This plugin collects read-only Amazon EKS data, evaluates CCF Rego policy bundles, and emits evidence back through the CCF agent.
The collector evaluates policies for:
- EKS clusters
- EKS managed node groups
- EKS managed add-ons
The CCF agent starts this binary through HashiCorp go-plugin, passes configuration and policy paths over gRPC, and receives generated evidence through the runner callback. This repository does not call the CCF API directly.
| Repository | Behavior | Primary input |
|---|---|---|
| plugin-aws-eks-policies | cluster | `input.cluster` + `input.cluster_context` |
| plugin-aws-eks-nodegroup-policies | nodegroup | `input.nodegroup` + `input.nodegroup_context` |
| plugin-aws-eks-addon-policies | addon | `input.addon` + `input.addon_context` |
Each bundle evaluates one resource family at a time. Cluster context includes summarized related managed node groups and add-ons so cluster-level policies can check required add-ons without evaluating add-on policies against cluster input.
The plugin expects:
- AWS credentials through the default AWS SDK credential chain
- target regions from `config.regions` or `config.region`, with `AWS_REGION` as a fallback when the plugin config does not provide a region
Any agent-supplied policy_data is passed through to Rego as data.*.
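The region precedence above (comma-separated `config.regions`, then `config.region`, then `AWS_REGION`) is small but easy to get subtly wrong, so here is an added Go example that is not the plugin's own code. The function name `resolveRegions`, the map-shaped config and the injected environment lookup are assumptions made for the example; the plugin's real config type is not shown on this page.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// resolveRegions applies the precedence described above: config.regions
// (comma-separated) first, then config.region, then the AWS_REGION
// environment variable. The function name, the map-shaped config and the
// env lookup parameter are assumptions for this example, not the plugin's API.
func resolveRegions(config map[string]string, env func(string) string) ([]string, error) {
	if regions := splitRegions(config["regions"]); len(regions) > 0 {
		return regions, nil
	}
	if r := strings.TrimSpace(config["region"]); r != "" {
		return []string{r}, nil
	}
	if r := strings.TrimSpace(env("AWS_REGION")); r != "" {
		return []string{r}, nil
	}
	return nil, fmt.Errorf("no target region: set config.regions, config.region, or AWS_REGION")
}

// splitRegions turns "eu-west-2, us-east-1" into ["eu-west-2", "us-east-1"]:
// it trims whitespace, drops empty entries (so "regions: ',,'" falls through
// to the next source) and de-duplicates in order so a region is never
// collected twice.
func splitRegions(raw string) []string {
	seen := map[string]bool{}
	var out []string
	for _, part := range strings.Split(raw, ",") {
		r := strings.TrimSpace(part)
		if r == "" || seen[r] {
			continue
		}
		seen[r] = true
		out = append(out, r)
	}
	return out
}

func main() {
	// Same value as the example agent config below; AWS_REGION is only
	// consulted when neither config key yields a region.
	regions, err := resolveRegions(map[string]string{"regions": "eu-west-2,us-east-1"}, os.Getenv)
	fmt.Println(regions, err)
}
```

Passing the environment lookup as a parameter keeps the fallback testable without touching the real process environment.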
Example agent plugin config:

```yaml
plugins:
  aws-eks:
    protocol_version: 2
    source: /path/to/dist/plugin
    config:
      regions: "eu-west-2,us-east-1"
    policies:
      - /path/to/plugin-aws-eks-policies/dist/bundle.tar.gz
      - /path/to/plugin-aws-eks-nodegroup-policies/dist/bundle.tar.gz
      - /path/to/plugin-aws-eks-addon-policies/dist/bundle.tar.gz
```

Depending on the selected policy bundles, the plugin collects and reuses:
- `ListClusters` and `DescribeCluster`
- `ListNodegroups` and `DescribeNodegroup`
- `ListAddons` and `DescribeAddon`
The plugin collects shared regional datasets once and reuses them across resource-family evaluation to reduce AWS API calls.
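The two ideas above, a regional dataset collected once and a cluster context that lets cluster policies check required add-ons without running add-on policies, are illustrated by this added Go example. It is not the plugin's own code: the `eksReader` interface, the struct field names, the `fakeEKS` reader and its constructed clusters, node groups and add-ons are all assumptions made for the example, and the real input schema may differ.

```go
package main

import "fmt"

// Resource summaries for the three families (assumed field names).
type Cluster struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}
type Nodegroup struct {
	Cluster, Name, Status string
}
type Addon struct {
	Cluster, Name, Version string
}

// eksReader stands in for the read-only EKS calls listed above
// (assumed interface, not the AWS SDK client).
type eksReader interface {
	ListClusters() []string
	DescribeCluster(name string) Cluster
	ListNodegroups(cluster string) []string
	DescribeNodegroup(cluster, name string) Nodegroup
	ListAddons(cluster string) []string
	DescribeAddon(cluster, name string) Addon
}

// regionalData is collected once per region and shared by every family.
type regionalData struct {
	Clusters   []Cluster
	Nodegroups map[string][]Nodegroup // keyed by cluster name
	Addons     map[string][]Addon
}

// collectRegion walks the API exactly once; all later evaluation reads from d.
func collectRegion(r eksReader) regionalData {
	d := regionalData{Nodegroups: map[string][]Nodegroup{}, Addons: map[string][]Addon{}}
	for _, name := range r.ListClusters() {
		d.Clusters = append(d.Clusters, r.DescribeCluster(name))
		for _, ng := range r.ListNodegroups(name) {
			d.Nodegroups[name] = append(d.Nodegroups[name], r.DescribeNodegroup(name, ng))
		}
		for _, a := range r.ListAddons(name) {
			d.Addons[name] = append(d.Addons[name], r.DescribeAddon(name, a))
		}
	}
	return d
}

// clusterInput is the document a cluster policy sees: input.cluster plus
// input.cluster_context carrying the summarized node groups and add-ons.
type clusterInput struct {
	Cluster        Cluster        `json:"cluster"`
	ClusterContext clusterContext `json:"cluster_context"`
}
type clusterContext struct {
	Nodegroups []Nodegroup `json:"nodegroups"`
	Addons     []Addon     `json:"addons"`
}

// buildClusterInputs derives per-cluster inputs from the shared dataset
// without touching the API again.
func buildClusterInputs(d regionalData) []clusterInput {
	out := make([]clusterInput, 0, len(d.Clusters))
	for _, c := range d.Clusters {
		out = append(out, clusterInput{Cluster: c, ClusterContext: clusterContext{
			Nodegroups: d.Nodegroups[c.Name], Addons: d.Addons[c.Name]}})
	}
	return out
}

// missingAddons is the kind of check a cluster policy can make from
// cluster_context alone: which required add-ons are not installed.
func missingAddons(in clusterInput, required []string) []string {
	installed := map[string]bool{}
	for _, a := range in.ClusterContext.Addons {
		installed[a.Name] = true
	}
	var missing []string
	for _, name := range required {
		if !installed[name] {
			missing = append(missing, name)
		}
	}
	return missing
}

// fakeEKS serves constructed data and counts API calls so reuse is observable.
type fakeEKS struct{ calls int }

func (f *fakeEKS) ListClusters() []string           { f.calls++; return []string{"prod", "dev"} }
func (f *fakeEKS) DescribeCluster(n string) Cluster { f.calls++; return Cluster{Name: n, Version: "1.29"} }
func (f *fakeEKS) ListNodegroups(c string) []string  { f.calls++; return []string{c + "-ng-1"} }
func (f *fakeEKS) DescribeNodegroup(c, n string) Nodegroup {
	f.calls++
	return Nodegroup{Cluster: c, Name: n, Status: "ACTIVE"}
}
func (f *fakeEKS) ListAddons(c string) []string {
	f.calls++
	if c == "prod" {
		return []string{"vpc-cni", "coredns", "kube-proxy"}
	}
	return []string{"vpc-cni"}
}
func (f *fakeEKS) DescribeAddon(c, n string) Addon { f.calls++; return Addon{Cluster: c, Name: n, Version: "v1"} }

func main() {
	f := &fakeEKS{}
	d := collectRegion(f)
	for _, in := range buildClusterInputs(d) {
		fmt.Printf("%s missing=%v\n", in.Cluster.Name, missingAddons(in, []string{"vpc-cni", "coredns", "kube-proxy"}))
	}
	fmt.Println("API calls:", f.calls) // stays constant however many families are evaluated
}
```

With the constructed data the fake reader answers 13 calls during collection and none afterwards, whether one bundle or all three are selected; the `missingAddons` check is the Go equivalent of what a cluster-level Rego rule would read from `input.cluster_context`.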
The AWS principal used by the plugin needs read-only EKS permissions for the configured regions:
```json
{
  "Effect": "Allow",
  "Action": [
    "eks:ListClusters",
    "eks:DescribeCluster",
    "eks:ListNodegroups",
    "eks:DescribeNodegroup",
    "eks:ListAddons",
    "eks:DescribeAddon"
  ],
  "Resource": "*"
}
```

Run the local test suite with:

```sh
go test ./...
```

Or use the Makefile wrapper:

```sh
make test
```

Build the plugin binary with:

```sh
make build
```

This writes the compiled plugin to `dist/plugin`.