feat: add core data collection for eks coverage

[reecebedding]

Summary by CodeRabbit

Release Notes

• New Features

  • Added AWS EKS resource policy evaluation for clusters, node groups, and add-ons
  • Added multi-region support with configurable region selection

• Documentation

  • Updated plugin documentation with AWS EKS-specific configuration, IAM permissions, and usage instructions

• Tests

  • Added comprehensive test coverage for EKS resource evaluation, configuration parsing, and evidence generation

[coderabbitai]

Warning

Review limit reached

@saltpy-cs, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 16 minutes and 46 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 33bd62f6-f098-49d1-ac68-2df499c44ed0

📥 Commits

Reviewing files that changed from the base of the PR and between 21842ab and 06270fa.

📒 Files selected for processing (5)

• Makefile
• internal/addon_context_test.go
• internal/cluster_context_test.go
• internal/nodegroup_context_test.go
• subject_templates_test.go

📝 Walkthrough

Walkthrough

This PR transforms a generic CCF plugin template into a fully functional AWS EKS compliance plugin. It introduces AWS SDK integration, region-scoped data collection from EKS APIs, per-resource policy evaluation with context enrichment, and proto/CCF subject templates for resource identification and labeling.

Changes

AWS EKS Compliance Plugin Implementation

Layer / File(s)	Summary
Project Identity and Build Configuration .gitignore, Makefile, README.md, go.mod	Module renamed to plugin-aws-eks with AWS SDK v2 dependencies added (aws-sdk-go-v2, EKS service, config). Build target simplified to go build -o dist/plugin .. README replaced with EKS-specific documentation covering supported resources, integration via gRPC, policy bundle mappings, and deployment instructions.
Type System, Configuration, and Utilities internal/types.go, internal/config.go, internal/config_test.go, internal/util.go	Resource type enums (cluster, nodegroup, addon) with metadata lookups. Region parsing from config regions field, fallback to region field, then AWS_REGION environment variable, defaulting to us-east-1. Helper functions for region resolution and JSON-to-map conversion.
Regional EKS Data Collection internal/region_datasets.go, internal/region_datasets_test.go	Abstracts EKS API operations via EKSClient interface. CollectRegionDatasets conditionally fetches clusters, nodegroups, and addons with pagination, full resource detail via describe calls, and aggregated error reporting. Reuses cluster list for nodegroup/addon scoping.
Evidence Context Builders internal/evidence.go, internal/evidence_labels_test.go	Constructs protobuf evidence contexts for clusters, nodegroups, addons with inventory items, resource-specific labels, component/subject mappings. Validates label keys use underscore notation. Includes nil-safe helpers for cluster endpoint access flags.
Generic Policy Evaluation Framework internal/policy_evaluation.go	Generic EvaluateResources[T] function orchestrates per-resource evaluation: builds evidence context/input, generates policies for each path, handles input-build errors, accumulates non-fatal errors, sends evidences via API helper. Supports optional post-processing and evidence title prefixing.
Cluster Policy Evaluation internal/cluster.go, internal/cluster_context_test.go	EvaluateClusterPolicies runs cluster policies through generic evaluator. BuildClusterPolicyInput enriches cluster with supplementary context: health metrics, logging types, encryption/auth config, endpoint access, related nodegroup/addon counts and names.
Nodegroup and Addon Policy Evaluation internal/nodegroup.go, internal/nodegroup_context_test.go, internal/addon.go, internal/addon_context_test.go	Similar per-resource evaluation for nodegroups (capacity, scaling headroom, health) and addons (health, ownership). Each builds supplementary context with current metrics, cluster relationships, and tag/feature flags.
Subject Templates and CCF Integration subject_templates.go, subject_templates_test.go	Defines three EKS subject templates (aws-eks-cluster, aws-eks-nodegroup, aws-eks-addon) with title/description/purpose templates, identity/selector label keys, and per-resource label schemas. Validates template rendering and underscore-only naming.
Main Plugin Lifecycle and Orchestration main.go, main_test.go	Reworked CompliancePlugin.Eval with behavior-driven routing: maps policy bundles to EKS resource behaviors, computes required datasets per behavior, loads AWS SDK config per region, collects EKS data, evaluates matched resource types, accumulates errors, returns SUCCESS/FAILURE. Tests validate behavior mapping, dataset requirements, and policy path partitioning.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 A plugin springs to life, with clusters in tow,
AWS EKS data in regions will flow,
Policies evaluated on nodegroups and add-ons,
Evidence gathered where compliance goes on! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding core data collection functionality for AWS EKS coverage, which is the central focus of this comprehensive PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[saltpy-cs]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Makefile (1)

26-30: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Declare non-file targets as PHONY.

The test and clean targets do not produce output files with those names, so they should be declared .PHONY to ensure make always executes them even if files named test or clean exist.

📋 Proposed fix

Add this line near the top of the Makefile (e.g., after line 16):

+.PHONY: test clean build run
+
 ##@ Help

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 26 - 30, Add a .PHONY declaration for the non-file
targets so make always runs them: declare .PHONY: test clean (referencing the
Makefile targets test and clean) near the top of the Makefile (e.g., after other
declarations) to ensure the test and clean targets are treated as phony and run
even if files with those names exist.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: The go.mod currently pins the module to "go 1.26.1" which has known
stdlib security advisories; update the Go toolchain version directive in go.mod
from "go 1.26.1" to a patched release (e.g., the next patched minor/patch
version once available) to eliminate the reported vulnerabilities, run `go mod
tidy` and re-run your build/tests to ensure compatibility after changing the
"go" directive.

In `@internal/addon_context_test.go`:
- Around line 34-47: The test currently uses unchecked assertions for
input["addon_context"] and contextMap["current"] which will panic on mismatch;
update the assertions in internal/addon_context_test.go to use comma-ok checks
(e.g., capture ok when converting input["addon_context"] to
map[string]interface{} and when converting current), and on failure call
t.Fatalf with clear messages including the actual value/type; similarly guard
the has_service_account_role check by asserting its type (bool) with an ok check
and fail with a diagnostic message if missing or wrong type, and explicitly
verify presence of contextMap["cluster"] with a descriptive t.Fatal if nil.

In `@internal/cluster_context_test.go`:
- Around line 62-80: The test currently uses unchecked type assertions on
input["cluster_context"], contextMap["current"], and
current["active_related_managed_addon_names"] which will panic with little
diagnostic info; update the test to perform checked type assertions (ok, ok :=
...) when assigning contextMap, current, and activeAddons and call t.Fatalf with
clear messages when assertions fail, then proceed to check field values
(cluster_name, authentication_mode, secrets_encryption_configured,
related_managed_addon_count, and activeAddons contents) only after the types are
confirmed; reference the variables contextMap, current, and activeAddons in your
changes.

In `@internal/cluster.go`:
- Around line 46-78: The build fails because helper functions
clusterEndpointPublicAccess and clusterEndpointPrivateAccess are referenced but
not implemented; add two functions that accept types.Cluster, check for a nil
cluster.ResourcesVpcConfig, and return
aws.ToBool(cluster.ResourcesVpcConfig.EndpointPublicAccess) and
aws.ToBool(cluster.ResourcesVpcConfig.EndpointPrivateAccess) respectively
(mirror the nil-safe pattern used in clusterPublicAccessCidrs), and place them
alongside the other cluster helper functions (e.g., after
clusterPublicAccessCidrs) so calls from buildClusterSupplementaryContext
compile.

In `@internal/nodegroup_context_test.go`:
- Around line 40-56: The test uses unchecked type assertions on
input["nodegroup_context"] and contextMap["current"] (symbols: contextMap,
current, nodegroup_context) which will panic on mismatch; change them to checked
assertions (e.g., v, ok := input["nodegroup_context"].(map[string]interface{})
and cur, ok := contextMap["current"].(map[string]interface{})) and add t.Fatalf
messages that report the actual type/value when ok is false; also update
subsequent checks that compare fields like current["cluster_name"],
current["subnet_count"], current["scale_out_headroom"],
current["desired_at_or_above_min"] to use the safely-asserted cur variable and
keep the existing assertion for contextMap["cluster"] presence.

In `@subject_templates_test.go`:
- Around line 69-117: The test currently accesses proto fields directly (e.g.,
subjectTemplate.Name, subjectTemplate.TitleTemplate, DescriptionTemplate,
PurposeTemplate) which can be made nil-safe by using the generated proto getter
methods; update TestSubjectTemplateTitleAndDescriptionRenderWithUnderscoreLabels
and renderSubjectTemplate to call subjectTemplate.GetName(),
subjectTemplate.GetTitleTemplate(), subjectTemplate.GetDescriptionTemplate(),
and subjectTemplate.GetPurposeTemplate() (and use those getters wherever the
fields are referenced in error messages and template parsing) to guard against
nil proto fields.

---

Outside diff comments:
In `@Makefile`:
- Around line 26-30: Add a .PHONY declaration for the non-file targets so make
always runs them: declare .PHONY: test clean (referencing the Makefile targets
test and clean) near the top of the Makefile (e.g., after other declarations) to
ensure the test and clean targets are treated as phony and run even if files
with those names exist.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 0216e949-9659-41bb-a1d4-39e8da287ad7

📥 Commits

Reviewing files that changed from the base of the PR and between 57c4056 and 21842ab.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (25)

• .gitignore
• Makefile
• README.md
• go.mod
• internal/addon.go
• internal/addon_context_test.go
• internal/cluster.go
• internal/cluster_context_test.go
• internal/config.go
• internal/config_test.go
• internal/data.go
• internal/eval.go
• internal/evidence.go
• internal/evidence_labels_test.go
• internal/nodegroup.go
• internal/nodegroup_context_test.go
• internal/policy_evaluation.go
• internal/region_datasets.go
• internal/region_datasets_test.go
• internal/types.go
• internal/util.go
• main.go
• main_test.go
• subject_templates.go
• subject_templates_test.go

💤 Files with no reviewable changes (2)

• internal/data.go
• internal/eval.go

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Go 1.26.1 has known security advisories.

OSV Scanner reports 18 LOW severity vulnerabilities in Go 1.26.1 stdlib (e.g., GO-2026-4864 through GO-2026-5039), including issues in crypto/x509, html/template, net/http, and other stdlib packages. Consider upgrading to a patched Go version when available.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, The go.mod currently pins the module to "go 1.26.1" which
has known stdlib security advisories; update the Go toolchain version directive
in go.mod from "go 1.26.1" to a patched release (e.g., the next patched
minor/patch version once available) to eliminate the reported vulnerabilities,
run `go mod tidy` and re-run your build/tests to ensure compatibility after
changing the "go" directive.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Missing helper function implementations will prevent compilation.

Lines 59-60 call clusterEndpointPublicAccess and clusterEndpointPrivateAccess, but these functions are not defined anywhere in the provided files. Based on the test fixture (cluster_context_test.go lines 25-29) and the similar pattern used by clusterPublicAccessCidrs (lines 91-96), these functions should safely extract boolean endpoint access flags from cluster.ResourcesVpcConfig.

🔧 Proposed implementation

Add these helper functions after line 96:

+func clusterEndpointPublicAccess(cluster types.Cluster) bool {
+	if cluster.ResourcesVpcConfig == nil {
+		return false
+	}
+	return cluster.ResourcesVpcConfig.EndpointPublicAccess
+}
+
+func clusterEndpointPrivateAccess(cluster types.Cluster) bool {
+	if cluster.ResourcesVpcConfig == nil {
+		return false
+	}
+	return cluster.ResourcesVpcConfig.EndpointPrivateAccess
+}
+

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func buildClusterSupplementaryContext(cluster types.Cluster, region string, datasets RegionDatasets) map[string]interface{} {
	clusterName := aws.ToString(cluster.Name)
	return map[string]interface{}{
	"current": map[string]interface{}{
	"cluster_name": clusterName,
	"cluster_arn": aws.ToString(cluster.Arn),
	"region": region,
	"status": string(cluster.Status),
	"version": aws.ToString(cluster.Version),
	"platform_version": aws.ToString(cluster.PlatformVersion),
	"health_issue_count": clusterHealthIssueCount(cluster),
	"tags_present": len(cluster.Tags) > 0,
	"endpoint_public_access": clusterEndpointPublicAccess(cluster),
	"endpoint_private_access": clusterEndpointPrivateAccess(cluster),
	"public_access_cidrs": clusterPublicAccessCidrs(cluster),
	"enabled_control_plane_log_types": enabledControlPlaneLogTypes(cluster),
	"authentication_mode": clusterAuthenticationMode(cluster),
	"bootstrap_creator_admin_permissions": clusterBootstrapCreatorAdminPermissions(cluster),
	"secrets_encryption_configured": clusterSecretsEncryptionConfigured(cluster),
	"secrets_encryption_customer_key_arns": clusterSecretsEncryptionKeyARNs(cluster),
	"deletion_protection": aws.ToBool(cluster.DeletionProtection),
	"related_managed_nodegroup_count": len(filterNodegroupsByCluster(datasets.Nodegroups, clusterName)),
	"related_managed_addon_count": len(filterAddonsByCluster(datasets.Addons, clusterName)),
	"related_managed_addon_names": addonNames(filterAddonsByCluster(datasets.Addons, clusterName)),
	"active_related_managed_addon_names": activeAddonNames(filterAddonsByCluster(datasets.Addons, clusterName)),
	"related_managed_nodegroup_names": nodegroupNames(filterNodegroupsByCluster(datasets.Nodegroups, clusterName)),
	"active_related_managed_nodegroup_names": activeNodegroupNames(filterNodegroupsByCluster(datasets.Nodegroups, clusterName)),
	},
	"addons": filterAddonsByCluster(datasets.Addons, clusterName),
	"nodegroups": filterNodegroupsByCluster(datasets.Nodegroups, clusterName),
	}
	}
	func clusterEndpointPublicAccess(cluster types.Cluster) bool {
	if cluster.ResourcesVpcConfig == nil {
	return false
	}
	return aws.ToBool(cluster.ResourcesVpcConfig.EndpointPublicAccess)
	}
	func clusterEndpointPrivateAccess(cluster types.Cluster) bool {
	if cluster.ResourcesVpcConfig == nil {
	return false
	}
	return aws.ToBool(cluster.ResourcesVpcConfig.EndpointPrivateAccess)
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cluster.go` around lines 46 - 78, The build fails because helper
functions clusterEndpointPublicAccess and clusterEndpointPrivateAccess are
referenced but not implemented; add two functions that accept types.Cluster,
check for a nil cluster.ResourcesVpcConfig, and return
aws.ToBool(cluster.ResourcesVpcConfig.EndpointPublicAccess) and
aws.ToBool(cluster.ResourcesVpcConfig.EndpointPrivateAccess) respectively
(mirror the nil-safe pattern used in clusterPublicAccessCidrs), and place them
alongside the other cluster helper functions (e.g., after
clusterPublicAccessCidrs) so calls from buildClusterSupplementaryContext
compile.