[IT-5076] Pin Spot Ocean worker AMI floor for CVE-2026-31431#87

Open

BryanFauble wants to merge 1 commit into main from it-5076-minimum-aws-ami

Conversation

@BryanFauble BryanFauble commented May 18, 2026

Summary

  • Adds a single eks_min_ami_release_date knob in deployments/main.tf (currently 20260505) and threads it through the Spacelift wrapper and dpe-k8s-deployments stack into modules/sage-aws-k8s-node-autoscaler.
  • The autoscaler module resolves the AL2023 EKS-optimized AMI via an aws_ami data source filtered on amazon-eks-node-al2023-x86_64-standard-<k8s-version>-v<date>* and pins the result onto module "ocean-aws-k8s" via ami_id.
  • Spot Ocean was previously auto-selecting AMIs below the v20260505 patched release flagged by NIH STRIDES for CVE-2026-31431 (Linux kernel LPE). With this change, future CVE bumps are a one-line change to the local at the top of the stack.

Test plan

I deployed some changes to the EKS DEV cluster to use a minimum AMI version strategy. I checked into the instance provisioner that we use and verified that this is ok per the remediation path in the parent ticket EKS: Update your Node Groups to the latest AMI Release (v20260505 or later).

{
  "architecture": "x86_64",
  "creationDate": "2026-05-05T23:23:14.000Z",
  "imageId": "ami-0bb984622f47bb856",
  "imageLocation": "amazon/amazon-eks-node-al2023-x86_64-standard-1.33-v20260505",
  "imageType": "machine",
  "public": true,
  "ownerId": "602401143452",
  "platformDetails": "Linux/UNIX",
  "usageOperation": "RunInstances",
  "productCodes": [],
  "state": "available",
  "blockDeviceMappings": [
    {
      "deviceName": "/dev/xvda",
      "ebs": {
        "deleteOnTermination": true,
        "iops": 3000,
        "snapshotId": "snap-0c6977b261a80aa51",
        "volumeSize": 20,
        "volumeType": "gp3",
        "throughput": 125,
        "encrypted": false
      }
    }
  ],
  "description": "EKS-optimized Kubernetes node based on Amazon Linux 2023, (k8s: 1.33.11, containerd: 2.*)",
  "enaSupport": true,
  "hypervisor": "xen",
  "imageOwnerAlias": "amazon",
  "name": "amazon-eks-node-al2023-x86_64-standard-1.33-v20260505",
  "rootDeviceName": "/dev/xvda",
  "rootDeviceType": "ebs",
  "sriovNetSupport": "simple",
  "tags": [],
  "virtualizationType": "hvm",
  "bootMode": "uefi-preferred",
  "deprecationTime": "2028-05-05T23:23:14.000Z",
  "imdsSupport": "v2.0"
}

Spot Ocean was auto-selecting AL2023 EKS-optimized AMIs that fall below
the v20260505 patched release for CVE-2026-31431 (Linux kernel LPE).

Threads `eks_min_ami_release_date` from a single local in
deployments/main.tf through the Spacelift wrapper and dpe-k8s-deployments
stack into modules/sage-aws-k8s-node-autoscaler, where an aws_ami data
source filters by name prefix
`amazon-eks-node-al2023-x86_64-standard-<k8s-version>-v<date>*` and pins
the resolved id onto module "ocean-aws-k8s".

Future CVE bumps are a one-line change to the local.
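A worked Terraform rendering of the approach described in the PR summary and commit message, added here as an example rather than the PR's own module code: it resolves the AL2023 AMI with the same name filter and adds a postcondition that fails the plan if the resolved AMI's `-v<date>` suffix is below the floor (with the exact-date filter any match already satisfies this, so the guard mainly protects against a later widening of the filter). Assumed: a `k8s_version` variable, the floor passed as the same YYYYMMDD string, and a placeholder module source for `ocean-aws-k8s`.

```hcl
# Added example (not the PR's own module code).
variable "k8s_version" {
  type    = string
  default = "1.33" # assumed; matches the cluster version in the describe-images output above
}

# Same YYYYMMDD string the PR threads down from deployments/main.tf.
variable "eks_min_ami_release_date" {
  type    = string
  default = "20260505"
  validation {
    condition     = can(regex("^[0-9]{8}$", var.eks_min_ami_release_date))
    error_message = "eks_min_ami_release_date must be a YYYYMMDD string, e.g. 20260505."
  }
}

data "aws_ami" "eks_al2023" {
  most_recent = true
  owners      = ["602401143452"] # Amazon's EKS AMI account, as shown in the ownerId field above

  filter {
    name   = "name"
    values = ["amazon-eks-node-al2023-x86_64-standard-${var.k8s_version}-v${var.eks_min_ami_release_date}*"]
  }

  lifecycle {
    # Fail `terraform plan` if the resolved AMI carries a release date below the
    # floor. The -v<date> suffix is parsed from the AMI name and compared
    # numerically, which orders correctly for YYYYMMDD values.
    postcondition {
      condition = (
        tonumber(regex("-v([0-9]{8})", self.name)[0])
        >= tonumber(var.eks_min_ami_release_date)
      )
      error_message = "Resolved EKS AMI is below the required floor v${var.eks_min_ami_release_date}."
    }
  }
}

# Pin the resolved image onto the Spot Ocean module; the source is a placeholder.
module "ocean-aws-k8s" {
  source = "PLACEHOLDER/ocean-aws-k8s-module-source"
  ami_id = data.aws_ami.eks_al2023.id
}

output "eks_node_ami" {
  value = { id = data.aws_ami.eks_al2023.id, name = data.aws_ami.eks_al2023.name }
}
```

Bumping the floor for a future CVE is still the one-line change to `eks_min_ami_release_date`; if AWS has not yet published an AMI for that date, the data source fails to match and the plan stops rather than silently keeping an older image.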
@thomasyu888 thomasyu888 left a comment


🔥 LGTM! Thanks for putting this together.
