From 8abdb0d2b79c6d32afead6c61a8c4b828a273a07 Mon Sep 17 00:00:00 2001
From: BryanFauble <17128019+BryanFauble@users.noreply.github.com>
Date: Mon, 18 May 2026 21:03:39 +0000
Subject: [PATCH] [IT-5076] Pin Spot Ocean worker AMI floor for CVE-2026-31431

Spot Ocean was auto-selecting AL2023 EKS-optimized AMIs that fall below the v20260505 patched release for CVE-2026-31431 (Linux kernel LPE). Threads `eks_min_ami_release_date` from a single local in deployments/main.tf through the Spacelift wrapper and dpe-k8s-deployments stack into modules/sage-aws-k8s-node-autoscaler, where an aws_ami data source filters by name prefix `amazon-eks-node-al2023-x86_64-standard--v*` and pins the resolved id onto module "ocean-aws-k8s". Future CVE bumps are a one-line change to the local.

---
 deployments/main.tf | 13 +++++++++++
 deployments/spacelift/dpe-k8s/main.tf | 23 ++++++++++---------
 deployments/spacelift/dpe-k8s/variables.tf | 5 ++++
 .../stacks/dpe-k8s-deployments/main.tf | 1 +
 .../stacks/dpe-k8s-deployments/variables.tf | 5 ++++
 modules/sage-aws-k8s-node-autoscaler/data.tf | 15 ++++++++++++
 modules/sage-aws-k8s-node-autoscaler/main.tf | 1 +
 .../sage-aws-k8s-node-autoscaler/variables.tf | 5 ++++
 8 files changed, 57 insertions(+), 11 deletions(-)

diff --git a/deployments/main.tf b/deployments/main.tf
index 54b9ec2e..881b8e3d 100644
--- a/deployments/main.tf
+++ b/deployments/main.tf
@@ -1,3 +1,10 @@
+locals {
+ # Minimum AL2023 EKS-optimized AMI release date (YYYYMMDD).
+ # Acts as a floor for the Spot Ocean worker AMI lookup. Bump for kernel CVE
+ # remediations (e.g., CVE-2026-31431 → v20260505 or later).
+ eks_min_ami_release_date = "20260505"
+}
+
 resource "spacelift_space" "development" {
 name = "development"
 parent_space_id = var.parent_space_id
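Review bot: The comment on the new local says it "Acts as a floor", but the lookup it feeds in modules/sage-aws-k8s-node-autoscaler/data.tf matches the AMI name against `-v${var.min_ami_release_date}*`, which only selects images whose version string begins with that value; a later AL2023 build would not be picked up until this local is bumped again. Either the comment should state what the code does, e.g. `# Pins the Spot Ocean worker AMI to this release date; bump it to roll nodes onto a newer build.`, or the lookup should be turned into a real minimum. The same "floor" wording is repeated in the descriptions of eks_min_ami_release_date in deployments/spacelift/dpe-k8s/variables.tf and of min_ami_release_date in modules/sage-aws-k8s-node-autoscaler/variables.tf, and should change with it.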
@@ -59,6 +66,8 @@ module "dpe-sandbox-spacelift-development" {
 ses_email_identities = ["aws-dpe-dev@sagebase.org"]
 # Defines the email address that will be used as the sender of the email alerts
 smtp_from = "aws-dpe-dev@sagebase.org"
+
+ eks_min_ami_release_date = local.eks_min_ami_release_date
 }
 
 module "dpe-sandbox-spacelift-staging" {
@@ -99,6 +108,8 @@ module "dpe-sandbox-spacelift-staging" {
 ssl_hostname = "staging.sagedpe.org"
 ses_email_identities = []
 smtp_from = ""
+
+ eks_min_ami_release_date = local.eks_min_ami_release_date
 }
 
 module "dpe-sandbox-spacelift-production" {
@@ -140,6 +151,8 @@ module "dpe-sandbox-spacelift-production" {
 ses_email_identities = ["dpe@sagebase.org"]
 # Defines the email address that will be used as the sender of the email alerts
 smtp_from = "dpe@sagebase.org"
+
+ eks_min_ami_release_date = local.eks_min_ami_release_date
 }
 
 module "snowflake-spacelift-development" {
diff --git a/deployments/spacelift/dpe-k8s/main.tf b/deployments/spacelift/dpe-k8s/main.tf
index 22e3b420..ab7e5fa3 100644
--- a/deployments/spacelift/dpe-k8s/main.tf
+++ b/deployments/spacelift/dpe-k8s/main.tf
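Review bot: All three environment modules in these hunks are wired to the same `local.eks_min_ami_release_date`, so a bump changes the development, staging and production stacks in one commit, and because the module's aws_ami lookup feeds Ocean's ami_id, the resulting worker-node roll cannot be canaried in one environment before the others. If a staged rollout is wanted, a per-environment map in the locals block, e.g. `eks_min_ami_release_date = { development = "20260505", staging = "20260505", production = "20260505" }` looked up per module call, keeps the one-place-bump property while allowing dev to move first. Whether Spacelift already gates these stacks with separate approvals is not visible here, so this may be acceptable as is.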
@@ -19,17 +19,18 @@ locals {
 }
 
 k8s_stack_deployments_variables = {
- spotinst_account = var.spotinst_account
- vpc_cidr_block = var.vpc_cidr_block
- cluster_name = var.cluster_name
- auto_deploy = var.auto_deploy
- auto_prune = var.auto_prune
- git_revision = var.git_branch
- aws_account_id = var.aws_account_id
- enable_cluster_ingress = var.enable_cluster_ingress
- enable_otel_ingress = var.enable_otel_ingress
- ssl_hostname = var.ssl_hostname
- smtp_from = var.smtp_from
+ spotinst_account = var.spotinst_account
+ vpc_cidr_block = var.vpc_cidr_block
+ cluster_name = var.cluster_name
+ auto_deploy = var.auto_deploy
+ auto_prune = var.auto_prune
+ git_revision = var.git_branch
+ aws_account_id = var.aws_account_id
+ enable_cluster_ingress = var.enable_cluster_ingress
+ enable_otel_ingress = var.enable_otel_ingress
+ ssl_hostname = var.ssl_hostname
+ smtp_from = var.smtp_from
+ eks_min_ami_release_date = var.eks_min_ami_release_date
 }
 
 # Variables to be passed from the k8s stack to the deployments stack
diff --git a/deployments/spacelift/dpe-k8s/variables.tf b/deployments/spacelift/dpe-k8s/variables.tf
index 06fd21b2..8313efc6 100644
--- a/deployments/spacelift/dpe-k8s/variables.tf
+++ b/deployments/spacelift/dpe-k8s/variables.tf
@@ -175,3 +175,8 @@ variable "smtp_from" {
 type = string
 default = ""
 }
+
+variable "eks_min_ami_release_date" {
+ description = "Minimum AL2023 EKS-optimized AMI release date (YYYYMMDD). Acts as a floor for the aws_ami lookup that pins the Spot Ocean image_id."
+ type = string
+}
diff --git a/deployments/stacks/dpe-k8s-deployments/main.tf b/deployments/stacks/dpe-k8s-deployments/main.tf
index 27744f55..08f59904 100644
--- a/deployments/stacks/dpe-k8s-deployments/main.tf
+++ b/deployments/stacks/dpe-k8s-deployments/main.tf
@@ -12,6 +12,7 @@ module "sage-aws-eks-autoscaler" {
 spotinst_account = var.spotinst_account
 single_az = false
 desired_capacity = 3
+ min_ami_release_date = var.eks_min_ami_release_date
 }
 
 module "sage-aws-eks-addons" {
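Review bot: The new `variable "eks_min_ami_release_date"` in deployments/spacelift/dpe-k8s/variables.tf has no validation, so a value in the wrong shape (a dashed date, a leading `v`, an empty string) is only caught when the module's aws_ami lookup finds no image, surfacing as an opaque no-match error in the consuming stack. A validation block with `condition = can(regex("^[0-9]{8}$", var.eks_min_ami_release_date))` and an error message naming the expected YYYYMMDD form would fail at the boundary where the value is entered. The same gap exists in the copy of this variable in deployments/stacks/dpe-k8s-deployments/variables.tf and in `min_ami_release_date` in modules/sage-aws-k8s-node-autoscaler/variables.tf; enforcing it once in the module is enough, since every caller passes through it.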
diff --git a/deployments/stacks/dpe-k8s-deployments/variables.tf b/deployments/stacks/dpe-k8s-deployments/variables.tf
index 9fe95a0b..4ab987f3 100644
--- a/deployments/stacks/dpe-k8s-deployments/variables.tf
+++ b/deployments/stacks/dpe-k8s-deployments/variables.tf
@@ -109,3 +109,8 @@ variable "docker_access_token" {
 type = string
 default = ""
 }
+
+variable "eks_min_ami_release_date" {
+ description = "Minimum AL2023 EKS-optimized AMI release date (YYYYMMDD)."
+ type = string
+}
diff --git a/modules/sage-aws-k8s-node-autoscaler/data.tf b/modules/sage-aws-k8s-node-autoscaler/data.tf
index 2d884fa9..12a4e296 100644
--- a/modules/sage-aws-k8s-node-autoscaler/data.tf
+++ b/modules/sage-aws-k8s-node-autoscaler/data.tf
@@ -14,3 +14,18 @@ data "aws_secretsmanager_secret_version" "secret_credentials" {
 secret_id = data.aws_secretsmanager_secret.spotinst_token.id
 }
 
+data "aws_ami" "eks_worker_al2023" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amazon-eks-node-al2023-x86_64-standard-${data.aws_eks_cluster.cluster.version}-v${var.min_ami_release_date}*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+}
+
diff --git a/modules/sage-aws-k8s-node-autoscaler/main.tf b/modules/sage-aws-k8s-node-autoscaler/main.tf
index 18648828..3dc9e1a9 100644
--- a/modules/sage-aws-k8s-node-autoscaler/main.tf
+++ b/modules/sage-aws-k8s-node-autoscaler/main.tf
@@ -114,6 +114,7 @@ module "ocean-aws-k8s" {
 subnet_ids = var.single_az ? [var.private_vpc_subnet_ids[0]] : var.private_vpc_subnet_ids
 worker_instance_profile_arn = aws_iam_instance_profile.profile.arn
 security_groups = [var.node_security_group_id]
+ ami_id = data.aws_ami.eks_worker_al2023.id
 is_aggressive_scale_down_enabled = true
 max_scale_down_percentage = 33
 tags = var.tags
diff --git a/modules/sage-aws-k8s-node-autoscaler/variables.tf b/modules/sage-aws-k8s-node-autoscaler/variables.tf
index adbe0837..ef6bb4e7 100644
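Review bot: The name filter in data "aws_ami" "eks_worker_al2023" ends in `-v${var.min_ami_release_date}*`, which is a prefix match on the build date, so `most_recent` only ever chooses among images from that one release; it does not implement the minimum that the commit message and the variable descriptions describe, and once that build is absent for the cluster's version (an EKS minor upgrade, or AWS retiring the old image) the data source returns no result and the plan fails, which at least fails closed rather than falling back to an unpatched image. A real floor would match `-v*`, let `most_recent` take the newest build, and enforce the minimum with a `postcondition` that parses the date out of `self.name`, as sketched below; this needs Terraform 1.2 or later and I cannot see the module's required_version from this hunk. Whether `data.aws_eks_cluster.cluster` is declared elsewhere in the module is likewise not visible here. The commit message's `standard--v*` also drops the cluster-version segment that the code interpolates.
```hcl
data "aws_ami" "eks_worker_al2023" {
  # … unchanged: most_recent / owners …

  filter {
    name   = "name"
    values = ["amazon-eks-node-al2023-x86_64-standard-${data.aws_eks_cluster.cluster.version}-v*"]
  }

  # … unchanged: virtualization-type filter …

  lifecycle {
    postcondition {
      condition     = tonumber(regex("-v([0-9]{8})", self.name)[0]) >= tonumber(var.min_ami_release_date)
      error_message = "Newest AL2023 EKS worker AMI ${self.name} is older than the required minimum v${var.min_ami_release_date}."
    }
  }
}
```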
--- a/modules/sage-aws-k8s-node-autoscaler/variables.tf
+++ b/modules/sage-aws-k8s-node-autoscaler/variables.tf
@@ -54,3 +54,8 @@ variable "single_az" {
 description = "Single AZ"
 type = bool
 }
+
+variable "min_ami_release_date" {
+ description = "Minimum AL2023 EKS-optimized AMI release date (YYYYMMDD). Acts as a floor for the aws_ami name-prefix filter; Spot Ocean uses the resolved AMI ID for new node launches."
+ type = string
+}