Skip to content

Security overhaul: Update to Kubernetes 1.28, AWS Load Balancer Controller v2.6.2, PostgreSQL 15.4, and add automated security checks #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Security overhaul: Update to Kubernetes 1.28, AWS Load Balancer Controller v2.6.2, PostgreSQL 15.4, and add automated security checks #2

wants to merge 3 commits into from

Conversation

Copilot
Copy link

@Copilot Copilot AI commented Sep 18, 2025
edited
Loading

This PR addresses critical security vulnerabilities in the aws-ms-eks-reference repository by updating all outdated components to their latest secure versions and implementing automated security monitoring.

Security Issues Fixed

Critical Version Updates

  • Kubernetes: Updated from extremely outdated 1.14/1.15 (2019) to current 1.28
  • PostgreSQL: Updated from vulnerable 9.6.16/11.6 to latest supported 15.4/14.9/13.13
  • Python Runtime: Updated Lambda functions from deprecated python3.7 to python3.11
  • Load Balancer Controller: Replaced deprecated aws-alb-ingress-controller v1.1.4 with modern AWS Load Balancer Controller v2.6.2

IAM Security Hardening

  • Fixed commented-out StringEquals conditions in ALB controller IAM role
  • Added proper OIDC authentication validation with sub and aud claims
  • Updated IAM policy references to current AWS Load Balancer Controller policies

Supply Chain Security

  • Replaced insecure latest tag URLs in monitoring manifests with pinned version v1.247357.0b251975
  • Updated all documentation references to use current component versions
  • Added validation to prevent hardcoded secrets in templates

Security Automation Added

GitHub Actions Workflows

Added comprehensive security automation in .github/workflows/security-checks.yml:

  • CloudFormation template linting and security analysis
  • Automated version checking for outdated components
  • Secret detection in code and templates
  • Security review reminders on PRs modifying CloudFormation

Maintenance Tools

  • Security Checklist (.security-checklist.md): Monthly maintenance tasks and compliance checks
  • Enhanced Documentation: Added security best practices section to README
  • Tool Integration: Instructions for cfn-lint, cfn-nag, and ECR scanning

Validation

All CloudFormation templates validated successfully with cfn-lint. The changes maintain backward compatibility while dramatically improving the security posture:

cfn-lint cloudformation/*.yml cloudformation/*.yaml
# All templates pass validation with only minor warnings

Impact

This update resolves years of accumulated security debt and establishes processes to prevent future vulnerabilities. The repository now follows current AWS security best practices with automated monitoring to maintain security going forward.

Before: Using components from 2019 with multiple known vulnerabilities
After: Current, secure versions with automated security monitoring

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits September 18, 2025 22:38
@Copilot @sukrit007
Apply critical security updates: K8s 1.28, Python 3.11, PostgreSQL 15…
caafcd6 
….4, AWS Load Balancer Controller v2.6.2

Co-authored-by: sukrit007 <[email protected]>
@Copilot @sukrit007
Add comprehensive security automation: GitHub Actions workflows, secu…
24eb61a 
…rity checklist, and updated documentation

Co-authored-by: sukrit007 <[email protected]>
@Copilot Copilot AI changed the title [WIP] Apply Security Updates Security overhaul: Update to Kubernetes 1.28, AWS Load Balancer Controller v2.6.2, PostgreSQL 15.4, and add automated security checks Sep 18, 2025
@Copilot Copilot AI requested a review from sukrit007 September 18, 2025 22:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sukrit007 sukrit007 Awaiting requested review from sukrit007

Assignees

@sukrit007 sukrit007

Copilot code review Copilot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Copilot @sukrit007