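# Node-level mitigation for log4j CVE-2021-44228 (Log4Shell): a DaemonSet whose
# privileged init container installs the Amazon log4j hotpatch package on every
# eligible node, gated by a ConfigMap-provided install.sh that verifies the
# package before declaring success. Documents, in order: Namespace, PSP RBAC,
# PodSecurityPolicy, installer script ConfigMap, DaemonSet.
---
apiVersion: v1
kind: Namespace
metadata:
  name: node-configuration-daemonset
  # Pod Security Admission equivalent of the PodSecurityPolicy below: the
  # installer pod needs hostPID, a privileged container and a hostPath volume,
  # which only the "privileged" level permits. Harmless on clusters without PSA.
  labels:
    pod-security.kubernetes.io/enforce: privileged
---
# Grants "use" on the single PSP defined below; bound (namespaced) to the
# installer ServiceAccount so no other workload inherits it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-patch-installer
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - node-patch-installer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-patch-installer
  namespace: node-configuration-daemonset
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: node-patch-installer
  namespace: node-configuration-daemonset
roleRef:
  kind: ClusterRole
  name: node-patch-installer
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: node-patch-installer
    namespace: node-configuration-daemonset
---
# PodSecurityPolicy is served only by policy/v1beta1, which Kubernetes 1.25
# removed. On clusters without the PSP admission plugin this document and the
# ClusterRole/RoleBinding above are inert; the Namespace labels carry the
# equivalent Pod Security Admission level.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: node-patch-installer
spec:
  # Both are required by the installer init container; nothing else in the
  # namespace should need them.
  privileged: true
  hostPID: true
  # An omitted "volumes" list means no volume types are allowed, which would
  # reject the DaemonSet pod (it mounts a ConfigMap and a hostPath) wherever
  # this is the only policy authorizing it. Allow exactly those two types and
  # restrict the hostPath to the staging directory the pod actually mounts.
  volumes:
    - configMap
    - hostPath
  allowedHostPaths:
    - pathPrefix: /tmp/install
      readOnly: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# install.sh is mounted into the installer init container. It refers to
# /tmp/install/*.rpm, which is the host-side location of the hostPath volume,
# so it is presumably executed in the host mount namespace by the image's
# entrypoint rather than inside the container's own filesystem — confirm
# against the image before changing the mount paths in the DaemonSet.
apiVersion: v1
kind: ConfigMap
metadata:
  name: node-patch-installer-script
  namespace: node-configuration-daemonset
data:
  install.sh: |
    #!/bin/bash
    # Installs the log4j CVE-2021-44228 hotpatch for the OS this script runs on:
    # Amazon Linux 1/2 from an rpm staged under /tmp/install, Debian/Ubuntu from
    # the Amazon apt repository. Every branch ends in a verify_* call, which is
    # the pass/fail gate: it exits 1 unless the package is installed at the
    # expected version. Install errors themselves are deliberately not fatal so
    # that a re-run on an already patched node (pod restart) still succeeds.
    OS_TYPE=$(uname -a)

    VERSION_AMZN="1.3-5" # Change for package versions
    PKG_AL1="log4j-cve-2021-44228-hotpatch-$VERSION_AMZN.amzn1.noarch"
    PKG_AL2="log4j-cve-2021-44228-hotpatch-$VERSION_AMZN.amzn2.noarch"

    VERSION_DEBIAN="1.3.5" # Change for package versions
    PKG_DEBIAN="log4j-cve-2021-44228-hotpatch"
    ARCH_DEBIAN="all"
    STATUS_OK_DEBIAN="install ok installed"

    # check_file PATH: exits 1 unless PATH is a regular file.
    check_file() {
      echo "Detecting patch file: $1 ..."
      if [[ -f "$1" ]]; then
        echo "$1 exists."
      else
        echo "ERROR: $1 does not exist."
        exit 1
      fi
    }

    # install_rpm PATH: installs/upgrades the rpm at PATH. The rpm exit status is
    # intentionally not checked (rpm -U fails when the same version is already
    # installed); verify_rpm decides whether the node is actually patched.
    install_rpm() {
      echo "Installing $1 ..."
      rpm -Uvh "$1"
    }

    # install_dpkg PKG: configures the Amazon apt repository and its signing key,
    # then installs/upgrades PKG from it. curl -f keeps an HTTP error page from
    # being written into the sources list or the keyring on a failed download.
    install_dpkg() {
      echo "Installing $1 ..."
      curl -fsS https://apt.repo.amazonlinux.com/amazon.sources \
        -o /etc/apt/sources.list.d/amazon.sources
      curl -fsS https://apt.repo.amazonlinux.com/amazon-archive-keyring.gpg \
        -o /usr/share/keyrings/amazon-archive-keyring.gpg
      apt update
      apt full-upgrade -y "$1"
    }

    # verify_rpm PKG: passes only when "rpm -V PKG" reports no discrepancies
    # (empty output); otherwise prints the report and exits 1.
    verify_rpm() {
      echo "Verifying $1 package ..."
      local output
      output=$(rpm -V "$1")
      if [[ -z "$output" ]]; then
        echo "$1 installed and verified"
      else
        echo "$1 could not be verified"
        echo "$output"
        exit 1
      fi
    }

    # verify_dpkg PKG VERSION: passes only when the dpkg status output contains
    # both "Status: install ok installed" and "Version: VERSION" (substring
    # match); otherwise prints the status and exits 1.
    verify_dpkg() {
      echo "Verifying $1 package, version $2 ..."
      local output
      output=$(dpkg -s "$1")
      if [[ "$output" =~ "Status: $STATUS_OK_DEBIAN" ]] && [[ "$output" =~ "Version: $2" ]]; then
        echo "$1, version $2, installed and verified"
      else
        echo "$1, version $2, could not be verified"
        echo "$output"
        exit 1
      fi
    }

    # upgrade_util-linux: on Amazon Linux 2, updates util-linux when the installed
    # 2.30.2-2.amzn2.0.N build has N < 6. When the installed version does not
    # match 2.30.2-2.amzn2 at all, v is empty, which [[ -lt ]] treats as 0, so
    # the update runs in that case too.
    upgrade_util-linux() {
      echo "Verifying util-linux version ..."
      local v
      v=$(yum list installed util-linux | grep 2.30.2-2.amzn2 | awk '{print $2;}' | awk -F'2.30.2-2.amzn' '{print $2;}' | awk -F. '{print $3;}')
      if [[ $v -lt 6 ]]; then
        echo "Updating util-linux ..."
        yum update -y util-linux
        yum info installed util-linux
      fi
    }

    # Dispatch on the kernel/OS string. Any unrecognised OS is a failure so the
    # init container does not report success on a node it did not patch.
    echo "Detecting OS ..."
    if [[ "$OS_TYPE" =~ "amzn1" ]]; then
      echo "OS Matched amzn1 - $OS_TYPE"
      check_file "/tmp/install/$PKG_AL1.rpm"
      install_rpm "/tmp/install/$PKG_AL1.rpm"
      verify_rpm "$PKG_AL1"
    elif [[ "$OS_TYPE" =~ "amzn2" ]]; then
      echo "OS Matched amzn2 - $OS_TYPE"
      upgrade_util-linux
      check_file "/tmp/install/$PKG_AL2.rpm"
      install_rpm "/tmp/install/$PKG_AL2.rpm"
      verify_rpm "$PKG_AL2"
    elif [[ "$OS_TYPE" =~ "Debian" ]] || [[ "$OS_TYPE" =~ "Ubuntu" ]]; then
      echo "OS Matched Debian - $OS_TYPE"
      install_dpkg "$PKG_DEBIAN"
      verify_dpkg "$PKG_DEBIAN" "$VERSION_DEBIAN"
    else
      echo "No OS match for $OS_TYPE"
      exit 1
    fi
---
# One pod per Linux amd64/arm64 node (Fargate excluded). The privileged,
# hostPID init container does the patching; the only long-running container is
# a hardened pause image, so the pod holds no node privileges once patched.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-patch-installer
  namespace: node-configuration-daemonset
spec:
  selector:
    matchLabels:
      job: node-patch-installer
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # Quoted: the API accepts an int-or-string here and this is the string form.
      maxUnavailable: "33%"
  template:
    metadata:
      labels:
        job: node-patch-installer
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - arm64
                  - key: eks.amazonaws.com/compute-type
                    operator: NotIn
                    values:
                      - fargate
      # Required so the installer can act on the node's own processes; together
      # with "privileged" this is equivalent to root on the node.
      hostPID: true
      restartPolicy: Always
      # NOTE(review): nothing visible in this manifest calls the Kubernetes API
      # from inside the pod; automountServiceAccountToken: false would keep the
      # SA token out of both containers — confirm against the installer image.
      initContainers:
        # Supply chain: this image runs as root on every node. Prefer pinning it
        # by digest (image@sha256:<IMAGE_DIGEST placeholder>) in addition to the
        # tag so a re-tagged image cannot silently change what is executed.
        - image: public.ecr.aws/aws-containers/kubernetes-log4j-cve-2021-44228-mitigation:v0.0.3-5
          name: node-patch-installer
          securityContext:
            privileged: true
          volumeMounts:
            # install.sh from the ConfigMap lands at /tmp/install.sh in the container.
            - name: install-script
              mountPath: /tmp
            # Host's /tmp/install, the rpm staging directory install.sh reads from.
            - name: tmp-install
              mountPath: /host
          imagePullPolicy: Always
      volumes:
        - name: install-script
          configMap:
            name: node-patch-installer-script
        - name: tmp-install
          hostPath:
            path: /tmp/install
      serviceAccountName: node-patch-installer
      # Tolerate every taint so control-plane and cordoned-by-taint nodes are
      # patched as well.
      tolerations:
        - operator: Exists
      containers:
        - image: "public.ecr.aws/eks-distro/kubernetes/pause:3.6"
          name: pause
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all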