Closed
Description
Enhancement Needed
The following Kubernetes compliance findings are currently being raised in environments that use Amazon EKS on AWS Fargate, even though these workload types are not supported by Fargate:
• DaemonSet containers should not have privileged access
• DaemonSet containers should not allow privilege escalation
• DaemonSet containers should not run with host network access
• DaemonSet containers should run with a read-only root file system
• DaemonSet containers should not run with root privileges
• DaemonSet containers should have a CPU limit
• DaemonSet containers should have a memory limit
• DaemonSet containers should have a memory request
• Seccomp profile is set to docker/default in DaemonSet definition
These findings are invalid in Fargate environments because Fargate does not support DaemonSets or workloads that require direct node access.
Potential Solution
Implement a checker that determines whether the cluster or namespace is Fargate-based before running DaemonSet-related rules.
Expected Outcome
• DaemonSet-related checks are suppressed automatically in Fargate environments.
• Reports correctly distinguish between EC2-based EKS nodes (valid checks) and Fargate-only clusters (non-applicable checks).
• Reduces false positives and aligns output with AWS platform capabilities.
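One way to implement the Fargate-awareness check proposed above, as an added example that is not the project's own code: it models Fargate profile selectors in the shape returned by `aws eks describe-fargate-profile` (a `namespace` plus optional `labels`, all of which must match the pod), treats a cluster with Fargate profiles and no EC2 node groups as Fargate-only, and reports whether DaemonSet rules should run for a given manifest. The profile, node group and DaemonSet data are constructed samples.

```python
"""Decide whether DaemonSet compliance rules apply to an EKS workload."""

# Constructed sample: shape follows `aws eks describe-fargate-profile` output.
FARGATE_PROFILES = [
    {"fargateProfileName": "fp-apps",
     "selectors": [{"namespace": "default"},
                   {"namespace": "payments", "labels": {"compute": "fargate"}}]},
]
EC2_NODEGROUPS = ["ng-workers"]   # constructed: what `aws eks list-nodegroups` returns


def pod_matches_selector(namespace, labels, selector):
    """AWS semantics: namespace must match and every selector label must be on the pod."""
    if selector.get("namespace") != namespace:
        return False
    wanted = selector.get("labels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def is_fargate_scheduled(namespace, labels, profiles):
    """True if a pod with this namespace/labels would be placed on Fargate."""
    return any(pod_matches_selector(namespace, labels, sel)
               for profile in profiles for sel in profile.get("selectors", []))


def is_fargate_only_cluster(profiles, ec2_nodegroups):
    """No EC2 node groups and at least one Fargate profile: nothing can run a DaemonSet."""
    return bool(profiles) and not ec2_nodegroups


def daemonset_rules_apply(daemonset, profiles, ec2_nodegroups):
    """Return (applies, reason). DaemonSet rules are skipped where pods cannot land on a node."""
    if is_fargate_only_cluster(profiles, ec2_nodegroups):
        return False, "cluster has no EC2 node groups; Fargate does not run DaemonSets"
    namespace = daemonset["metadata"].get("namespace", "default")
    pod_labels = daemonset["spec"]["template"]["metadata"].get("labels", {})
    if is_fargate_scheduled(namespace, pod_labels, profiles):
        return False, f"pod template matches a Fargate profile selector in namespace {namespace!r}"
    return True, "DaemonSet pods schedule onto EC2 nodes"


def sample_daemonset(namespace, labels=None):
    """Constructed minimal DaemonSet manifest for demonstration."""
    return {"kind": "DaemonSet", "metadata": {"name": "agent", "namespace": namespace},
            "spec": {"template": {"metadata": {"labels": labels or {}}}}}


if __name__ == "__main__":
    for ns, lbl in [("kube-system", None), ("default", None), ("payments", {"compute": "fargate"})]:
        print(ns, daemonset_rules_apply(sample_daemonset(ns, lbl), FARGATE_PROFILES, EC2_NODEGROUPS))
```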