title #10
Open
wants to merge 1 commit into base: master

Conversation

bridgecrew-dev[bot]

Bridgecrew has created this PR to fix one or more resources in the infrastructure files of this project.

Changes included in this PR:

  • /terraform/azure/aks.tf:azurerm_kubernetes_cluster.k8s_cluster

Below are the Policies fixed in this PR:

Policy | Details
Ensure that only critical system pods run on system nodes | View
Please check the changes in this PR to ensure they do not introduce conflicts to your project.


@bridgecrew-dev bridgecrew-dev bot left a comment

Bridgecrew has found errors in this PR ⬇️

@@ -7,6 +7,7 @@ resource azurerm_kubernetes_cluster "k8s_cluster" {
type = "SystemAssigned"
}
default_node_pool {
only_critical_addons_enabled = true
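Review bot: `only_critical_addons_enabled = true` on `default_node_pool` taints the system pool with `CriticalAddonsOnly=true:NoSchedule`, so nothing but system add-ons can schedule there, and this hunk adds no user node pool; if `k8s_cluster` has only this default pool, application workloads will sit in Pending after apply. Pair the change with an `azurerm_kubernetes_cluster_node_pool` with `mode = "User"`, and read the `terraform plan` output for a forced replacement of the cluster, since older azurerm provider versions treat this attribute on the default pool as ForceNew.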

LOW  Ensure AKS uses disk encryption set
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_KUBERNETES_8 | Checkov ID: CKV_AZURE_117

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  ...
+ disk_encryption_set_id = "someId"
}

Description

Disk encryption is a security measure that encrypts the data on a disk to protect it from unauthorized access or tampering.
When disk encryption is enabled for AKS, it encrypts the data on the disks that are used by the nodes in your cluster.
This can help to protect your data from being accessed or modified by unauthorized users, even if the disks are physically stolen or the data is accessed from an unauthorized location.

LOW  Ensure AKS uses Azure policies add-on
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_KUBERNETES_7 | Checkov ID: CKV_AZURE_116

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  ...
+ addon_profile {
+   azure_policy {
+     enabled = true
+   }
+ }
}

Description

Azure Policy Add-on for AKS extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

LOW  Ensure Kubernetes dashboard is disabled
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_KUBERNETES_5 | Checkov ID: CKV_AZURE_8

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  ...
+ addon_profile {
+   kube_dashboard {
+     enabled = false
+   }
+ }
  ...
}

Description

The Terraform provider for Azure provides the capability to disable the Kubernetes dashboard on an AKS cluster.
This is achieved by providing the Kubernetes dashboard as an AKS add-on like the Azure Monitor for containers integration, AKS virtual nodes, or HTTP application routing.
The dashboard add-on is disabled by default for all new clusters created on Kubernetes 1.18 or greater.
In mid-2019 Tesla was hacked and their Kubernetes dashboard was open to the internet.
Hackers browsed around and found credentials, eventually managing to deploy pods running bitcoin mining software.
We recommend you disable the Kubernetes dashboard to prevent the need to manage its individual access interface, eliminating it as an attack vector.

MEDIUM  Ensure Azure AKS enable RBAC is enforced
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_KUBERNETES_2 | Checkov ID: CKV_AZURE_5

How to Fix

resource "azurerm_kubernetes_cluster" "pike" {
...
+ role_based_access_control_enabled = true
...
}

Description

AKS can be configured to use Azure Active Directory (AD) and Kubernetes Role-based Access Control (RBAC).
RBAC is designed to work on resources within your AKS clusters.
With RBAC, you can create a role definition that outlines the permissions to be applied.
A user or group is then assigned this role definition for a particular scope, which could be an individual resource, a resource group, or across the subscription.
We recommend you sign in to an AKS cluster using an Azure AD authentication token and configure Kubernetes RBAC.
This will limit access to cluster resources based on a user's identity or group membership.

Benchmarks

  • CIS AZURE V1.1 8.5
  • CIS AZURE V1.3 8.5

LOW  Ensure AKS cluster network policies are enforced
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_KUBERNETES_4 | Checkov ID: CKV_AZURE_7

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  ...
  network_profile {
+   network_policy = "azure"
  }
  ...
}

Description

Network policy options in AKS include two ways to implement a network policy.
You can choose between Azure Network Policies or Calico Network Policies.
In both cases, the underlying controlling layer is based on Linux IPTables to enforce the specified policies.
Policies are translated into sets of allowed and disallowed IP pairs.
These pairs are then programmed as IPTable rules.
The principle of least privilege should be applied to how traffic can flow between pods in an AKS cluster.
We recommend you select a preferred network policy framework and enforce granular usage-based policies on the architecture and business logic of your applications.

LOW  Ensure AKS cluster upgrade channel is chosen
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_NETWORKING_66 | Checkov ID: CKV_AZURE_171

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

+ automatic_channel_upgrade = "stable"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "production"
  }
}

MEDIUM  Ensure ephemeral disks are used for OS disks
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_KUBERNETES_17 | Checkov ID: CKV_AZURE_226

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  ...
  default_node_pool {
    ...
    os_disk_type = "Ephemeral"
    ...
  }
  ...
}

Description

This policy checks if ephemeral disks are being used for Operating System (OS) disks in Azure. The use of ephemeral disks for OS disks has several benefits including improved read/write speeds and reduced costs, as they are directly attached to the virtual machine and are not billed separately. Not using ephemeral disks could lead to slower application performance and increased costs.

MEDIUM  Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_GENERAL_98 | Checkov ID: CKV_AZURE_172

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  key_vault_secrets_provider {
+    secret_rotation_enabled = true
  }

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "production"
  }
}

Description

Secrets auto-rotation is crucial for maintaining a secure AKS environment. The Secrets Store CSI Driver for AKS should be configured to auto-rotate secrets. This ensures that if a secret is compromised, it will be rotated according to policy and limit the damage a bad actor can do.

This policy checks that auto-rotation of Secrets Store CSI Driver secrets is enabled for AKS clusters.

HIGH  Ensure that the AKS cluster encrypt temp disks, caches, and data flows
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_KUBERNETES_18 | Checkov ID: CKV_AZURE_227

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  ...
  default_node_pool {
+   enable_host_encryption = true
    ...
  }
}

Description

This policy checks to verify if the Azure Kubernetes Service (AKS) cluster encrypts temporary disks, caches, and data flows. It's bad not to have encryption because it can lead to unauthorized data access or data loss. Encrypting these disk resources ensures that all data is unreadable by anyone without the correct encryption key, thereby mitigating risks related to data confidentiality and integrity. Without such a policy in place, sensitive data might be exposed to potential threats, making the system vulnerable to harmful security breaches.

LOW  Ensure AKS enables private clusters
    Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID: BC_AZR_KUBERNETES_6 | Checkov ID: CKV_AZURE_115

How to Fix

resource "azurerm_kubernetes_cluster" "example" {
  ...
+ private_cluster_enabled = true
}

Description

Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only.
This is a common requirement in many regulatory and industry compliance standards.
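Added example, not code from this PR or from Bridgecrew: a single `azurerm_kubernetes_cluster` resource that applies every fix the comments above ask for (disk encryption set, Azure Policy add-on, RBAC backed by Azure AD, network policy, upgrade channel, ephemeral OS disk with host encryption, CSI secret rotation, private cluster) together with the `only_critical_addons_enabled` change this PR makes and the user node pool that change then requires. It assumes the azurerm 3.x provider (where the 2.x `addon_profile` block shown in the comments becomes `azure_policy_enabled`, and no dashboard setting exists because the add-on is gone from current AKS versions), an existing `azurerm_resource_group.example`, an `azurerm_disk_encryption_set.aks`, an `EncryptionAtHost` feature registration on the subscription, and a placeholder admin group object ID.

```hcl
resource "azurerm_kubernetes_cluster" "hardened" {
  name                = "example-aks-hardened"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "example-aks-hardened"
  # CKV_AZURE_115: keep API-server traffic on the private network
  private_cluster_enabled = true
  # CKV_AZURE_5, CKV_AZURE_116, CKV_AZURE_171
  role_based_access_control_enabled = true
  azure_policy_enabled              = true
  automatic_channel_upgrade         = "stable"
  # CKV_AZURE_117: customer-managed key for node disks (assumed DES resource)
  disk_encryption_set_id = azurerm_disk_encryption_set.aks.id
  # Azure AD-backed Kubernetes RBAC; the admin group object ID is a placeholder
  azure_active_directory_role_based_access_control {
    managed                = true
    admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"]
  }
  # CKV_AZURE_172: rotate Key Vault secrets mounted through the CSI driver
  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }
  # System pool: critical add-ons only (this PR), ephemeral OS disk
  # (CKV_AZURE_226), host encryption (CKV_AZURE_227, needs EncryptionAtHost)
  default_node_pool {
    name                         = "system"
    vm_size                      = "Standard_D4s_v3"
    node_count                   = 2
    only_critical_addons_enabled = true
    os_disk_type                 = "Ephemeral"
    enable_host_encryption       = true
  }
  # CKV_AZURE_7: the Azure network policy engine requires the azure CNI plugin
  network_profile {
    network_plugin = "azure"
    network_policy = "azure"
  }
  identity {
    type = "SystemAssigned"
  }
}

# CriticalAddonsOnly taints the system pool, so workloads need a user pool;
# the per-pool disk settings are repeated here.
resource "azurerm_kubernetes_cluster_node_pool" "user" {
  name                   = "user"
  kubernetes_cluster_id  = azurerm_kubernetes_cluster.hardened.id
  mode                   = "User"
  vm_size                = "Standard_D4s_v3"
  os_disk_type           = "Ephemeral"
  enable_host_encryption = true
}
```

For `os_disk_type = "Ephemeral"` the OS disk must fit in the VM SKU's cache, so pick the SKU (and any explicit `os_disk_size_gb`) with that limit in mind.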
