You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Disk encryption is a security measure that encrypts the data on a disk to protect it from unauthorized access or tampering.
When disk encryption is enabled for AKS, it encrypts the data on the disks that are used by the nodes in your cluster.
This can help to protect your data from being accessed or modified by unauthorized users, even if the disks are physically stolen or the data is accessed from an unauthorized location.
Azure Policy Add-on for AKS extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
The Terraform provider for Azure provides the capability to disable the Kubernetes dashboard on an AKS cluster.
This is achieved by providing the Kubernetes dashboard as an AKS add-on like the Azure Monitor for containers integration, AKS virtual nodes, or HTTP application routing.
The dashboard add-on is disabled by default for all new clusters created on Kubernetes 1.18 or greater.
In mid-2019 Tesla was hacked and their Kubernetes dashboard was open to the internet.
Hackers browsed around and found credentials, eventually managing to deploy pods running bitcoin mining software.
We recommend you disable the Kubernetes dashboard to prevent the need to manage its individual access interface, eliminating it as an attack vector.
AKS can be configured to use Azure Active Directory (AD) and Kubernetes Role-based Access Control (RBAC).
RBAC is designed to work on resources within your AKS clusters.
With RBAC, you can create a role definition that outlines the permissions to be applied.
A user or group is then assigned this role definition for a particular scope, which could be an individual resource, a resource group, or across the subscription.
We recommend you sign in to an AKS cluster using an Azure AD authentication token and configure Kubernetes RBAC.
This will limit access to cluster resources based a user's identity or group membership.
Network policy options in AKS include two ways to implement a network policy.
You can choose between Azure Network Policies or Calico Network Policies.
In both cases, the underlying controlling layer is based on Linux IPTables to enforce the specified policies.
Policies are translated into sets of allowed and disallowed IP pairs.
These pairs are then programmed as IPTable rules.
The principle of least privilege should be applied to how traffic can flow between pods in an AKS cluster.
We recommend you select a preferred network policy framework and enforce granular usage-based policies on the architecture and business logic of you applications.
The AKS API server receives requests to perform actions in the cluster , for example, to create resources, and scale the number of nodes.
The API server provides a secure way to manage a cluster.
To enhance cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.
These IP ranges allow defined IP address ranges to communicate with the API server.
A request made to the API server from an IP address that is not part of these authorized IP ranges is blocked.
Disabling the local admin account for your Azure Kubernetes Service (AKS) cluster can help improve the security of your cluster.
The local admin account has full access to all resources within the cluster, and can make any changes to the cluster and its contents.
For production-grade Azure Kubernetes Service (AKS) deployments, it's recommended to use the Paid SKU to enable an Uptime SLA for the control plane components. The Uptime SLA ensures availability and redundancy for your AKS cluster, making it more resilient to outages.
This policy checks to make sure that AKS clusters are configured to use the "Standard" SKU tier, which includes the Uptime SLA.
This policy checks if ephemeral disks are being used for Operating System (OS) disks in Azure. The use of ephemeral disks for OS disks has several benefits including improved read/write speeds and reduced costs, as they are directly attached to the virtual machine and are not billed separately. Not using ephemeral disks could lead to slower application performance and increased costs.
Secrets auto-rotation is crucial for maintaining a secure AKS environment. The Secrets Store CSI Driver for AKS should be configured to auto-rotate secrets. This ensures that if a secret is compromised, it will be rotated according to policy and limit the damage a bad actor can do.
This policy checks that auto-rotation of Secrets Store CSI Driver secrets is enabled for AKS clusters.
This policy checks to verify if the Azure Kubernetes Service (AKS) cluster encrypts temporary disks, caches, and data flows. It's bad not to have encryption because it can lead to unauthorized data access or data loss. Encrypting these disk resources ensures that all data is unreadable by anyone without the correct encryption key, thereby mitigating risks related to data confidentiality and integrity. Without such a policy in place, sensitive data might be exposed to potential threats, making the system vulnerable to harmful security breaches.
Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only.
This is a common requirement in many regulatory and industry compliance standards.
name = "default"
vm_size = "Standard_D2_v2"
node_count = 2
Expand Down
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resource: azurerm_kubernetes_cluster.k8s_cluster | Bridgecrew ID:
BC_AZR_KUBERNETES_8| Checkov ID: CKV_AZURE_117How to Fix
Description
Disk encryption is a security measure that encrypts the data on a disk to protect it from unauthorized access or tampering.
When disk encryption is enabled for AKS, it encrypts the data on the disks that are used by the nodes in your cluster.
This can help to protect your data from being accessed or modified by unauthorized users, even if the disks are physically stolen or the data is accessed from an unauthorized location.