Azure AKS Security Hardening


Hello Folks!!

 

I am back with a new blog. This time I will try to give a brief overview of Azure AKS security and its baseline. Let's gooo!!!!

 

What is Azure AKS - 

 

Azure Kubernetes Service (AKS) offers the quickest way to start developing and deploying cloud-native apps in Azure, in datacenters, or at the edge, with built-in code-to-cloud pipelines and guardrails. It is widely used as a scalable platform nowadays. Current application requirements include scaling, performance and, most importantly, zero downtime, all of which the AKS service of Azure covers.
Containerizing an application on AKS is the best way to reduce downtime and optimize the cost of your infrastructure.

 

AKS features and benefits

The primary benefits of AKS are flexibility, automation and reduced management overhead for administrators and developers. For example, AKS automatically configures the Kubernetes control plane nodes that control and manage the worker nodes during the deployment process, and handles a range of other tasks, including Azure Active Directory (Azure AD) integration, connections to monitoring services and configuration of advanced networking features such as HTTP application routing. Users can monitor a cluster directly or view all clusters with Azure Monitor.

 

Now that we have a brief overview of Azure AKS, let's move on to the security features Azure offers for it, which we can call the Azure security baseline for AKS -

 


Security related to AKS

 

1) Related to Networking -

 

By default, a network security group and a route table are automatically created with the creation of a Microsoft Azure Kubernetes Service (AKS) cluster. AKS automatically modifies the network security groups for appropriate traffic flow as services are created with load balancers, port mappings, or ingress routes.

 

Use AKS network policies to limit network traffic by defining rules for ingress and egress traffic between Linux pods in a cluster, based on namespaces and label selectors. Network policies allow filtering of traffic not only entering AKS from outside but also traffic moving between workloads already inside it. Since namespaces were mentioned: a namespace in AKS is a virtual environment that is separated within the Kubernetes cluster, and network rules can also be scoped to a particular namespace.
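Added example, not code from the original post: a small evaluator for the NetworkPolicy ingress semantics just described (namespace and label selectors, default deny plus an allow-list rule), run over constructed sample pods and policies. Pod names, namespaces, labels and the port are assumptions.

```python
# Constructed sample pods (not from a real cluster): namespace, namespace labels, pod labels.
PODS = {
    "web":  {"ns": "shop",  "ns_labels": {"team": "shop"},     "labels": {"app": "web"}},
    "api":  {"ns": "shop",  "ns_labels": {"team": "shop"},     "labels": {"app": "api"}},
    "db":   {"ns": "shop",  "ns_labels": {"team": "shop"},     "labels": {"app": "db"}},
    "scan": {"ns": "tools", "ns_labels": {"team": "platform"}, "labels": {"app": "scanner"}},
}

# Constructed policies in the shape of NetworkPolicy .spec ("namespace" stands for metadata.namespace).
POLICIES = [
    # Default deny: selects every pod in "shop" for Ingress and lists no allow rules.
    {"namespace": "shop", "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}},
    # Re-open one path: db accepts TCP/5432 only from app=api pods in namespaces labelled team=shop.
    {"namespace": "shop", "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "shop"}},
                               "podSelector": {"matchLabels": {"app": "api"}}}],
                     "ports": [{"protocol": "TCP", "port": 5432}]}]}},
]

def matches(selector, labels):
    """An empty selector matches everything; every matchLabels entry must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, src, policy_ns):
    """'from' entry: namespaceSelector AND podSelector; a podSelector alone is scoped to the policy's namespace."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["ns"] != policy_ns:
        return False
    return matches(peer.get("podSelector", {}), src["labels"])

def rule_allows(rule, src, policy_ns, port):
    """A rule with no 'from' admits any source; a rule with no 'ports' admits any port."""
    from_ok = "from" not in rule or any(peer_allows(p, src, policy_ns) for p in rule["from"])
    port_ok = "ports" not in rule or any(p.get("port") == port for p in rule["ports"])
    return from_ok and port_ok

def ingress_allowed(src_name, dst_name, port):
    """Unselected pods accept everything; selected pods accept only traffic matching a rule of some selecting policy."""
    src, dst = PODS[src_name], PODS[dst_name]
    selecting = [p for p in POLICIES if p["namespace"] == dst["ns"]
                 and "Ingress" in p["spec"].get("policyTypes", [])
                 and matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True
    return any(rule_allows(r, src, p["namespace"], port)
               for p in selecting for r in p["spec"].get("ingress", []))
```

Note that the "tools" namespace has no policy at all, so its pods stay reachable from anywhere; the default-deny policy has to be created per namespace.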

 

 

2) Using the traditional method (i.e. authentication from Azure AD or role creation) for AKS -

 

Kubernetes includes security components such as pod security and node security. Meanwhile, Azure includes components like Azure Active Directory, Azure Policy, Azure Key Vault, and orchestrated cluster upgrades. AKS combines these security components to:

  • Provide a complete authentication and authorization story.
  • Leverage the AKS built-in Azure Policy add-on to secure your applications.
  • Keep the passwords and keys that developers authenticate with in Azure Key Vault.
  • Set up policies such as Azure AD Conditional Access for better security.

 

3) Using Azure Application Gateway and WAF - 

 

Use an Azure Application Gateway with Web Application Firewall (WAF) enabled in front of an AKS cluster to provide an additional layer of security by filtering the incoming traffic to your web applications.

The Web Application Firewall uses a set of rules to filter out traffic before it gets injected into your cluster or nodes.

 

The Application Gateway also acts as a proxy for all the traffic, and you can configure a route table to route the traffic once it enters the Application Gateway.
The Application Gateway also provides an external IP, so the IP on which your application or pods are actually running is not exposed.

Also consider using an API gateway for authentication, authorization, and monitoring of the APIs used in your AKS environment. It acts as a front door to the microservices and decreases their complexity by removing the burden of handling cross-cutting concerns.


4) Configure central security log management -

 

Enable audit logs from the Azure Kubernetes Service (AKS) master components, kube-apiserver and kube-controller-manager, which are provided as a managed service. The following identities appear as display names in the audit log:

  • kube-audit aksService: the display name in the audit log for control plane operations.

  • masterclient: the display name in the audit log for MasterClientCertificate, the certificate that you get from `az aks get-credentials`.

  • nodeclient: the display name for the client certificate used by the agent nodes.

You can also export these logs to Log Analytics. Use Log Analytics workspaces to query and analyze them, and use Azure Blob Storage to store and archive the logs with the various tier options available in Azure.
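As an added example (not from the original post), here is detection logic run over constructed kube-audit records in the Kubernetes audit Event shape, the kind of JSON you would query once these logs are exported. The identity names follow the list above; the user names, namespaces, object names and the rule choices are constructed assumptions.

```python
import json
# Constructed sample kube-audit records in the Kubernetes audit Event shape; not data from a real cluster.
SAMPLE_AUDIT_LOG = [
    json.dumps({"verb": "get", "user": {"username": "masterclient", "groups": ["system:masters"]},
                "objectRef": {"resource": "secrets", "namespace": "shop", "name": "db-creds"},
                "responseStatus": {"code": 200}}),
    json.dumps({"verb": "create", "user": {"username": "alice@contoso.example"},
                "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "shop", "name": "web-0"},
                "responseStatus": {"code": 101}}),
    json.dumps({"verb": "get", "user": {"username": "nodeclient"},
                "objectRef": {"resource": "nodes", "name": "aks-nodepool1-0"},
                "responseStatus": {"code": 200}}),
    json.dumps({"verb": "list", "user": {"username": "bob@contoso.example"},
                "objectRef": {"resource": "secrets", "namespace": "shop"},
                "responseStatus": {"code": 403}}),
]

def is_system_identity(username):
    # Kubernetes system accounts plus the AKS display names listed above for the control plane and nodes.
    return username.startswith("system:") or username in ("aksService", "nodeclient")

def evaluate(event):
    """Return the names of the detection rules one audit event triggers (in a fixed order)."""
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef", {})
    code = event.get("responseStatus", {}).get("code", 0)
    hits = []
    # masterclient is the shared cluster-admin certificate; with Azure AD integration people should
    # show up as AD users, so any use of this non-attributable identity deserves a review.
    if user == "masterclient":
        hits.append("shared-admin-cert")
    # Successful secret reads by anything other than a system identity.
    if (ref.get("resource") == "secrets" and event.get("verb") in ("get", "list", "watch")
            and 200 <= code < 300 and not is_system_identity(user)):
        hits.append("secret-read")
    # Interactive shells into containers bypass the normal deployment path.
    if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
        hits.append("pod-exec")
    if code == 403:  # RBAC denial: a misconfigured identity or someone probing
        hits.append("forbidden")
    return hits

def scan_audit_log(lines):
    """Parse JSON audit lines into (rule, username, 'verb resource namespace/name') findings."""
    findings = []
    for line in lines:
        event = json.loads(line)
        ref = event.get("objectRef", {})
        target = f"{event.get('verb')} {ref.get('resource')} {ref.get('namespace', '-')}/{ref.get('name', '-')}"
        for rule in evaluate(event):
            findings.append((rule, event.get("user", {}).get("username", ""), target))
    return findings
```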

 

5) Approving locations in Azure -

 

Use Conditional Access named locations to allow access to Azure Kubernetes Service (AKS) clusters only from specific logical groupings of IP address ranges or countries/regions. This requires AKS to be integrated with Azure Active Directory (Azure AD) for authentication.

 

Limit access to the AKS API server to a limited set of IP address ranges, since it receives the requests that perform actions in the cluster, such as creating resources or scaling the number of nodes.

 

If you want to know how to configure these named locations, see this Azure link -

https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-nam...

 

 

6) Isolate the systems that store data -

 

Logically isolate teams and workloads in the same cluster with Azure Kubernetes Service (AKS) to grant the least privilege, scoped to the resources required by each team.

Use Kubernetes namespaces to create a logical isolation boundary.

 

You can also use separate subscriptions or a separate working area of the AKS cluster for the pods that hold sensitive information or any type of database, which are prone to attacks.

 

7) Encrypt all sensitive information -

It is always good to encrypt data that is exposed to the internet with HTTPS.

You can create an HTTPS ingress and use your own TLS certificates for your Azure Kubernetes Service (AKS) deployments.

 

Kubernetes egress traffic is encrypted over HTTPS/TLS by default. You should review any potentially unencrypted egress traffic from your AKS instances; this may include NTP traffic, DNS traffic and, in some cases, HTTP traffic for retrieving updates.

 

These are some of the methods for hardening and maintaining your AKS cluster's security.
There are also many third-party applications that you can integrate with your AKS cluster, but I would recommend using them wisely. Go through their files and the changes they will make to your cluster.

Thanks!!!!!

 
