Kubernetes is a complex system with multiple components working in tandem. Though AKS is a managed Kubernetes offering, it still requires operators to take care of the security across the components. In this context, the document outlines the various security measures recommended across the Host, Cluster, API Server, Pods, and the supply chain for images.
Authentication and authorization are the primary mechanisms for restricting access to a cluster. It is essential to use strong authentication and authorization to limit user and administrator access and to reduce the attack surface.
Use TLS for all ingress definitions through a trusted CA like Let's Encrypt
Kubernetes cluster security involves securing the host, the cluster, and the pods; each of these layers should be hardened. In addition, the container image supply chain should be secured by scanning images for known vulnerabilities and misconfigurations.
Host-level monitoring has a limitation on AKS clusters backed by VMSS: it depends on the Log Analytics agent, which is currently not supported in this setup. An enhanced daemonset approach will be released soon to address this limitation.
Static image scanning for all images in ACR. Image scans are performed by Qualys and include all images when they are pushed to the registry, imported into the registry, or pulled within the last 30 days.
Shift left in image scanning by integrating scans in the CI/CD pipelines. Azure Defender's CI/CD scanning is powered by Aqua Trivy
A task is available for GitHub workflows; ADO tasks are on the roadmap.
Continuous image scanning and drift detection are in development.
Use open-source Falco or other commercial offerings for immediate needs.
Automation of loading the AppArmor and SecComp profiles should ensure that they are applied to the nodes before any pods get scheduled. Consider a daemonset approach to overcome the race condition.
Opt out of automounting API credentials for a service account by setting automountServiceAccountToken: false on the service account. Pods that genuinely need API access can opt back in by setting the same field to true in their pod spec, which takes precedence over the service account setting.
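As an added example (not part of the original guidance), the following Python audit applies the precedence rule Kubernetes uses between a pod's spec and its ServiceAccount, and lists the pods that would still receive a token mount. The sample objects are constructed inline in the shape of kubectl -o json items; in a real cluster you would feed it the output of kubectl get serviceaccounts,pods -A -o json.

```python
"""Audit which pods would receive an automounted service-account token.

Kubernetes precedence: pod.spec.automountServiceAccountToken, if set, wins;
otherwise the ServiceAccount's automountServiceAccountToken applies;
if neither is set, the token is mounted (the default is true).
"""

# Constructed sample objects in the shape of `kubectl get ... -o json` items
SERVICE_ACCOUNTS = [
    {"metadata": {"name": "default", "namespace": "payments"}},
    {"metadata": {"name": "batch", "namespace": "payments"},
     "automountServiceAccountToken": False},
]

PODS = [
    # uses the namespace default SA, which has no opt-out: token mounted
    {"metadata": {"name": "web", "namespace": "payments"},
     "spec": {"serviceAccountName": "default"}},
    # inherits the opt-out from the "batch" SA: no token
    {"metadata": {"name": "worker", "namespace": "payments"},
     "spec": {"serviceAccountName": "batch"}},
    # pod spec overrides the SA opt-out: token mounted
    {"metadata": {"name": "controller", "namespace": "payments"},
     "spec": {"serviceAccountName": "batch",
              "automountServiceAccountToken": True}},
]


def token_mounted(pod, service_accounts):
    """Return True if the pod gets a token volume under the precedence rule."""
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    ns = pod["metadata"]["namespace"]
    sa_name = spec.get("serviceAccountName", "default")
    for sa in service_accounts:
        if sa["metadata"]["namespace"] == ns and sa["metadata"]["name"] == sa_name:
            sa_setting = sa.get("automountServiceAccountToken")
            return True if sa_setting is None else bool(sa_setting)
    return True  # SA not found in the snapshot: assume the default (mounted)


def pods_with_tokens(pods, service_accounts):
    """Names of pods that would receive an API token mount."""
    return [p["metadata"]["name"] for p in pods if token_mounted(p, service_accounts)]


if __name__ == "__main__":
    for name in pods_with_tokens(PODS, SERVICE_ACCOUNTS):
        print(f"token automounted: {name}")
```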
Kubernetes emits a variety of logs across its components, and it is essential to log, monitor, and alert on all of them to identify potential threats. Monitoring the logs ensures that the services are secure and operating as intended.
Effective logging and monitoring is essential to secure any environment, and enabling Container Insights on an AKS cluster provides the required observability.
Create custom alerts as required. Refer to the sample log queries for table information.
Securing the complete surface of a Kubernetes cluster is essential, and the guidance above provides reasonable coverage. Though most of the concepts are specific to Azure services, the security considerations are generic and apply to any Kubernetes distribution. The concepts can also be implemented through third-party or OSS components in an AKS cluster.