Framework/Configurations/SVT/Services/KubernetesService.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
{
  "FeatureName": "KubernetesService",
  "Reference": "aka.ms/azsktcp/KubernetesService",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_KubernetesService_Deploy_Enable_Cluster_RBAC",
      "Description": "Cluster RBAC must be enabled in Kubernetes Service",
      "Id": "KubernetesService110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckClusterRBAC",
      "Rationale": "Enabling RBAC in a cluster lets you finely control access to various operations at the cluster/node/pod/namespace scopes for different stakeholders. Without RBAC enabled, every user has full access to the cluster which is a violation of the principle of least privilege. Note that Azure Kubernetes Service does not currently support other mechanisms to define authorization in Kubernetes (such as Attribute-based Access Control authorization or Node authorization).",
      "Recommendation": "RBAC flag must be enabled while creating the Kubernetes Service. Existing non-RBAC enabled Kubernetes Service clusters cannot currently be updated for RBAC use. Refer: https://docs.microsoft.com/en-us/azure/aks/aad-integration.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Deploy",
        "RBAC",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Enabled_AAD",
      "Description": "AAD should be enabled in Kubernetes Service",
      "Id": "KubernetesService120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAADEnabled",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/aks/aad-integration to configure AAD in Kubernetes Service.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthN",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "KubernetesService130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Kubernetes Service. Run command: Remove-AzRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Dont_Grant_ClusterAdmin_Permission_Developer",
      "Description": "Do not directly or indirectly grant cluster admin level access to developers",
      "Id": "KubernetesService140",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Cluster admin have full privileges to perform critical operations on Kubernetes cluster. Granting minimum required access ensures that developer are granted just enough permissions to perform their tasks.",
      "Recommendation": "Developer should be assigned 'Azure Kubernetes Service Cluster User Role' to Kubernetes Service. If you modify an existing role or create a custom role, be careful about operations that are granted to a developer. For example, if a developer can run the 'List clusterAdmin credential' operation, they can elevate access to cluster admin level.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_Deploy_Use_Latest_Version",
      "Description": "The latest version of Kubernetes should be used",
      "Id": "KubernetesService150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckKubernetesVersion",
      "Rationale": "Running on older versions could mean you are not using latest security classes. Usage of such old classes and types can make your application vulnerable.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/aks/upgrade-cluster.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Deploy",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Review_Image_Sources",
      "Description": "Make sure container images (including nested images) deployed in Kubernetes are from a trustworthy source",
      "Id": "KubernetesService160",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "No",
      "MethodName": "",
      "Rationale": "If a Kubernetes Service runs an untrusted container image (or an untrusted nested image), it can violate integrity of the infrastructure and lead to all types of security attacks.",
      "Recommendation": "Ensure that the source(s) for the container images comprising the Kubernetes Service are trustworthy. Review the repository locations specified in the YAML files for your environment and confirm that those locations will not have tampered/insecure images.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "KubernetesService"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Dont_Use_Default_Namespace",
      "Description": "Do not use the default cluster namespace to deploy applications",
      "Id": "KubernetesService170",
      "ControlSeverity": "Medium",
      "Enabled": true,
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Resources/Applications in same namespace will have same access control (RBAC) policies. Users are granted permission on default namespace if no other namespace is provided in rolebindings. As a result, the permissions in the default namespace might not be appropriate if your application/workload is sensitive. It is hence better to create a separate namespace.",
      "Recommendation": "Ensure that the applications in Kubernetes are not deployed in default namespace.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI",
        "KubernetesService"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Store_Secrets_in_Key_Vault",
      "Description": "All Kubernetes Service secrets should be stored in Key Vault",
      "Id": "KubernetesService180",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Keeping secrets such as DB connection strings, passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Refer: https://github.com/Azure/kubernetes-keyvault-flexvol for configuring Key Vault and storing secrets.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "DP",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Cluster_Node_Missing_OS_Patches",
      "Description": "All the Kubernetes cluster nodes must have all the required OS patches installed",
      "Id": "KubernetesService190",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Unpatched cluster nodes (VMs) are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "Recommendation": "Refer: https://github.com/weaveworks/kured for install patch and reboot management without impacting Kubernetes workloads.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Use_POD_Identity",
      "Description": "Pod Identity must be used for accessing other AAD-protected resources from the Kubernetes Service.",
      "Id": "KubernetesService200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Pod Identity allows your Kubernetes Service to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and eliminates the need to provision/manage/rotate any secrets thus reducing the overall risk.",
      "Recommendation": "Refer: https://github.com/Azure/aad-pod-identity to configure Pod Identity in your Kubernetes Cluster.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Review_Kube_Advisor_Issues",
      "Description": "Issues/recommendations provided by kube advisor should be reviewed periodically",
      "Id": "KubernetesService210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "The kube-advisor tool scans Kubernets cluster and reports on issues related to CPU and memory resource consumption limits. If resource quotas are not applied then by default pod consumes all the CPU and memory available, which impacts availability of another POD/application.",
      "Recommendation": "Refer: https://github.com/Azure/kube-advisor to scan Kubernetes cluster using Kube Advisor.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "SI",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Enable_Monitoring",
      "Description": "Monitoring must be enabled for Azure Kubernetes Service",
      "Id": "KubernetesService220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMonitoringConfiguration",
      "Rationale": "Auditing enables log collection of important system events pertinent to security. Regular monitoring of audit logs can help to detect any suspicious and malicious activity early and respond in a timely manner.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_NetSec_Dont_Open_Management_Ports",
      "Description": "Do not leave management ports open on Kubernetes nodes unless required",
      "Id": "KubernetesService230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNodeOpenPorts",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "NetSec",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Encrypt_Data_In_Transit",
      "Description": "Data transit inside/across Kubernetes must use encrypted channel",
      "Id": "KubernetesService240",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/aks/ingress-tls.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "KubernetesService250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "KubernetesService"
      ],
      "Enabled": true
    }
  ]
}