Secure Azure public AKS cluster

John 5 Reputation points
2023-05-03T16:03:50.41+00:00

I have deployed an AKS cluster using: https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-deploy-cluster?tabs=azure-cli

I have a 54% secure score and I am getting a number of security alerts in Microsoft Defender for Cloud through my security engineer, such as:

  1. Internet exposed Kubernetes pod is running a container with high severity vulnerabilities.
  2. Container registry images should have vulnerability findings resolved
  3. Container images should be deployed from trusted registries only
  4. Running container images should have vulnerability findings resolved
  5. Least privileged Linux capabilities should be enforced for containers
  6. Immutable (read-only) root filesystem should be enforced for containers
  7. Running containers as root user should be avoided
  8. Container with privilege escalation should be avoided
  9. Storage account public access should be disallowed
  10. Guest accounts with owner permissions on Azure resources should be removed
  11. Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method
  12. Kubernetes API server should be configured with restricted access
  13. Services should listen on allowed ports only
  14. Container registries should use private link
  15. Container registries should not allow unrestricted network access
  16. Storage account should use a private link connection
  17. Storage accounts should restrict network access using virtual network rules
  18. Firewall should be enabled on Key Vault
  19. Access to storage accounts with firewall and virtual network configurations should be restricted
  20. Subnets should be associated with a network security group
  21. [Enable if required] Container registries should be encrypted with a customer-managed key (CMK)
  22. [Enable if required] Storage accounts should use customer-managed key (CMK) for encryption
  23. [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
  24. Kubernetes clusters should disable automounting API credentials

I am very new to Kubernetes. I am looking at securing the cluster, but am unable to work out which things to prioritize. Can someone help me with the above points, or provide any reference links to execute them using the CLI or Terraform?

It would be a great help if there were any links to Terraform code on GitHub which takes care of everything for a public AKS cluster.

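Items 5, 6, 7, 8 and 24 in the list above are the ones that live entirely inside the pod manifest, so they are the cheapest to fix and a sensible place to start. The following is an added example, not code from the question, the answer or Microsoft's documentation: a small Python audit that walks a pod spec and reports which of those five recommendations it violates, with a constructed weak pod (no securityContext at all, as the tutorial's manifests have) beside a constructed hardened one. The image name and pod names are placeholders; the field names are the standard Kubernetes PodSpec and SecurityContext fields, and the numbers in the findings refer to the question's own list.

```python
from __future__ import annotations

# Added example: audit a pod spec against the pod-level Defender for Cloud
# recommendations from the question (items 5, 6, 7, 8 and 24). Pod specs
# below are constructed for illustration; image/pod names are placeholders.

RECOMMENDATIONS = {
    5: "Least privileged Linux capabilities should be enforced for containers",
    6: "Immutable (read-only) root filesystem should be enforced for containers",
    7: "Running containers as root user should be avoided",
    8: "Container with privilege escalation should be avoided",
    24: "Kubernetes clusters should disable automounting API credentials",
}


def audit_pod(pod: dict) -> list[tuple[int, str, str]]:
    """Return (recommendation number, container name, detail) per violation.

    Checks mirror Kubernetes defaults: a container-level securityContext
    overrides the pod-level one, and every unset field is the permissive default.
    """
    findings: list[tuple[int, str, str]] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Item 24: Kubernetes mounts a service-account token into every pod by default.
    if spec.get("automountServiceAccountToken", True):
        findings.append((24, "<pod>", "automountServiceAccountToken is not false"))

    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})

        # Item 5: least privilege means dropping ALL capabilities, then adding
        # back only what the process really needs.
        dropped = {c.upper() for c in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in dropped:
            findings.append((5, name, "capabilities.drop does not include ALL"))

        # Item 6: the root filesystem is writable unless explicitly made read-only.
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append((6, name, "readOnlyRootFilesystem is not true"))

        # Item 7: runAsNonRoot falls back to the pod-level setting; unset allows root.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append((7, name, "runAsNonRoot is not true"))

        # Item 8: privilege escalation (setuid binaries, file capabilities)
        # is allowed by default; a privileged container trivially escalates too.
        if sc.get("allowPrivilegeEscalation", True) or sc.get("privileged", False):
            findings.append((8, name, "allowPrivilegeEscalation/privileged not disabled"))

    return findings


def report(pod: dict) -> list[str]:
    """Human-readable lines, one per finding, for printing or ticketing."""
    return [f"[{num}] {RECOMMENDATIONS[num]} ({where}: {detail})"
            for num, where, detail in audit_pod(pod)]


# Constructed: the shape a tutorial manifest has, with no securityContext.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-weak"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example.azurecr.io/app:1.0"},  # placeholder image
        ],
    },
}

# Constructed: the same pod with the five pod-level recommendations applied.
# A writable emptyDir is mounted at /tmp so the read-only root FS does not
# break applications that need scratch space.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "app",
                "image": "example.azurecr.io/app:1.0",  # placeholder image
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            }
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        lines = report(pod)
        print(f"{label}: {len(lines)} finding(s)")
        for line in lines:
            print("  " + line)
```

Running it prints five findings for the weak pod and none for the hardened one. Note that the hardened spec is the target the Defender recommendations describe; whether a given workload tolerates a read-only root filesystem and a non-root UID still has to be tested per image, which is why the scratch volume is included.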

1 answer

  1. Cristian Gatjens 716 Reputation points Microsoft Employee
    2023-05-03T17:58:14.63+00:00

    Hello John,

    Thanks for reaching out and I hope you are doing well.

    I am not aware of any Terraform code on GitHub to automate security for public AKS clusters; however, we have our own AKS security best practices that can help mitigate some of those warnings, as there might be custom applications and configurations that should be handled by 3rd party providers:

    https://learn.microsoft.com/en-US/azure/aks/best-practices#security

    https://learn.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security

    https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-kubernetes-service-aks-security-baseline

    GitHub has some interesting links as well; the following example applies to private AKS clusters, though:

    https://github.com/knoldus/AKS_cluster_terraform_module_with_security_and_compliance_rules

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well. Feel free to reply with any other questions or concerns.

    Hope this helps!

