Protect your Kubernetes data plane hardening
This page describes how to use Microsoft Defender for Cloud's set of security recommendations dedicated to Kubernetes data plane hardening.
Tip
For a list of the security recommendations that might appear for Kubernetes clusters and nodes, see the Container recommendations section of the recommendations reference table.
Set up your workload protection
Microsoft Defender for Cloud includes a bundle of recommendations that become available once you've installed the Azure Policy add-on for Kubernetes or the Azure Policy extension for Kubernetes.
Prerequisites
- Add the Required FQDN/application rules for Azure policy.
- (For non AKS clusters) Connect an existing Kubernetes cluster to Azure Arc.
Enable Kubernetes data plane hardening
When you enable Microsoft Defender for Containers, protection for both Azure Kubernetes Service clusters and Azure Arc enabled Kubernetes clusters (Preview) is enabled by default. You can configure Kubernetes data plane hardening at the time you enable Microsoft Defender for Containers.
To enable Azure Kubernetes Service clusters and Azure Arc enabled Kubernetes clusters (Preview):
Sign in to the Azure portal.
Navigate to Microsoft Defender for Cloud > Environment settings.
Select the relevant subscription.
On the Defender plans page, ensure that Containers is toggled to On.
Select Configure.
On the Advanced configuration page, toggle each relevant component to On.
Select Save.
Configure Defender for Containers components
If you disabled any of the default protections when you enabled Microsoft Defender for Containers, you can change the configurations and reenable them.
To configure the Defender for Containers components:
Sign in to the Azure portal.
Navigate to Microsoft Defender for Cloud > Environment settings.
Select the relevant subscription.
In the Monitoring coverage column of the Defender for Containers plan, select Settings.
Ensure that Microsoft Defender for Containers components (preview) is toggled to On.
Select Edit configuration.
On the Advanced configuration page, toggle each relevant component to On.
Select Confirm.
Deploy the add-on to specified clusters
You can manually configure the Kubernetes data plane hardening add-on or extension protection through the Recommendations page. To do so, remediate either the recommendation Azure Policy add-on for Kubernetes should be installed and enabled on your clusters or the recommendation Azure policy extension for Kubernetes should be installed and enabled on your clusters.
To deploy the add-on to specified clusters:
From the Recommendations page, search for the recommendation Azure Policy add-on for Kubernetes should be installed and enabled on your clusters, or Azure policy extension for Kubernetes should be installed and enabled on your clusters.
Tip
The recommendation is included in five different security controls, and it doesn't matter which one you select in the next step.
From any of the security controls, select the recommendation to see the resources on which you can install the add-on.
Select the relevant cluster, and then select Remediate.
View and configure the bundle of recommendations
Approximately 30 minutes after the add-on installation completes, Defender for Cloud shows the clusters’ health status for the following recommendations, each in the relevant security control as shown:
Note
If you're installing the add-on for the first time, these recommendations will appear as new additions in the list of recommendations.
Tip
Some recommendations have parameters that must be customized via Azure Policy to use them effectively. For example, to benefit from the recommendation Container images should be deployed only from trusted registries, you'll have to define your trusted registries.
If you don't enter the necessary parameters for the recommendations that require configuration, your workloads will be shown as unhealthy.
Recommendation name | Security control | Configuration required
--- | --- | ---
Container CPU and memory limits should be enforced | Protect applications against DDoS attack | Yes
Container images should be deployed only from trusted registries | Remediate vulnerabilities | Yes
Least privileged Linux capabilities should be enforced for containers | Manage access and permissions | Yes
Containers should only use allowed AppArmor profiles | Remediate security configurations | Yes
Services should listen on allowed ports only | Restrict unauthorized network access | Yes
Usage of host networking and ports should be restricted | Restrict unauthorized network access | Yes
Usage of pod HostPath volume mounts should be restricted to a known list | Manage access and permissions | Yes
Container with privilege escalation should be avoided | Manage access and permissions | No
Containers sharing sensitive host namespaces should be avoided | Manage access and permissions | No
Immutable (read-only) root filesystem should be enforced for containers | Manage access and permissions | No
Kubernetes clusters should be accessible only over HTTPS | Encrypt data in transit | No
Kubernetes clusters should disable automounting API credentials | Manage access and permissions | No
Kubernetes clusters should not use the default namespace | Implement security best practices | No
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | Manage access and permissions | No
Privileged containers should be avoided | Manage access and permissions | No
Running containers as root user should be avoided | Manage access and permissions | No
For recommendations with parameters that need to be customized, set the parameters as follows:
Sign in to the Azure portal.
Navigate to Microsoft Defender for Cloud > Environment settings.
Select the relevant subscription.
From Defender for Cloud's menu, select Security policy.
Select the relevant assignment. The default assignment is ASC default.
Open the Parameters tab and modify the values as required.
Select Review + save.
Select Save.
To enforce any of the recommendations:
Open the recommendation details page and select Deny. This opens the pane where you set the scope.
When you've set the scope, select Change to deny.
To see which recommendations apply to your clusters:
Open Defender for Cloud's asset inventory page and set the resource type filter to Kubernetes services.
Select a cluster to investigate and review the recommendations available for it.
When viewing a recommendation from the workload protection set, you'll see the number of affected pods ("Kubernetes components") listed alongside the cluster. For a list of the specific pods, select the cluster and then select Take action.
To test the enforcement, use the two Kubernetes deployments below:
One is for a healthy deployment, compliant with the bundle of workload protection recommendations.
The other is for an unhealthy deployment, non-compliant with any of the recommendations.
Deploy the example .yaml files as-is, or use them as a reference to remediate your own workload (step VIII).
Healthy deployment example .yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-healthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        container.apparmor.security.beta.kubernetes.io/redis: runtime/default
    spec:
      containers:
      - name: redis
        image: <customer-registry>.azurecr.io/redis:latest
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 100m
            memory: 250Mi
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
---
apiVersion: v1
kind: Service
metadata:
  name: redis-healthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 80
    targetPort: 80
Unhealthy deployment example .yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-unhealthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - name: redis
        image: redis:latest
        ports:
        - containerPort: 9001
          hostPort: 9001
        securityContext:
          privileged: true
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: true
          runAsUser: 0
          capabilities:
            add:
            - NET_ADMIN
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
          readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /tmp
---
apiVersion: v1
kind: Service
metadata:
  name: redis-unhealthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 6001
    targetPort: 9001
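The recommendations in the table above, together with the two test manifests, as an added example that is not code from this page or from Defender for Cloud: a Python audit that evaluates a Deployment's pod template against those recommendations before the manifest is applied, so a pipeline can fail the same workloads the bundle would later mark unhealthy. The registry name, allowed ports and the other values in PARAMS are assumptions standing in for your Azure Policy assignment parameters. The healthy sample mirrors the page's healthy manifest but adds a namespace and sets automountServiceAccountToken to false explicitly; the checks approximate the policy definitions rather than reproduce them, and the "accessible only over HTTPS" recommendation, which concerns Ingress objects, is not covered.

```python
# Added example, not code from the Microsoft Learn page or from Defender for Cloud:
# a pre-deployment audit of a Deployment's pod template against the data plane
# hardening recommendations in the table above. It reads the object shape that
# `kubectl get deployment <name> -o json` returns (json.load() of that output
# yields the dicts used below). PARAMS is an assumption standing in for the
# Azure Policy assignment parameters you would set for the bundle.

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

PARAMS = {  # constructed policy parameters
    "trusted_registries": {"contoso.azurecr.io"},  # constructed registry name
    "allowed_ports": {80},
    "allowed_capabilities": set(),
    "allowed_host_paths": set(),
    "allowed_apparmor_profiles": {"runtime/default"},
}


def image_registry(image):
    """Registry host of an image reference; bare names like redis:latest resolve to docker.io."""
    first = image.split("/", 1)[0]
    # Docker reference rules: the first path segment is a registry only if it looks like a host.
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def audit_deployment(deployment, params):
    """Return the sorted list of recommendation names the deployment would violate."""
    failed = set()
    namespace = deployment.get("metadata", {}).get("namespace", "default")
    template = deployment["spec"]["template"]
    pod = template["spec"]
    annotations = template.get("metadata", {}).get("annotations", {})
    uses_host_network = bool(pod.get("hostNetwork"))

    if namespace == "default":
        failed.add("Kubernetes clusters should not use the default namespace")
    if pod.get("automountServiceAccountToken", True):  # Kubernetes default is true
        failed.add("Kubernetes clusters should disable automounting API credentials")
    if pod.get("hostPID") or pod.get("hostIPC"):
        failed.add("Containers sharing sensitive host namespaces should be avoided")
    for volume in pod.get("volumes", []):
        path = volume.get("hostPath", {}).get("path")
        if path is not None and path not in params["allowed_host_paths"]:
            failed.add("Usage of pod HostPath volume mounts should be restricted to a known list")
    for container in pod.get("containers", []) + pod.get("initContainers", []):
        # Container-level securityContext overrides pod-level fields of the same name.
        sc = {**pod.get("securityContext", {}), **container.get("securityContext", {})}
        limits = container.get("resources", {}).get("limits", {})
        if not (limits.get("cpu") and limits.get("memory")):
            failed.add("Container CPU and memory limits should be enforced")
        if image_registry(container["image"]) not in params["trusted_registries"]:
            failed.add("Container images should be deployed only from trusted registries")
        if annotations.get(APPARMOR_PREFIX + container["name"]) not in params["allowed_apparmor_profiles"]:
            failed.add("Containers should only use allowed AppArmor profiles")
        for port in container.get("ports", []):
            if port.get("containerPort") not in params["allowed_ports"]:
                failed.add("Services should listen on allowed ports only")
            if "hostPort" in port:
                uses_host_network = True
        if sc.get("privileged"):
            failed.add("Privileged containers should be avoided")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            failed.add("Container with privilege escalation should be avoided")
        if not sc.get("readOnlyRootFilesystem"):
            failed.add("Immutable (read-only) root filesystem should be enforced for containers")
        if not (sc.get("runAsNonRoot") or sc.get("runAsUser", 0) != 0):
            failed.add("Running containers as root user should be avoided")
        added = {c[4:] if c.startswith("CAP_") else c for c in sc.get("capabilities", {}).get("add", [])}
        if "SYS_ADMIN" in added:
            failed.add("Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities")
        if not added <= set(params["allowed_capabilities"]):
            failed.add("Least privileged Linux capabilities should be enforced for containers")
    if uses_host_network:
        failed.add("Usage of host networking and ports should be restricted")
    return sorted(failed)


# Constructed samples mirroring the page's two test manifests; the healthy one also
# sets a namespace and automountServiceAccountToken: false, which the page's YAML omits.
HEALTHY = {"metadata": {"name": "redis-healthy-deployment", "namespace": "redis"}, "spec": {"template": {
    "metadata": {"annotations": {APPARMOR_PREFIX + "redis": "runtime/default"}},
    "spec": {"automountServiceAccountToken": False, "containers": [{
        "name": "redis", "image": "contoso.azurecr.io/redis:latest", "ports": [{"containerPort": 80}],
        "resources": {"limits": {"cpu": "100m", "memory": "250Mi"}},
        "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False, "runAsNonRoot": True, "runAsUser": 1000}}]}}}}
UNHEALTHY = {"metadata": {"name": "redis-unhealthy-deployment"}, "spec": {"template": {"metadata": {}, "spec": {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/tmp"}}],
    "containers": [{"name": "redis", "image": "redis:latest", "ports": [{"containerPort": 9001, "hostPort": 9001}],
                    "securityContext": {"privileged": True, "readOnlyRootFilesystem": False,
                                        "allowPrivilegeEscalation": True, "runAsUser": 0,
                                        "capabilities": {"add": ["NET_ADMIN"]}}}]}}}}

if __name__ == "__main__":
    for label, manifest in (("healthy", HEALTHY), ("unhealthy", UNHEALTHY)):
        findings = audit_deployment(manifest, PARAMS)
        print(f"{label}: {len(findings)} recommendation(s) failed")
        for rec in findings:
            print("  -", rec)
```

To audit a live object instead of the constructed samples, pass `json.load()` of `kubectl get deployment <name> -o json` output to `audit_deployment`. The healthy sample produces no findings; the unhealthy sample trips fourteen of the sixteen recommendations, and note that it does not trip the CAP_SYS_ADMIN check, since NET_ADMIN is caught by the least-privileged-capabilities check instead.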
Next steps
In this article, you learned how to configure Kubernetes data plane hardening.
For other related material, see the following pages: