Protect your Kubernetes data plane hardening

This page describes how to use Microsoft Defender for Cloud's set of security recommendations dedicated to Kubernetes data plane hardening.

Tip

For a list of the security recommendations that might appear for Kubernetes clusters and nodes, see the Container recommendations of the recommendations reference table.

Set up your workload protection

Microsoft Defender for Cloud includes a bundle of recommendations that become available once you've installed the Azure Policy add-on for Kubernetes (on Azure Kubernetes Service clusters) or the Azure Policy extension for Kubernetes (on Azure Arc-enabled Kubernetes clusters).

Prerequisites

Enable Kubernetes data plane hardening

When you enable Microsoft Defender for Containers, protection for Azure Kubernetes Service clusters and for Azure Arc-enabled Kubernetes clusters (Preview) is enabled by default. You configure Kubernetes data plane hardening as part of enabling Microsoft Defender for Containers.

To enable protection for Azure Kubernetes Service clusters and Azure Arc-enabled Kubernetes clusters (Preview):

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Select the relevant subscription.

  4. On the Defender plans page, ensure that Containers is toggled to On.

  5. Select Configure.

    Screenshot showing where on the Defender plans page to select the Configure button.

  6. On the Advanced configuration page, toggle each relevant component to On.

    Screenshot showing the toggles used to enable or disable them.

  7. Select Save.

Configure Defender for Containers components

If you disabled any of the default protections when you enabled Microsoft Defender for Containers, you can change the configurations and reenable them.

To configure the Defender for Containers components:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Select the relevant subscription.

  4. In the Monitoring coverage column of the Defender for Containers plan, select Settings.

  5. Ensure that Microsoft Defender for Containers components (preview) is toggled to On.

    Screenshot showing that Microsoft Defender for Containers is toggled to on.

  6. Select Edit configuration.

    Screenshot showing the edit configuration button.

  7. On the Advanced configuration page, toggle each relevant component to On.

    Screenshot showing each option and the toggles to enable or disable them.

  8. Select Confirm.

Deploy the add-on to specified clusters

You can also configure the Kubernetes data plane hardening add-on or extension manually through the Recommendations page, by remediating the recommendation Azure Policy add-on for Kubernetes should be installed and enabled on your clusters (for AKS clusters) or Azure Policy extension for Kubernetes should be installed and enabled on your clusters (for Azure Arc-enabled clusters).

To deploy the add-on to specified clusters:

  1. From the recommendations page, search for the recommendation Azure Policy add-on for Kubernetes should be installed and enabled on your clusters, or Azure policy extension for Kubernetes should be installed and enabled on your clusters.

    Recommendation **Azure Policy add-on for Kubernetes should be installed and enabled on your clusters**.

    Tip

    The recommendation is included in five different security controls and it doesn't matter which one you select in the next step.

  2. From any of the security controls, select the recommendation to see the resources on which you can install the add-on.

  3. Select the relevant cluster, and Remediate.

    Recommendation details page for Azure Policy add-on for Kubernetes should be installed and enabled on your clusters.

View and configure the bundle of recommendations

  1. Approximately 30 minutes after the add-on installation completes, Defender for Cloud shows the clusters’ health status for the following recommendations, each in the relevant security control as shown:

    Note

    If you're installing the add-on for the first time, these recommendations appear as new additions in the list of recommendations.

    Tip

    Some recommendations have parameters that must be customized via Azure Policy to use them effectively. For example, to benefit from the recommendation Container images should be deployed only from trusted registries, you have to define your trusted registries.

    If you don't enter the necessary parameters for the recommendations that require configuration, your workloads are shown as unhealthy.

    | Recommendation name | Security control | Configuration required |
    |---|---|---|
    | Container CPU and memory limits should be enforced | Protect applications against DDoS attack | Yes |
    | Container images should be deployed only from trusted registries | Remediate vulnerabilities | Yes |
    | Least privileged Linux capabilities should be enforced for containers | Manage access and permissions | Yes |
    | Containers should only use allowed AppArmor profiles | Remediate security configurations | Yes |
    | Services should listen on allowed ports only | Restrict unauthorized network access | Yes |
    | Usage of host networking and ports should be restricted | Restrict unauthorized network access | Yes |
    | Usage of pod HostPath volume mounts should be restricted to a known list | Manage access and permissions | Yes |
    | Container with privilege escalation should be avoided | Manage access and permissions | No |
    | Containers sharing sensitive host namespaces should be avoided | Manage access and permissions | No |
    | Immutable (read-only) root filesystem should be enforced for containers | Manage access and permissions | No |
    | Kubernetes clusters should be accessible only over HTTPS | Encrypt data in transit | No |
    | Kubernetes clusters should disable automounting API credentials | Manage access and permissions | No |
    | Kubernetes clusters should not use the default namespace | Implement security best practices | No |
    | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | Manage access and permissions | No |
    | Privileged containers should be avoided | Manage access and permissions | No |
    | Running containers as root user should be avoided | Manage access and permissions | No |

For the recommendations whose parameters need to be customized, set the parameters as follows:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Select the relevant subscription.

  4. From Defender for Cloud's menu, select Security policy.

  5. Select the relevant assignment. The default assignment is ASC default.

  6. Open the Parameters tab and modify the values as required.

    Modifying the parameters for one of the recommendations in the Kubernetes data plane hardening protection bundle.

  7. Select Review + save.

  8. Select Save.

To enforce any of the recommendations:

  1. Open the recommendation details page and select Deny:

    Deny option for Azure Policy parameter.

    This opens the pane where you set the scope.

  2. When you've set the scope, select Change to deny. Deny is enforced by the policy add-on's admission webhook: requests to create or update a non-compliant pod are rejected, but non-compliant pods that are already running aren't stopped. Remediate the affected workloads shown for the cluster before switching to deny, or their next rollout fails.

To see which recommendations apply to your clusters:

  1. Open Defender for Cloud's asset inventory page and set the resource type filter to Kubernetes services.

  2. Select a cluster to investigate and review the recommendations available for it.

When viewing a recommendation from the workload protection set, you'll see the number of affected pods ("Kubernetes components") listed alongside the cluster. For a list of the specific pods, select the cluster and then select Take action.

Viewing the affected pods for a K8s recommendation.

To test the enforcement, use the two Kubernetes deployments below:

  • One is a healthy deployment, compliant with the bundle of workload protection recommendations.

  • The other is an unhealthy deployment, non-compliant with the recommendations.

Deploy the example .yaml files as-is, or use them as a reference to remediate your own workload. Both Deployments and both Services select the label app: redis, so deploy them into separate namespaces (or relabel one of them) if you want each Service to front only its own pods.

Healthy deployment example .yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-healthy-deployment
  # Deploy into a non-default namespace (for example, kubectl apply -n <namespace>)
  # to satisfy "Kubernetes clusters should not use the default namespace".
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        # Allowed AppArmor profile for the container named "redis"
        container.apparmor.security.beta.kubernetes.io/redis: runtime/default
    spec:
      # The pod doesn't call the Kubernetes API, so don't mount a service account token
      automountServiceAccountToken: false
      containers:
      - name: redis
        # Replace <customer-registry> with a registry you list in the trusted registries parameter
        image: <customer-registry>.azurecr.io/redis:latest
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 100m
            memory: 250Mi
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
          capabilities:
            drop:
              - ALL
---
apiVersion: v1
kind: Service
metadata:
  name: redis-healthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 80
    targetPort: 80

Unhealthy deployment example .yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-unhealthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      # No AppArmor annotation: "Containers should only use allowed AppArmor profiles"
    spec:
      # Shares the host's network, PID and IPC namespaces
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - name: redis
        # Public registry image, not from a trusted registry
        image: redis:latest
        ports:
        - containerPort: 9001
          hostPort: 9001    # binds a host port
        # No resources.limits: CPU and memory limits are not enforced
        securityContext:
          privileged: true
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: true
          runAsUser: 0      # runs as root
          capabilities:
            add:
              - NET_ADMIN   # capability outside the allowed list
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
          readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host; hostPath mounts are restricted to a known list
          path: /tmp
---
apiVersion: v1
kind: Service
metadata:
  name: redis-unhealthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 6001        # not an allowed service port
    targetPort: 9001
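To see which of the recommendations in the table above each manifest trips before it ever reaches a cluster, here is an added example (not code from this page or from Microsoft) that mirrors the bundle's checks in Python. In the cluster the same rules are evaluated by Azure Policy for Kubernetes through Gatekeeper; this script only reproduces their logic so you can preview the findings and see why the parameterized recommendations stay unhealthy until their parameters are set. The `check_objects` helper, the parameter values (trusted registry pattern, allowed capabilities, host paths, service ports and AppArmor profiles), the `contoso` registry name and the `redis` namespace are assumptions. The two objects are constructed copies of the healthy and unhealthy manifests above, with a non-default namespace and `automountServiceAccountToken: false` added to the healthy one because the namespace and API-credential recommendations require them too. The HTTPS recommendation applies to Ingress objects and isn't covered.

```python
"""Offline pre-flight check of a Deployment and Service against the data plane
hardening recommendations on this page. Added example, not Microsoft's code:
in the cluster Azure Policy for Kubernetes (Gatekeeper) evaluates these rules;
this mirrors them so you can preview findings before deploying."""
from __future__ import annotations

import re

# Assumed values for the recommendations marked "Configuration required";
# in Defender for Cloud you set these on the policy assignment's Parameters tab.
TRUSTED_REGISTRIES = (r"^[a-z0-9-]+\.azurecr\.io/",)  # regex, like the policy parameter
ALLOWED_CAPABILITIES: tuple[str, ...] = ()            # nothing may be added
ALLOWED_HOST_PATHS: tuple[str, ...] = ()              # no hostPath volumes at all
ALLOWED_SERVICE_PORTS = (80, 443)
ALLOWED_APPARMOR_PROFILES = ("runtime/default",)
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def check_objects(deployment: dict, service: dict | None = None) -> list[str]:
    """Return the recommendation names the objects violate, in first-hit order."""
    hits: list[str] = []

    def flag(name: str) -> None:
        if name not in hits:
            hits.append(name)

    template = deployment["spec"]["template"]
    pod = template["spec"]
    annotations = template.get("metadata", {}).get("annotations", {})

    # Pod-level checks; Kubernetes defaults (default namespace, token mounted) are unsafe
    if deployment.get("metadata", {}).get("namespace", "default") == "default":
        flag("Kubernetes clusters should not use the default namespace")
    if pod.get("automountServiceAccountToken", True):
        flag("Kubernetes clusters should disable automounting API credentials")
    if pod.get("hostPID") or pod.get("hostIPC"):
        flag("Containers sharing sensitive host namespaces should be avoided")
    if pod.get("hostNetwork") or any(p.get("hostPort") for c in pod.get("containers", [])
                                     for p in c.get("ports", [])):
        flag("Usage of host networking and ports should be restricted")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol and vol["hostPath"].get("path") not in ALLOWED_HOST_PATHS:
            flag("Usage of pod HostPath volume mounts should be restricted to a known list")

    # Container-level checks; unset securityContext fields count as the unsafe value
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            flag("Container CPU and memory limits should be enforced")
        if not any(re.search(rx, c["image"]) for rx in TRUSTED_REGISTRIES):
            flag("Container images should be deployed only from trusted registries")
        added = set(sc.get("capabilities", {}).get("add", []))
        if "SYS_ADMIN" in added:
            flag("Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities")
        if added - set(ALLOWED_CAPABILITIES):
            flag("Least privileged Linux capabilities should be enforced for containers")
        if annotations.get(APPARMOR_PREFIX + c["name"]) not in ALLOWED_APPARMOR_PROFILES:
            flag("Containers should only use allowed AppArmor profiles")
        if sc.get("privileged"):
            flag("Privileged containers should be avoided")
        if sc.get("allowPrivilegeEscalation", True):
            flag("Container with privilege escalation should be avoided")
        if not sc.get("readOnlyRootFilesystem"):
            flag("Immutable (read-only) root filesystem should be enforced for containers")
        if sc.get("runAsUser") == 0 or not sc.get("runAsNonRoot"):
            flag("Running containers as root user should be avoided")

    if service is not None:
        for p in service["spec"].get("ports", []):
            if p.get("port") not in ALLOWED_SERVICE_PORTS:
                flag("Services should listen on allowed ports only")
    return hits


# Constructed copies of the page's manifests; registry name and namespace are placeholders.
HEALTHY_DEPLOYMENT = {
    "metadata": {"name": "redis-healthy-deployment", "namespace": "redis"},
    "spec": {"template": {
        "metadata": {"annotations": {APPARMOR_PREFIX + "redis": "runtime/default"}},
        "spec": {"automountServiceAccountToken": False, "containers": [{
            "name": "redis", "image": "contoso.azurecr.io/redis:latest",
            "ports": [{"containerPort": 80}],
            "resources": {"limits": {"cpu": "100m", "memory": "250Mi"}},
            "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False,
                                "runAsNonRoot": True, "runAsUser": 1000}}]}}}}
HEALTHY_SERVICE = {"spec": {"ports": [{"port": 80, "targetPort": 80}]}}

UNHEALTHY_DEPLOYMENT = {
    "metadata": {"name": "redis-unhealthy-deployment"},  # no namespace: lands in "default"
    "spec": {"template": {"spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{
            "name": "redis", "image": "redis:latest",
            "ports": [{"containerPort": 9001, "hostPort": 9001}],
            "securityContext": {"privileged": True, "readOnlyRootFilesystem": False,
                                "allowPrivilegeEscalation": True, "runAsUser": 0,
                                "capabilities": {"add": ["NET_ADMIN"]}}}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": "/tmp"}}]}}}}
UNHEALTHY_SERVICE = {"spec": {"ports": [{"port": 6001, "targetPort": 9001}]}}

if __name__ == "__main__":
    for label, dep, svc in (("healthy", HEALTHY_DEPLOYMENT, HEALTHY_SERVICE),
                            ("unhealthy", UNHEALTHY_DEPLOYMENT, UNHEALTHY_SERVICE)):
        print(f"{label}: {check_objects(dep, svc) or 'no findings'}")
```

Running the script reports no findings for the healthy pair and fourteen for the unhealthy pair, one per recommendation the manifest violates (CAP_SYS_ADMIN is not among them, because the manifest adds NET_ADMIN rather than SYS_ADMIN). Tightening or loosening the constants at the top changes the result in the same way that editing the assignment's Parameters tab changes what Defender for Cloud reports, which is why a workload can flip from unhealthy to healthy without any change to its manifest.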

Next steps

In this article, you learned how to configure Kubernetes data plane hardening.

For other related material, see the following pages: