
Azure Kubernetes Service (AKS) guardrails initiative

This article describes the Policy guardrails in place to ensure Azure Kubernetes Service is deployed securely.

AKS GitHub Repository

GitHub Repository

AKS Policies Built in

| Name | Description | Version | Type | Effect | Policy definition |
| --- | --- | --- | --- | --- | --- |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes classic deployment model by granting API access only to IP addresses in specific ranges. It's recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | 2.0.1 | Built in | Audit | Link |
| Azure Kubernetes Clusters should enable Key Management Service (KMS) | Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. | 1.0.0 | Built in | Audit | Link |
| Azure Kubernetes Service Clusters should disable Command Invoke | Disabling command invoke can enhance security by avoiding bypass of restricted network access or Kubernetes role-based access control. | 1.0.1 | Built in | Audit | Link |
| Azure Kubernetes Service Private Clusters should be enabled | Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. | 1.0.1 | Built in | Audit, Deny | Link |
| Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | 1.0.1 | Built in | Audit, Deny | Link |
| Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service clusters and configure relevant authorization policies. | 1.0.3 | Built in | Audit | Link |
| Azure Kubernetes Service Clusters should use managed identities | Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to manage service principals. Learn more at: https://aka.ms/aks-update-managed-identities | 1.0.1 | Built in | Audit | Link |
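To show what one row of this table looks like as an actual Azure Policy definition, here is an added example modelled on the "Private Clusters should be enabled" guardrail. It is not the page's or Microsoft's own definition: the property alias `Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster` and the display name are assumptions, noted in the definition's `description` field. The `effect` parameter is what the Effect column refers to: `Audit` only records the cluster as non-compliant, while `Deny` makes Resource Manager reject the deployment.

```json
{
  "properties": {
    "displayName": "Azure Kubernetes Service Private Clusters should be enabled (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Audits or denies AKS clusters whose API server is not private. Added example modelled on the built-in guardrail; the alias used in the policy rule is an assumption and was not copied from the page.",
    "metadata": {
      "category": "Kubernetes",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliance only; Deny blocks the deployment; Disabled switches the guardrail off."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
            "notEquals": true
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The other rows follow the same shape: a `type` match on `Microsoft.ContainerService/managedClusters`, one or more field conditions on the cluster property the guardrail cares about, and an `effect` parameter whose `allowedValues` list is the Effect column. A definition like this is registered with `az policy definition create` (passing the `policyRule` and `parameters` objects as `--rules` and `--params`) and only takes effect once it is assigned to a scope; start an assignment in `Audit` to measure existing drift before switching it to `Deny`.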

AKS Policies Custom

| Name | Description | Version | Type | Effect | Policy definition |
| --- | --- | --- | --- | --- | --- |
| Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in /azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | 2.0.1 | Custom | Audit | N/A |