Framework/Configurations/SVT/Services/KubernetesService.json

{
  "FeatureName": "KubernetesService",
  "Reference": "aka.ms/azsktcp/KubernetesService",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_KubernetesService_Deploy_Enable_Cluster_RBAC",
      "Description": "Cluster RBAC must be enabled in Kubernetes Service",
      "Id": "KubernetesService110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckClusterRBAC",
      "Rationale": "Enabling RBAC in a cluster lets you finely control access to various operations at the cluster/node/pod/namespace scopes for different stakeholders. Without RBAC enabled, every user has full access to the cluster which is a violation of the principle of least privilege. Note that Azure Kubernetes Service does not currently support other mechanisms to define authorization in Kubernetes (such as Attribute-based Access Control authorization or Node authorization).",
      "Recommendation": "RBAC flag must be enabled while creating the Kubernetes Service. Existing non-RBAC enabled Kubernetes Service clusters cannot currently be updated for RBAC use. Refer: https://docs.microsoft.com/en-us/azure/aks/aad-integration.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Deploy",
        "RBAC",
        "KubernetesService"
      ],
      "Enabled": true,
      "PolicyDefinitionGuid": "ac4a19c2-fa67-49b4-8ae5-0b2e78c49457"
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Enabled_AAD",
      "Description": "AAD should be enabled in Kubernetes Service",
      "Id": "KubernetesService120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAADEnabled",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/aks/aad-integration to configure AAD in Kubernetes Service.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthN",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "KubernetesService130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Kubernetes Service. Run command: Remove-AzRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Dont_Grant_ClusterAdmin_Permission_Developer",
      "Description": "Do not directly or indirectly grant cluster admin level access to developers",
      "Id": "KubernetesService140",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Cluster admin have full privileges to perform critical operations on Kubernetes cluster. Granting minimum required access ensures that developer are granted just enough permissions to perform their tasks.",
      "Recommendation": "Developer should be assigned 'Azure Kubernetes Service Cluster User Role' to Kubernetes Service. If you modify an existing role or create a custom role, be careful about operations that are granted to a developer. For example, if a developer can run the 'List clusterAdmin credential' operation, they can elevate access to cluster admin level.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_Deploy_Use_Latest_Version",
      "Description": "The latest version of Kubernetes should be used",
      "Id": "KubernetesService150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckKubernetesVersion",
      "Rationale": "Running on older versions could mean you are not using latest security classes. Usage of such old classes and types can make your application vulnerable.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/aks/upgrade-cluster.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Deploy",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Review_Image_Sources",
      "Description": "Make sure container images (including nested images) deployed in Kubernetes are from a trustworthy source",
      "Id": "KubernetesService160",
      "ControlSeverity": "High",
      "Enabled": true,
      "Automated": "No",
      "MethodName": "",
      "Rationale": "If a Kubernetes Service runs an untrusted container image (or an untrusted nested image), it can violate integrity of the infrastructure and lead to all types of security attacks.",
      "Recommendation": "Ensure that the source(s) for the container images comprising the Kubernetes Service are trustworthy. Review the repository locations specified in the YAML files for your environment and confirm that those locations will not have tampered/insecure images.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "KubernetesService"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Dont_Use_Default_Namespace",
      "Description": "Do not use the default cluster namespace to deploy applications",
      "Id": "KubernetesService170",
      "ControlSeverity": "Medium",
      "Enabled": true,
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Resources/Applications in same namespace will have same access control (RBAC) policies. Users are granted permission on default namespace if no other namespace is provided in rolebindings. As a result, the permissions in the default namespace might not be appropriate if your application/workload is sensitive. It is hence better to create a separate namespace.",
      "Recommendation": "Ensure that the applications in Kubernetes are not deployed in default namespace.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI",
        "KubernetesService"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Store_Secrets_in_Key_Vault",
      "Description": "All Kubernetes Service secrets should be stored in Key Vault",
      "Id": "KubernetesService180",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Keeping secrets such as DB connection strings, passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Refer: https://github.com/Azure/kubernetes-keyvault-flexvol for configuring Key Vault and storing secrets.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "DP",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Cluster_Node_Missing_OS_Patches",
      "Description": "All the Kubernetes cluster nodes must have all the required OS patches installed",
      "Id": "KubernetesService190",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Unpatched cluster nodes (VMs) are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "Recommendation": "Refer: https://github.com/weaveworks/kured for install patch and reboot management without impacting Kubernetes workloads.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Use_POD_Identity",
      "Description": "Pod Identity must be used for accessing other AAD-protected resources from the Kubernetes Service.",
      "Id": "KubernetesService200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Pod Identity allows your Kubernetes Service to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and eliminates the need to provision/manage/rotate any secrets thus reducing the overall risk.",
      "Recommendation": "Refer: https://github.com/Azure/aad-pod-identity to configure Pod Identity in your Kubernetes Cluster.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Review_Kube_Advisor_Issues",
      "Description": "Issues/recommendations provided by kube advisor should be reviewed periodically",
      "Id": "KubernetesService210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "The kube-advisor tool scans Kubernets cluster and reports on issues related to CPU and memory resource consumption limits. If resource quotas are not applied then by default pod consumes all the CPU and memory available, which impacts availability of another POD/application.",
      "Recommendation": "Refer: https://github.com/Azure/kube-advisor to scan Kubernetes cluster using Kube Advisor.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "SI",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Enable_Monitoring",
      "Description": "Monitoring must be enabled for Azure Kubernetes Service",
      "Id": "KubernetesService220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMonitoringConfiguration",
      "Rationale": "Auditing enables log collection of important system events pertinent to security. Regular monitoring of audit logs can help to detect any suspicious and malicious activity early and respond in a timely manner.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_NetSec_Dont_Open_Management_Ports",
      "Description": "Do not leave management ports open on Kubernetes nodes unless required",
      "Id": "KubernetesService230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNodeOpenPorts",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "NetSec",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Encrypt_Data_In_Transit",
      "Description": "Data transit inside/across Kubernetes must use encrypted channel",
      "Id": "KubernetesService240",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/aks/ingress-tls.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "KubernetesService250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "KubernetesService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Disable_HTTP_Application_Routing",
      "Description": "HTTP application routing should be disabled in Kubernetes Service",
      "Id": "KubernetesService260",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckHTTPAppRouting",
      "Rationale": "Enabling HTTP application routing creates publicly accessible DNS names for application endpoints which makes applications deployed to your cluster vulnerable to various network attacks.",
      "Recommendation": "Go to Azure Portal --> your Kubernetes Service --> Settings --> Networking --> Network options --> HTTP application routing --> Click Disabled.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "KubernetesService",
        "NetSec"
      ],
      "Enabled": true
    }
  ]
}