module/ConfigurationProvider/ControlConfigurations/Services/KubernetesService.json

{
  "FeatureName": "KubernetesService",
  "Reference": "aka.ms/azsktcp/KubernetesService",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_KubernetesService_Deploy_Enable_Cluster_RBAC",
      "Description": "Cluster RBAC must be enabled in Kubernetes Service",
      "Id": "KubernetesService110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckClusterRBAC",
      "DisplayName": "Cluster RBAC must be enabled in Kubernetes Service",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Category": "Least privilege access to subscription and resources",
      "Rationale": "Enabling RBAC in a cluster lets you finely control access to various operations at the cluster/node/pod/namespace scopes for different stakeholders. Without RBAC enabled, every user has full access to the cluster which is a violation of the principle of least privilege. Note that Azure Kubernetes Service does not currently support other mechanisms to define authorization in Kubernetes (such as Attribute-based Access Control authorization or Node authorization).",
      "Recommendation": "RBAC flag must be enabled while creating the Kubernetes Service. Existing non-RBAC enabled Kubernetes Service clusters cannot currently be updated for RBAC use. Refer: https://docs.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-role-based-access-control-rbac.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Deploy",
        "RBAC",
        "KubernetesService",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": false,
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "IsRBACEnabled"
        ]
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave8",
        "SN:Kubernetes_RBAC"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_Deploy_Enable_Cluster_RBAC_Trial",
      "Description": "[Trial] Cluster RBAC must be enabled in Kubernetes Service",
      "Id": "KubernetesService115",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[Trial] Cluster RBAC must be enabled in Kubernetes Service",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Category": "Least privilege access to subscription and resources",
      "Rationale": "Enabling RBAC in a cluster lets you finely control access to various operations at the cluster/node/pod/namespace scopes for different stakeholders. Without RBAC enabled, every user has full access to the cluster which is a violation of the principle of least privilege. Note that Azure Kubernetes Service does not currently support other mechanisms to define authorization in Kubernetes (such as Attribute-based Access Control authorization or Node authorization).",
      "Recommendation": "RBAC flag must be enabled while creating the Kubernetes Service. Existing non-RBAC enabled Kubernetes Service clusters cannot currently be updated for RBAC use. Refer: https://docs.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-role-based-access-control-rbac.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Deploy",
        "RBAC",
        "KubernetesService",
        "Baseline"
      ],
      "Enabled": true,
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "b0fdc63a-38e7-4bab-a7c4-2c2665abbaa9"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "CustomTags": [
        "Daily",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Enabled_AAD",
      "Description": "AAD should be enabled in Kubernetes Service",
      "Id": "KubernetesService120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAADEnabled",
      "DisplayName": "AAD should be enabled in Kubernetes Service",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Category": "Authentication must be enabled on all user accounts and services",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "Using Azure Portal: Go to Azure Portal --> Kubernetes Services --> Select Kubernetes Cluster --> Settings --> Cluster configuration --> AKS-managed Azure Active Directory --> Enabled. Refer https://docs.microsoft.com/en-us/azure/aks/managed-aad to configure AKS-managed AAD in Kubernetes clusters.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "AuthN",
        "KubernetesService",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave8",
        "SN:Kubernetes_AADAuth"
      ]
    },
    {
      "ControlID": "Azure_KubernetesService_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "KubernetesService130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Kubernetes Service. Run command: Remove-AzRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC",
        "KubernetesService"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Dont_Grant_ClusterAdmin_Permission_Developer",
      "Description": "Do not directly or indirectly grant cluster admin level access to developers",
      "Id": "KubernetesService140",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Cluster admins have full privileges to perform critical operations on the Kubernetes cluster. Granting only the minimum required access ensures that developers are granted just enough permissions to perform their tasks.",
      "Recommendation": "Developers should be assigned the 'Azure Kubernetes Service Cluster User Role' on the Kubernetes Service. If you modify an existing role or create a custom role, be careful about which operations are granted to a developer. For example, if a developer can run the 'List clusterAdmin credential' operation, they can retrieve the cluster admin credential and elevate their access to cluster admin level.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN",
        "KubernetesService"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_Deploy_Use_Latest_Version",
      "Description": "The latest version of Kubernetes should be used",
      "Id": "KubernetesService150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckKubernetesVersion",
      "AssessmentName": "22e18b64-4576-41e6-8972-0eb28c9af0c8",
      "ControlScanSource": "MDCorReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "22e18b64-4576-41e6-8972-0eb28c9af0c8"
        ]
      },
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
      "DisplayName": "[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Category": "Vulnerabilities must be remediated",
      "Rationale": "Running an older Kubernetes version means the cluster may be missing security fixes shipped in later releases and may be running a version that is no longer supported. Known vulnerabilities in the control plane or node components of such versions can be exploited to compromise the cluster and the applications running on it.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/aks/upgrade-cluster.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Deploy",
        "KubernetesService",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlSettings": {
        "kubernetesVersion": "1.14.8,1.15.10,1.16.7"
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Review_Image_Sources",
      "Description": "Make sure container images (including nested images) deployed in Kubernetes are from a trustworthy source",
      "Id": "KubernetesService160",
      "ControlSeverity": "High",
      "Enabled": false,
      "Automated": "No",
      "MethodName": "",
      "Rationale": "If a Kubernetes Service runs an untrusted container image (or an untrusted nested image), it can violate integrity of the infrastructure and lead to all types of security attacks.",
      "Recommendation": "Ensure that the source(s) for the container images comprising the Kubernetes Service are trustworthy. Review the repository locations specified in the YAML files for your environment and confirm that those locations will not have tampered/insecure images.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "KubernetesService"
      ],
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Dont_Use_Default_Namespace",
      "Description": "Do not use the default cluster namespace to deploy applications",
      "Id": "KubernetesService170",
      "ControlSeverity": "Medium",
      "Enabled": false,
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Resources/Applications in same namespace will have same access control (RBAC) policies. Users are granted permission on default namespace if no other namespace is provided in rolebindings. As a result, the permissions in the default namespace might not be appropriate if your application/workload is sensitive. It is hence better to create a separate namespace.",
      "Recommendation": "Ensure that applications in Kubernetes are not deployed in the default namespace; create a dedicated namespace per application/workload and scope role bindings to it.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI",
        "KubernetesService"
      ],
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Store_Secrets_in_Key_Vault",
      "Description": "All Kubernetes Service secrets should be stored in Key Vault",
      "Id": "KubernetesService180",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Keeping secrets such as DB connection strings, passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Refer: https://github.com/Azure/kubernetes-keyvault-flexvol for configuring Key Vault and storing secrets.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "DP",
        "KubernetesService"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Cluster_Node_Missing_OS_Patches",
      "Description": "All the Kubernetes cluster nodes must have all the required OS patches installed",
      "Id": "KubernetesService190",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Unpatched cluster nodes (VMs) are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "Recommendation": "Refer: https://github.com/weaveworks/kured for patch installation and node reboot management without impacting Kubernetes workloads.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI",
        "KubernetesService"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_AuthN_Use_POD_Identity",
      "Description": "Pod Identity must be used for accessing other AAD-protected resources from the Kubernetes Service.",
      "Id": "KubernetesService200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Pod Identity allows your Kubernetes Service to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and eliminates the need to provision/manage/rotate any secrets thus reducing the overall risk.",
      "Recommendation": "Refer: https://github.com/Azure/aad-pod-identity to configure Pod Identity in your Kubernetes Cluster.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN",
        "KubernetesService"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_SI_Review_Kube_Advisor_Issues",
      "Description": "Issues/recommendations provided by kube advisor should be reviewed periodically",
      "Id": "KubernetesService210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "The kube-advisor tool scans the Kubernetes cluster and reports issues related to CPU and memory resource requests and limits. If resource limits are not applied, a pod can by default consume all available CPU and memory on a node, which impacts the availability of other pods/applications sharing that node.",
      "Recommendation": "Refer: https://github.com/Azure/kube-advisor to scan Kubernetes cluster using Kube Advisor.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "SI",
        "KubernetesService"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Enable_Monitoring",
      "Description": "Monitoring must be enabled for Azure Kubernetes Service",
      "Id": "KubernetesService220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMonitoringConfiguration",
      "DisplayName": "Monitoring must be enabled for Azure Kubernetes Service",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Auditing enables log collection of important system events pertinent to security. Regular monitoring of audit logs can help to detect any suspicious and malicious activity early and respond in a timely manner.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "KubernetesService",
        "Baseline",
        "Weekly",
        "ExcludedControl"
      ],
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_NetSec_Dont_Open_Management_Ports",
      "Description": "Do not leave management ports open on Kubernetes nodes unless required",
      "Id": "KubernetesService230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRestrictedPorts",
      "DisplayName": "Do not leave management ports open on Kubernetes nodes",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Management interfaces and ports must not be open",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22, SMB-445) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "NetSec",
        "KubernetesService",
        "Baseline",
        "Weekly",
        "ExcludedControl"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "AKSResourceGroup"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "RestrictedPorts": "445,3389,5985,22"
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Encrypt_Data_In_Transit",
      "Description": "Data transit inside/across Kubernetes must use encrypted channel",
      "Id": "KubernetesService240",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Use of HTTPS/TLS ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping and session-hijacking attacks.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/aks/ingress-tls.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "KubernetesService"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled for Kubernetes service",
      "Id": "KubernetesService250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Diagnostics logs must be enabled for Kubernetes service",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "KubernetesService",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSetting"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "365",
        "DiagnosticLogs": [
          "kube-apiserver",
          "kube-audit",
          "kube-audit-admin",
          "Guard"
        ]
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KubernetesService_DP_Disable_HTTP_Application_Routing",
      "Description": "HTTP application routing should be disabled in Kubernetes Service",
      "Id": "KubernetesService260",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckHTTPAppRouting",
      "DisplayName": "HTTP application routing should be disabled in Kubernetes Service",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Enabling HTTP application routing creates publicly accessible DNS names for application endpoints, which exposes applications deployed to your cluster directly to the internet and makes them vulnerable to various network attacks.",
      "Recommendation": "Go to Azure Portal --> your Kubernetes Service --> Settings --> Networking --> Network options --> 'Enable HTTP application routing' option --> Uncheck checkbox.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "KubernetesService",
        "NetSec",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": []
    }
  ]
}