The Microsoft Azure Kubernetes Service (AKS) offers simplified Kubernetes deployment in Microsoft Azure. It is important to understand how it works and what it will or will not do from a security perspective when deploying containers using AKS.
What is AKS
Kubernetes allows app developers to easily group containers of applications into logical units, making them simpler to manage. The open-source system empowers developers to automate containerized applications' deployment, scaling, and management. Its flexible nature lets you create a Kubernetes cluster of master and worker nodes when creating a multi-container application.
Use AKS to enjoy the portability of containerized apps and their two biggest advantages:
- Deployment across hosts without added coding
- There is no need to add an operating system to the cluster
What is AKS Security
AKS security features help keep your containerized apps safer, and its many features don't bog down your runtime environment. The main AKS security components provided include:
- Active Directory
- Azure Policy
- Microsoft Defender for Containers
- Azure Key Vault
- Network security groups
- Orchestrated cluster upgrades
Combined, these AKS security options offer end-to-end security and access knowledge. You'll have a complete authentication and authorization log to reference, plus Azure Policy built-in.
Read on to learn how AKS key vault integration and AKS key vault managed identity help you organize and streamline access. The key vault provider creates a certificate, key, and secret data all at once.
AKS Security Best Practices
Three critical areas of AKS Security deserve added attention — securing access to resources, limiting credential exposure, and using pod identities and digital key vaults. Consider the existing best practices for enhancing your clusters' AKS security and achieving these three points.
Protect AKS resources in virtual networks by using AKS network policies to limit network traffic. Set traffic rules for ingress and egress using namespaces and label selectors as the basis. Although AKS creates route tables and network security groups by default when you create a cluster, you need the Azure Container Networking Interface (CNI) plugin to use network policies. You have to enable CNI manually when you create a cluster.
Configure the AKS central security log management to create your audit logs. Enable audit logs for kube-audit, kube-controller-manager, and kube-apiserver. Set it to export your logs to Azure Monitor Log Analytics or a similar storage platform for historical log analysis. For long-term storage, use archival storage from Azure Storage.
Use Azure's vulnerability scanner to check your containers for known software vulnerabilities. If the Azure scanner doesn't cover the software language used, you can use another compatible scanner. Include a scan of your custom images and third-party container images deployed. Set up the scanner to conduct regular automated scans and to update the Common Vulnerabilities and Exposures (CVEs) database. At the outset, establish a business practice/policy for handling a CVE.
Establish secure configurations across your Azure resources by conducting a regularly scheduled review of the AKS configuration templates. Use the Azure Resource Manager (ARM) to export them in JSON format for easier review. Set up custom policies and rules specific to your company's security requirements.
Most importantly, address the following:
- Use the definitions in the Azure Policy aliases in the “Microsoft.ContainerService” namespace as your foundation.
- Set rules and enforce HTTPS ingress in Kubernetes clusters, applying Role-Based Access Control (RBAC).
- Check the Azure Security Center for recommendations and address each one.
AKS Networking Best Practices
Because you'll deploy on various environments, AKS also offers best practices assistance for networking. For example, in regards to network connectivity, the service's best practices assistance includes:
- Different network models
- Using ingress and web application firewalls (WAF)
- Securing node SSH access
Protect your web applications using the Web Application Firewall (WAF) found in the Azure Application Gateway. Use its core set of rules to protect against common web app attacks, including cookie poisoning and cross-site scripting (XSS). Add to these rules with your own custom protections. Leverage Azure API Management to authenticate and authorize APIs. Its API monitoring simplifies API security. Your containerized applications run seamlessly inside a secure environment, and AKS monitoring best practices help you keep them secure.
AKS Security Baseline
The AKS baseline architecture helps you run your privileged containers with AKS best practices inherent. It provides tools for tracking their security posture, even as you address security concerns. Concerning network security, AKS creates a network security group and route table automatically for each cluster. Using load balancers, it automatically adjusts network traffic to ensure seamless access to your web applications.
Enable Network Watcher to monitor and record network packets. If you set up or update a virtual network within your subscription, Microsoft AKS automatically enables Network Watcher. Otherwise, you’ll need to enable it manually.
AKS also lets you use service tags instead of IP addresses when setting network security rules. Microsoft manages the service tag's address prefixes, automatically updating the service tag as addresses change.
AKS Security Logs
AKS security logs and AKS audit logs offer an important feature that helps you gain new insights into your K8s deployments. Even though you're already running a containerized application that streamlines deployment, you can always make an app run better and enhance access controls.
That's where AKS insights come in and help your IT staff. AKS provides you with genuinely helpful Kubernetes audit admin logs. You save time by reading Kubernetes audit logs that easily assimilate important information in one place with a chronological list of calls made to your Kubernetes API server. Quickly spot suspicious API requests and create monitoring alerts for suspicious API calls. These security logs make it easier to spot misuse and deny excessive permissions.
AKS NSG Requirements
What if you could reduce the human workload needed to effectively deploy applications? What if you had instantaneous help with Microsoft Azure and virtual machines? What if your application running in the Microsoft Azure environment could configure its own security rules? The AKS network security group (AKS NSG) handles the AKS NSG requirements for you, so your staff can focus on writing new programs or improving the incumbent program.
Because it uses built-in AKS networking best practices, AKS can help you to take some of the burdens off of your human staff. The AKS network security group (NSG) filters traffic for virtual machines (VMs) like the AKS nodes. This means that as you create Services, the Azure platform automatically configures any necessary network security group rules. Your app configures itself to remain secure — one of the greatest gifts of AKS Networking and AKS network policy.
This self-regulation solves big problems for you. Typically, AKS clusters use Kubenet. Each gets its own virtual network and subnet. With AKS Kubenet, each node gets an IP address from a virtual network subnet. When using Azure Container Networking Interface (CNI), the default is that each pod gets an IP address from the subnet with direct access. AKS handles the NSG requirements for you and sets up appropriate security.
AKS Secrets Key Vault
The AKS Key Vault service certificate features use its key and secret capabilities. When you create a key vault certificate, the service automatically creates an addressable key and secret using the same name. The key allows key operations, and the secret allows the retrieval of the certificate value as a secret.
Microsoft designed AKS key vault environment variables to function seamlessly alone. The platform makes using Azure key vault deployment easier across the Internet, even in the most complex AKS cluster.
KSOC provides real-time security for your AKS clusters
AKS is a tool for abstracting away pieces of Kubernetes management to make application deployment easier, and does not provide sufficient security features for your Kubernetes clusters. KSOC is installed via a simple plugin to the API event stream and policy results can be managed in-cluster, making security simple for the platform engineering team.