Ensure that Azure CNI Networking is enabled
Azure CNI networking for production allows for separation of control and management of resources. From a security perspective, you often want different teams to manage and secure those resources. With Azure CNI networking, you connect to existing Azure resources, on-premises resources, or other services directly via IP addresses assigned to each pod.
Risk Level: Low
Cloud Entity: Azure AKS
CloudGuard Rule ID: D9.AZU.AKS.06
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
AksCluster should have properties.networkProfile.networkPlugin='azure'
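The GSL rule above, implemented as an added Python checker that is not part of CloudGuard; it evaluates constructed AKS cluster records in the ARM resource shape that the rule path 'properties.networkProfile.networkPlugin' refers to, and treats a missing network profile as a failure because Azure CNI cannot be confirmed in that case:

```python
import json
from typing import Dict, List, Optional

# Constructed sample AKS cluster resources (not real clusters) in the ARM
# representation the rule path `properties.networkProfile.networkPlugin` uses.
SAMPLE_CLUSTERS: List[dict] = json.loads("""
[
  {"name": "prod-aks",
   "properties": {"networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"}}},
  {"name": "dev-aks",
   "properties": {"networkProfile": {"networkPlugin": "kubenet"}}},
  {"name": "legacy-aks",
   "properties": {}}
]
""")


def network_plugin(cluster: dict) -> Optional[str]:
    """Return properties.networkProfile.networkPlugin, or None if any part of the path is absent."""
    profile = cluster.get("properties", {}).get("networkProfile") or {}
    return profile.get("networkPlugin")


def uses_azure_cni(cluster: dict) -> bool:
    """Rule D9.AZU.AKS.06: pass only when networkPlugin is exactly 'azure'.

    A missing networkProfile or networkPlugin fails closed: the rule cannot
    confirm Azure CNI, so the cluster is reported as non-compliant.
    """
    return network_plugin(cluster) == "azure"


def evaluate(clusters: List[dict]) -> Dict[str, bool]:
    """Map each cluster name to its pass (True) / fail (False) result."""
    return {c["name"]: uses_azure_cni(c) for c in clusters}


if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE_CLUSTERS).items():
        print(f"{name}: {'PASS' if ok else 'FAIL (Azure CNI not enabled)'}")
```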
REMEDIATION
From Portal
- Log in to your Azure portal.
- Navigate to 'Kubernetes services'.
- Create Kubernetes cluster.
- Fill the required details and under the 'Networking' tab select 'Azure CNI' in 'Network configuration'.
- Click on 'Review + Create'.
From TF
Set the 'network_profile' block under 'azurerm_kubernetes_cluster' as below (note that 'network_profile' is a nested block, not an argument, so it takes no '='):
resource "azurerm_kubernetes_cluster" "example" {
  ...
  # network_profile is a nested block: no "=" between the name and the brace
  network_profile {
    ...
    network_plugin = "azure"
    network_policy = "azure"
    ...
  }
  ...
}
From Command Line
Run
az aks create --resource-group RESOURCEGROUP --name CLUSTERNAME --network-plugin azure
References
- https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#configure-networking
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#network_plugin
Azure AKS
AKS is an open-source, fully managed container orchestration service, available on the Microsoft Azure public cloud since June 2018, that can be used to deploy, scale and manage Docker containers and container-based applications in a cluster environment.
Compliance Frameworks
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- CloudGuard Azure All Rules Ruleset