github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/aks-1.0/managedservices.yaml

---
controls:
version: "aks-1.0"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
  - id: 5.1
    text: "Image Registry and Image Scanning"
    checks:
      - id: 5.1.1
        text: "Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third-party provider (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.1.2
        text: "Minimize user access to Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: |
          Azure Container Registry
          If you use Azure Container Registry (ACR) as your container image store, you need to grant
          permissions to the service principal for your AKS cluster to read and pull images. Currently,
          the recommended configuration is to use the az aks create or az aks update command to
          integrate with a registry and assign the appropriate role for the service principal. For
          detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes
          Service.
          To avoid needing an Owner or Azure account administrator role, you can configure a
          service principal manually or use an existing service principal to authenticate ACR from
          AKS. For more information, see ACR authentication with service principals or Authenticate
          from Kubernetes with a pull secret.
        scored: false

      - id: 5.1.3
        text: "Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.1.4
        text: "Minimize Container Registries to only those approved (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.2
    text: "Access and identity options for Azure Kubernetes Service (AKS)"
    checks:
      - id: 5.2.1
        text: "Prefer using dedicated AKS Service Accounts (Manual)"
        type: "manual"
        remediation: |
          Azure Active Directory integration
          The security of AKS clusters can be enhanced with the integration of Azure Active Directory
          (AD). Built on decades of enterprise identity management, Azure AD is a multi-tenant,
          cloud-based directory and identity management service that combines core directory
          services, application access management, and identity protection. With Azure AD, you can
          integrate on-premises identities into AKS clusters to provide a single source for account
          management and security.
          Azure Active Directory integration with AKS clusters
          With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes
          resources within a namespace or across the cluster. To obtain a kubectl configuration
          context, a user can run the az aks get-credentials command. When a user then interacts
          with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD
          credentials. This approach provides a single source for user account management and
          password credentials. The user can only access the resources as defined by the cluster
          administrator.
          Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect
          is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID
          Connect, see the OpenID Connect documentation.
          From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify
          authentication tokens. Webhook token authentication is configured and managed as part of
          the AKS cluster.
        scored: false

  - id: 5.3
    text: "Key Management Service (KMS)"
    checks:
      - id: 5.3.1
        text: "Ensure Kubernetes Secrets are encrypted (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.4
    text: "Cluster Networking"
    checks:
      - id: 5.4.1
        text: "Restrict Access to the Control Plane Endpoint (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.2
        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.3
        text: "Ensure clusters are created with Private Nodes (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.4
        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.5
        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.5
    text: "Authentication and Authorization"
    checks:
      - id: 5.5.1
        text: "Manage Kubernetes RBAC users with Azure AD (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.5.2
        text: "Use Azure RBAC for Kubernetes Authorization (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.6
    text: "Other Cluster Configurations"
    checks:
      - id: 5.6.1
        text: "Restrict untrusted workloads (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.6.2
        text: "Hostile multi-tenant workloads (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false
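Every check in this file is `type: "manual"` with `scored: false`, so kube-bench itself verifies none of them; it only lists them. Several of them can nevertheless be decided from the cluster resource, which is what an auditor would actually do by hand. The script below is an added example, not part of kube-bench, that evaluates 5.1.3, 5.3.1, 5.4.1, 5.4.2, 5.4.4, 5.5.1 and 5.5.2 from the JSON that `az aks show -g <rg> -n <name> -o json` and `az role assignment list --assignee <kubelet objectId> --all -o json` emit. The sample JSON is constructed, trimmed to the fields read, and deliberately mixed so both outcomes appear; the field names (`aadProfile.managed`, `aadProfile.enableAzureRbac`, `apiServerAccessProfile.enablePrivateCluster`, `apiServerAccessProfile.authorizedIpRanges`, `networkProfile.networkPolicy`, `securityProfile.azureKeyVaultKms.enabled`, `identityProfile.kubeletidentity.objectId`) follow the ManagedCluster schema as I know it and are assumptions to confirm against your CLI version. The read-only ACR check treats `AcrPull` as the only acceptable role and, unlike a naive scope match, also counts roles inherited from the resource group or subscription, which is how a Contributor grant on the resource group silently turns a "pull only" identity into one that can push images.

```python
"""Audit a subset of the manual kube-bench aks-1.0 section 5 checks from az CLI JSON.

Added example, not part of kube-bench. The ManagedCluster field names used below are
assumptions taken from `az aks show` output as the author recalls it; verify them.
"""
import json

# Constructed sample of `az aks show` output, trimmed to the fields read below.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "demo-aks",
  "aadProfile": {"managed": true, "enableAzureRbac": false,
                 "adminGroupObjectIDs": ["00000000-0000-0000-0000-000000000001"]},
  "apiServerAccessProfile": {"enablePrivateCluster": false,
                             "authorizedIpRanges": ["203.0.113.0/24"]},
  "networkProfile": {"networkPlugin": "azure", "networkPolicy": null},
  "securityProfile": {"azureKeyVaultKms": {"enabled": true,
                                           "keyId": "https://kv.vault.azure.net/keys/aks/1"}},
  "identityProfile": {"kubeletidentity": {"objectId": "11111111-1111-1111-1111-111111111111"}}
}
""")

# Constructed resource ID of the registry the cluster pulls from (hypothetical names).
ACR_ID = ("/subscriptions/s/resourceGroups/rg/providers/"
          "Microsoft.ContainerRegistry/registries/demoacr")

# Constructed sample of `az role assignment list --assignee <kubelet objectId> --all`.
# The Contributor grant sits on the resource group, so the registry inherits it.
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "AcrPull", "scope": ACR_ID},
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/s/resourceGroups/rg"},
]

ACR_READ_ONLY_ROLES = {"AcrPull"}  # AcrPush, Contributor, Owner all allow writes
NETWORK_POLICY_ENGINES = {"azure", "calico", "cilium"}


def _get(obj, *path):
    """Walk nested dicts, returning None instead of raising on a missing key."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def acr_roles(role_assignments, registry_ids):
    """Role names the principal holds on the given registries, assigned either on the
    registry itself or on a parent scope (resource group, subscription) that contains it."""
    roles = set()
    for ra in role_assignments:
        scope = ra["scope"].rstrip("/").lower()
        for rid in registry_ids:
            rid = rid.lower()
            if rid == scope or rid.startswith(scope + "/"):
                roles.add(ra["roleDefinitionName"])
    return roles


def audit_cluster(cluster, role_assignments, registry_ids):
    """Map check id -> (passed, evidence) for the checks derivable from the JSON."""
    results = {}
    acr = acr_roles(role_assignments, registry_ids)
    # 5.1.3: the cluster's pull identity must hold nothing beyond pull rights.
    results["5.1.3"] = (bool(acr) and acr <= ACR_READ_ONLY_ROLES,
                        f"kubelet identity ACR roles: {sorted(acr)}")
    kms = bool(_get(cluster, "securityProfile", "azureKeyVaultKms", "enabled"))
    results["5.3.1"] = (kms, f"securityProfile.azureKeyVaultKms.enabled={kms}")
    private = bool(_get(cluster, "apiServerAccessProfile", "enablePrivateCluster"))
    ranges = _get(cluster, "apiServerAccessProfile", "authorizedIpRanges") or []
    # 5.4.1 accepts either a private API server or an authorized IP range list;
    # 5.4.2 demands the private endpoint specifically.
    results["5.4.1"] = (private or bool(ranges), f"private={private} authorizedIpRanges={ranges}")
    results["5.4.2"] = (private, f"apiServerAccessProfile.enablePrivateCluster={private}")
    policy = _get(cluster, "networkProfile", "networkPolicy")
    results["5.4.4"] = (policy in NETWORK_POLICY_ENGINES, f"networkProfile.networkPolicy={policy!r}")
    managed_aad = bool(_get(cluster, "aadProfile", "managed"))
    results["5.5.1"] = (managed_aad, f"aadProfile.managed={managed_aad}")
    azure_rbac = bool(_get(cluster, "aadProfile", "enableAzureRbac"))
    results["5.5.2"] = (azure_rbac, f"aadProfile.enableAzureRbac={azure_rbac}")
    return results


def failed_checks(results):
    """Sorted ids of the checks that did not pass."""
    return sorted(cid for cid, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    res = audit_cluster(SAMPLE_CLUSTER, SAMPLE_ROLE_ASSIGNMENTS, [ACR_ID])
    for cid, (ok, evidence) in sorted(res.items()):
        print(f"{cid}: {'PASS' if ok else 'FAIL'}  {evidence}")
```

On the constructed sample the script fails 5.1.3 (Contributor inherited from the resource group), 5.4.2 (no private cluster), 5.4.4 (no network policy engine) and 5.5.2 (Azure RBAC off), and passes the rest. To run it against a real cluster, replace the two samples with the output of the `az` commands named in the lead-in and pass the real registry resource IDs; the checks that depend on things outside the cluster resource (image scanning, approved registries, TLS on load balancers, workload isolation) stay manual.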