CIS Azure Kubernetes Service (AKS) Benchmark
Overview
The Center for Internet Security (CIS) publishes a set of best practices and security recommendations for securing Azure Kubernetes Service (AKS) clusters, known as the CIS Azure Kubernetes Service (AKS) Benchmark. As organizations increasingly adopt container orchestration platforms such as AKS, it becomes essential to configure these environments securely to mitigate security risk and protect sensitive data.
Purpose
The purpose of the CIS AKS Benchmark is to provide a thorough, precise set of security guidelines and procedures designed specifically for AKS clusters. These guidelines help DevOps engineers, security teams, and AKS administrators with:
Mitigating Security Risks: The benchmark helps organizations proactively identify and remediate security flaws and misconfigurations that could be exploited by attackers. Following these practices substantially lowers the risk of security breaches and data leaks.
Compliance: Many companies and regulatory bodies require specific security controls. The CIS AKS Benchmark helps organizations align their AKS environment with industry and regulatory compliance requirements.
Standardization: The benchmark promotes uniform security configuration across the AKS environment by providing an internationally recognized set of best practices.
Importance
Securing AKS clusters is of paramount importance for the following reasons:
Data Protection: AKS clusters often host critical workloads and applications that handle sensitive data. Inadequate security measures can lead to data breaches and data loss.
Operational Continuity: Security incidents can disrupt operations and lead to downtime. A secure AKS environment is crucial for maintaining business continuity.
Reputation and Trust: Security incidents can damage an organization's reputation and erode the trust of customers and partners. A proactive security approach is vital for maintaining trust and integrity.
Legal and Regulatory Compliance: Many industries and jurisdictions have stringent data protection and security regulations. Non-compliance can result in legal penalties and liabilities.
By implementing the recommendations outlined in the CIS AKS Benchmark, organizations can significantly bolster the security of their AKS clusters, protect their assets, and mitigate potential threats effectively.
How BOS targets CIS AKS Benchmarks v1.4.0
Benchmark Index | CIS Benchmark Recommendation | BOS Env Template Supports | BOS Pipeline Template Supports | BOS Default | Comments |
---|---|---|---|---|---|
2.1 | Logging | ||||
2.1.1 | Enable audit Logs (Manual) | Yes | NA | Yes | The BOS Environment Template supports enabling AKS audit logs (the kube-audit diagnostic log category) for the cluster. |
3.1 | Worker Node Configuration Files | ||||
3.1.1 | Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual) | NA | NA | NA | The CIS Kubernetes benchmark requires restrictive permissions on this file. AKS worker nodes are managed by Azure and the BOS template does not configure node-level files; the file can be verified from a node debug session with `stat -c '%a %U:%G' <file>`. |
3.1.2 | Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual) | NA | NA | NA | The CIS Kubernetes benchmark requires root:root ownership of this file. AKS worker nodes are managed by Azure and the BOS template does not configure node-level files; the file can be verified from a node debug session with `stat -c '%a %U:%G' <file>`. |
3.1.3 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: AKS nodes are managed by Azure and this control is enabled by default on the node image. |
3.1.4 | Ensure that the kubelet configuration file ownership is set to root:root (Manual) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: AKS nodes are managed by Azure and this control is enabled by default on the node image. |
3.2 | Kubelet | ||||
3.2.1 | Ensure that the --anonymous-auth argument is set to false (Automated) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.3 | Ensure that the --client-ca-file argument is set as appropriate (Automated) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.4 | Ensure that the --read-only-port is secured (Manual) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.6 | Ensure that the --make-iptables-util-chains argument is set to true (Automated) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.7 | Ensure that the --hostname-override argument is not set (Manual) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.8 | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.9 | Ensure that the --rotate-certificates argument is not set to false (Automated) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
3.2.10 | Ensure that the RotateKubeletServerCertificate argument is set to true (Manual) | NA | NA | Yes | Implemented by Azure as part of AKS cluster creation: the kubelet on AKS nodes is configured by Azure with this setting, and the BOS template does not override it. |
4.1 | RBAC and Service Accounts | ||||
4.1.1 | Ensure that the cluster-admin role is only used where required (Manual) | NA | Yes | Yes | The pipeline creates no ClusterRoleBindings to cluster-admin. Every deployment is controlled by BOS Pipelines. |
4.1.2 | Minimize access to secrets (Manual) | NA | Yes | Yes | No explicit access to Secrets is granted. Every deployment is controlled by BOS Pipelines. |
4.1.3 | Minimize wildcard use in Roles and ClusterRoles (Manual) | NA | Yes | Yes | No wildcards are used in Roles or ClusterRoles. Every deployment is controlled by BOS Pipelines. |
4.1.4 | Minimize access to create pods (Manual) | NA | Yes | Yes | No explicit permission to create pods is granted. Every deployment is controlled by BOS Pipelines. |
4.1.5 | Ensure that default service accounts are not actively used (Manual) | NA | NA | NA | The BOS Pipeline template deploys with a subscription-level service principal (SP) rather than a Kubernetes service account; it does not configure the service accounts of the workloads it deploys. |
4.1.6 | Ensure that Service Account Tokens are only mounted where necessary (Manual) | NA | NA | NA | The BOS Pipeline template deploys with a subscription-level service principal (SP) rather than a Kubernetes service account; it does not set automountServiceAccountToken for the workloads it deploys. |
4.2 | Pod Security Standards | ||||
4.2.1 | Minimize the admission of privileged containers (Manual) | NA | Yes | Yes | The BOS Pipeline template sets a securityContext (privileged, allowPrivilegeEscalation, runAsNonRoot, capabilities) on every pod and container it deploys in a given namespace. This constrains the workloads the pipeline deploys; admission-time enforcement for anything deployed outside the pipeline relies on Azure Policy (see 4.3). |
4.2.2 | Minimize the admission of containers wishing to share the host process ID namespace (Manual) | NA | Yes | Yes | Covered by the pod and container securityContext described under 4.2.1; the pipeline does not set hostPID. |
4.2.3 | Minimize the admission of containers wishing to share the host IPC namespace (Manual) | NA | Yes | Yes | Covered by the pod and container securityContext described under 4.2.1; the pipeline does not set hostIPC. |
4.2.4 | Minimize the admission of containers wishing to share the host network namespace (Manual) | NA | Yes | Yes | Covered by the pod and container securityContext described under 4.2.1; the pipeline does not set hostNetwork. |
4.2.5 | Minimize the admission of containers with allowPrivilegeEscalation (Manual) | NA | Yes | Yes | Covered by the container securityContext described under 4.2.1 (allowPrivilegeEscalation). |
4.2.6 | Minimize the admission of root containers (Manual) | NA | Yes | Yes | Covered by the pod and container securityContext described under 4.2.1 (runAsNonRoot). |
4.2.7 | Minimize the admission of containers with added capabilities (Manual) | NA | Yes | Yes | Covered by the container securityContext described under 4.2.1 (capabilities). |
4.2.8 | Minimize the admission of containers with capabilities assigned (Manual) | NA | Yes | Yes | Covered by the container securityContext described under 4.2.1 (capabilities). |
4.3 | Azure Policy / OPA | ||||
4.3 | PodSecurityPolicy (PSP) was deprecated in Kubernetes 1.21 and removed in 1.25. Its replacement for fine-grained admission control is the Open Policy Agent (OPA) with OPA Gatekeeper, a validating admission controller that uses the OPA Constraint Framework to enforce Custom Resource Definition (CRD) based policies and lets declaratively configured policies be shared reliably. | Yes | NA | Yes | Azure Policy is enabled on the AKS cluster. The BOS Environment Template creates the AKS cluster with the Azure Policy add-on (built on OPA Gatekeeper v3) enabled, controlled via a parameter. |
4.4 | CNI Plugin | ||||
4.4.1 | Ensure latest CNI version is used (Manual) | Yes | NA | Yes | Azure CNI is enabled on the AKS cluster. The BOS Environment Template creates the AKS cluster with Azure CNI enabled, controlled via a parameter; the CNI version itself is maintained by Azure as part of the managed node image. |
4.4.2 | Ensure that all Namespaces have Network Policies defined (Manual) | NA | Yes | Yes | The BOS Pipeline Template defines Network Policies for the namespaces it deploys to. Every deployment is controlled by BOS Pipelines. |
4.5 | Secrets Management | ||||
4.5.1 | Prefer using secrets as files over secrets as environment variables (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.5.2 | Consider external secret storage (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
4.6 | Extensible Admission Control | ||||
4.6.1 | Verify that admission controllers are working as expected (Manual) | Yes | NA | Yes | Azure Policy is enabled on the AKS cluster. The BOS Environment Template creates the AKS cluster with the Azure Policy add-on enabled, controlled via a parameter. |
4.7 | General Policies | ||||
4.7.1 | Create administrative boundaries between resources using namespaces (Manual) | NA | Yes | Yes | The BOS Pipeline Templates use a separate namespace for each environment. Every deployment is controlled by BOS Pipelines. |
4.7.2 | Apply Security Context to Your Pods and Containers (Manual) | NA | Yes | Yes | The BOS Pipeline Template defines a Security Context for its pods and containers. Every deployment is controlled by BOS Pipelines. |
4.7.3 | The default namespace should not be used (Manual) | NA | Yes | Yes | The BOS Pipeline Templates never deploy into the default namespace. Every deployment is controlled by BOS Pipelines. |
5.1 | Image Registry and Image Scanning | ||||
5.1.1 | Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider (Manual) | Yes | NA | Yes | The BOS Environment Template enables Azure Defender, which scans images and lists the vulnerabilities found. |
5.1.2 | Minimize user access to Azure Container Registry (ACR) (Manual) | Yes | NA | Yes | The AKS cluster created by the BOS Environment Template is granted only the AcrPull role on the ACR registry created alongside it. |
5.1.3 | Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual) | Yes | NA | Yes | The AKS cluster created by the BOS Environment Template is granted only the AcrPull role on the ACR registry created alongside it. |
5.1.4 | Minimize Container Registries to only those approved (Manual) | Yes | NA | Yes | The AKS cluster created by the BOS Environment Template is granted only the AcrPull role on the ACR registry created alongside it. Note that AcrPull limits which registry the cluster identity can authenticate to; it does not block pulls from other (for example public) registries, which requires an admission policy such as the Azure Policy definition restricting containers to allowed image registries. |
5.2 | Access and identity options for Azure Kubernetes Service (AKS) | ||||
5.2.1 | Prefer using dedicated AKS Service Accounts (Manual) | NA | Yes | NA | The BOS Pipeline template uses a subscription-level service principal (SP) to access the cluster and deploy containers. |
5.3 | Key Management Service (KMS) | ||||
5.3.1 | Ensure Kubernetes Secrets are encrypted (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.4 | Cluster Networking | ||||
5.4.1 | Restrict Access to the Control Plane Endpoint (Manual) | Yes | NA | Yes | The AKS cluster created by the BOS Environment Template restricts API server access to an authorized IP range list. |
5.4.2 | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.4.3 | Ensure clusters are created with Private Nodes (Manual) | Yes | NA | Yes | Nodes created by the BOS Environment Template have only private IPs. |
5.4.4 | Ensure Network Policy is Enabled and set as appropriate (Manual) | Yes | NA | Yes | Azure Network Policy is enabled on the AKS cluster. The BOS Environment Template creates the AKS cluster with Azure Network Policy enabled, controlled via a parameter. NetworkPolicy objects are accepted by the API server but not enforced unless a network policy engine is enabled on the cluster. |
5.4.5 | Encrypt traffic to HTTPS load balancers with TLS certificates (Manual) | NA | Yes | Yes | The BOS Pipeline Template configures a TLS certificate on the Application Gateway Ingress Controller (AGIC) to serve HTTPS. |
5.5 | Authentication and Authorization | ||||
5.5.1 | Manage Kubernetes RBAC users with Azure AD (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.5.2 | Use Azure RBAC for Kubernetes Authorization (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.6 | Other Cluster Configurations | ||||
5.6.1 | Restrict untrusted workloads (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
5.6.2 | Hostile multi-tenant workloads (Manual) | NA | NA | NA | The current release of the BOS template does not offer support for this. |
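The 3.1.x rows above say the kubelet files are verified on the node rather than configured by the template. The following script is an added example (not BOS or Azure code) of that verification: it implements the "644 or more restrictive" test correctly as a bit test rather than a numeric comparison, and checks ownership. On a real node you would run it from a `kubectl debug node/...` session after `chroot /host` and pass the kubelet file paths; the demo builds constructed temporary files so it runs anywhere, and the expected owner it passes (the current user) is a demo-only assumption, the node default being root:root.

```python
# Added example: audit the file mode and ownership checks of CIS AKS 3.1.1-3.1.4.
# Not BOS or Azure code. Pass real kubelet file paths on a node; demo() below
# uses constructed temp files instead so the script runs anywhere.
import grp
import os
import pwd
import stat
import tempfile


def excess_bits(mode, max_mode=0o644):
    """Permission bits set on the file that are clear in max_mode.

    CIS "644 or more restrictive" means no bit beyond rw-r--r-- may be set:
    0o600 and 0o640 pass, 0o664 and 0o755 fail. Returns 0 when compliant.
    A plain numeric comparison (mode <= 0o644) gets this wrong for e.g. 0o606.
    """
    return mode & ~max_mode & 0o7777


def _owner_names(uid, gid):
    """Resolve uid/gid to names, falling back to the numbers in minimal images."""
    try:
        uname = pwd.getpwuid(uid).pw_name
    except KeyError:
        uname = str(uid)
    try:
        gname = grp.getgrgid(gid).gr_name
    except KeyError:
        gname = str(gid)
    return uname, gname


def check_file(path, max_mode=0o644, owner="root", group="root"):
    """Return findings for one file; an empty list means it passes both checks."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # Absent on this node image: report it rather than pass silently.
        return [f"{path}: not present"]
    mode = stat.S_IMODE(st.st_mode)
    extra = excess_bits(mode, max_mode)
    if extra:
        findings.append(f"{path}: mode {mode:o} exceeds {max_mode:o} (extra bits {extra:o})")
    uname, gname = _owner_names(st.st_uid, st.st_gid)
    if (uname, gname) != (owner, group):
        findings.append(f"{path}: owned by {uname}:{gname}, expected {owner}:{group}")
    return findings


def demo():
    """Constructed demo: two temp files, one compliant (0600) and one not (0664).

    The files belong to the current user, so that user is passed as the expected
    owner; on a real node the root:root default applies.
    """
    me, my_group = _owner_names(os.getuid(), os.getgid())
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, fname, mode in (("good", "kubeconfig", 0o600), ("bad", "kubelet", 0o664)):
            path = os.path.join(d, fname)
            with open(path, "w") as f:
                f.write("# constructed sample file\n")
            os.chmod(path, mode)
            results[label] = check_file(path, owner=me, group=my_group)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "PASS" if not findings else findings)
```

The bit test is the part worth copying: `mode & ~0o644` is non-zero exactly when a bit outside rw-r--r-- is set, which is what the benchmark means by "or more restrictive".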
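Rows 4.1.1 to 4.1.4 rely on the pipeline never creating over-broad RBAC objects. An added example of how to verify that claim against a live cluster (this is not BOS code): the function below lints the JSON that `kubectl get clusterroles,roles,clusterrolebindings -A -o json` returns and reports findings per control. The SAMPLE input is constructed so that each check fires at least once; the treatment of workload controllers as pod creators follows the benchmark's own remediation note that creating Deployments and similar objects also creates pods.

```python
# Added example: audit Role/ClusterRole/ClusterRoleBinding objects for CIS AKS
# 4.1.1-4.1.4. Not BOS code. SAMPLE is a constructed stand-in for the output of
# `kubectl get clusterroles,roles,clusterrolebindings -A -o json`.
import json

SAMPLE = json.loads("""
{"items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "devs-are-admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "dev-team"}]},
  {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "app-prod"},
   "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
  {"kind": "Role", "metadata": {"name": "too-broad", "namespace": "app-prod"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
  {"kind": "Role", "metadata": {"name": "deployer", "namespace": "app-prod"},
   "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "patch"]}]}
]}
""")

# Creating any of these lets a subject run arbitrary pods, so 4.1.4 covers them
# as well as "pods" itself.
POD_CREATORS = {"pods", "replicationcontrollers", "replicasets", "deployments",
                "daemonsets", "statefulsets", "jobs", "cronjobs"}
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def _name(obj):
    md = obj.get("metadata", {})
    ns = md.get("namespace")
    return f"{obj['kind']}/{md.get('name')}" + (f" (ns {ns})" if ns else "")


def audit_rbac(items):
    """Return {control: [finding, ...]} for CIS AKS 4.1.1-4.1.4."""
    findings = {"4.1.1": [], "4.1.2": [], "4.1.3": [], "4.1.4": []}
    for obj in items:
        kind = obj.get("kind")
        if kind == "ClusterRoleBinding" and obj.get("roleRef", {}).get("name") == "cluster-admin":
            for s in obj.get("subjects", []):
                # The bootstrap binding to the system:masters group is expected;
                # any other subject holding cluster-admin needs a justification.
                if not (s.get("kind") == "Group" and s.get("name") == "system:masters"):
                    findings["4.1.1"].append(
                        f"{_name(obj)} grants cluster-admin to {s.get('kind')} {s.get('name')}")
        if kind in ("Role", "ClusterRole"):
            for rule in obj.get("rules", []):
                groups = set(rule.get("apiGroups", []))
                resources = set(rule.get("resources", []))
                verbs = set(rule.get("verbs", []))
                if "*" in groups or "*" in resources or "*" in verbs:
                    findings["4.1.3"].append(f"{_name(obj)} uses a wildcard: {rule}")
                if resources & {"secrets", "*"} and verbs & SECRET_READ_VERBS:
                    findings["4.1.2"].append(
                        f"{_name(obj)} can read secrets via verbs {sorted(verbs & SECRET_READ_VERBS)}")
                pod_resources = resources & (POD_CREATORS | {"*"})
                if pod_resources and verbs & {"create", "*"}:
                    findings["4.1.4"].append(
                        f"{_name(obj)} can create pods via {sorted(pod_resources)}")
    return findings


if __name__ == "__main__":
    for control, hits in audit_rbac(SAMPLE["items"]).items():
        print(control, hits or "OK")
```

On the constructed input the "too-broad" Role is reported under three controls at once, which is the usual shape of a wildcard rule: it is simultaneously a wildcard, a secret reader and a pod creator.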
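Rows 4.2.1 to 4.2.8 and 4.7.2 describe a securityContext applied by the pipeline. The following added example (not BOS code) lints a pod template spec, such as `spec.template.spec` of a Deployment, against those eight controls before it is applied, including the two defaults that are easy to miss: `allowPrivilegeEscalation` is true when unset, and a container that sets neither `runAsNonRoot` nor a non-zero `runAsUser` may run as root. Both specs are constructed; the weak one fails six controls and the hardened one passes. This is a pipeline-side check only; it does not reject non-compliant pods at admission, which on AKS is the job of Azure Policy (row 4.3).

```python
# Added example: lint a pod template spec against CIS AKS 4.2.1-4.2.8 (and the
# securityContext requirement of 4.7.2). Not BOS code. Both specs are constructed.
WEAK_SPEC = {
    "hostNetwork": True,
    "containers": [{
        "name": "app",
        "image": "example.azurecr.io/app:1.0",
        "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
    }],
}

HARDENED_SPEC = {
    "securityContext": {
        "runAsNonRoot": True,
        "runAsUser": 10001,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "app",
        "image": "example.azurecr.io/app:1.0",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}


def _effective(pod_sc, container_sc, key):
    """runAsNonRoot/runAsUser may be set at pod level; a container-level value overrides it."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def audit_pod_spec(spec):
    """Return a list of (control, message); an empty list means the spec is compliant."""
    findings = []
    pod_sc = spec.get("securityContext", {})
    for control, field in (("4.2.2", "hostPID"), ("4.2.3", "hostIPC"), ("4.2.4", "hostNetwork")):
        if spec.get(field):
            findings.append((control, f"pod sets {field}: true"))
    # initContainers run under the same privilege model, so they are audited too.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("4.2.1", f"{name}: privileged: true"))
        # Unset means true: the process may gain privileges via setuid binaries.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("4.2.5", f"{name}: allowPrivilegeEscalation is not false"))
        run_as_non_root = _effective(pod_sc, sc, "runAsNonRoot")
        run_as_user = _effective(pod_sc, sc, "runAsUser")
        if run_as_non_root is not True and run_as_user in (None, 0):
            findings.append(("4.2.6", f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)"))
        caps = sc.get("capabilities", {})
        if caps.get("add"):
            findings.append(("4.2.7", f"{name}: adds capabilities {caps['add']}"))
        if "ALL" not in {d.upper() for d in caps.get("drop", [])}:
            findings.append(("4.2.8", f"{name}: does not drop ALL capabilities"))
    return findings


def controls_failed(spec):
    """Sorted, de-duplicated list of control IDs the spec fails."""
    return sorted({control for control, _ in audit_pod_spec(spec)})


if __name__ == "__main__":
    print("weak:", controls_failed(WEAK_SPEC))
    print("hardened:", controls_failed(HARDENED_SPEC))
```

Wire `controls_failed` into the pipeline as a gate that fails the build when it returns anything; the admission policy in the cluster remains the control of record for 4.2.x.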
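Rows 4.4.2 and 5.4.4 together require a network policy engine on the cluster and a policy in every namespace. "A policy exists" is a weaker test than practitioners usually want; the added example below (not BOS code) instead reports, per non-system namespace, which traffic directions have no default-deny, where default-deny means a NetworkPolicy whose empty `podSelector` selects every pod and which carries no allow rule for that direction. The input mimics `kubectl get namespaces,networkpolicies -A -o json` and is constructed; the system namespace list is an assumption you should adjust to your cluster.

```python
# Added example: find namespaces lacking a default-deny NetworkPolicy for
# ingress and/or egress (CIS AKS 4.4.2 / 5.4.4). Not BOS code. SAMPLE is a
# constructed stand-in for `kubectl get namespaces,networkpolicies -A -o json`.
import json

SAMPLE = json.loads("""
{"items": [
  {"kind": "Namespace", "metadata": {"name": "app-prod"}},
  {"kind": "Namespace", "metadata": {"name": "app-dev"}},
  {"kind": "Namespace", "metadata": {"name": "batch"}},
  {"kind": "Namespace", "metadata": {"name": "kube-system"}},
  {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-all", "namespace": "app-prod"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
  {"kind": "NetworkPolicy", "metadata": {"name": "deny-ingress", "namespace": "app-dev"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
  {"kind": "NetworkPolicy", "metadata": {"name": "web-allow-all", "namespace": "batch"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": [{}]}}
]}
""")

# Assumption: namespaces excluded from the check; adjust for your cluster.
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease", "gatekeeper-system"}


def _policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress only when an egress section is present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def _deny_directions(spec):
    """Directions in which this policy denies all traffic for the pods it selects.

    A direction is denied when it is in policyTypes and the policy carries no
    allow rule for it; `ingress: [{}]` is an allow-all rule, not a deny.
    """
    return {d for d in _policy_types(spec) if not spec.get(d.lower())}


def namespaces_missing_default_deny(items):
    """Return {namespace: [missing directions]} for namespaces without an
    empty-podSelector deny policy covering both Ingress and Egress."""
    namespaces = {o["metadata"]["name"] for o in items if o["kind"] == "Namespace"}
    covered = {}
    for o in items:
        if o["kind"] != "NetworkPolicy":
            continue
        spec = o.get("spec", {})
        if spec.get("podSelector", {}) == {}:  # selects every pod in the namespace
            ns = o["metadata"]["namespace"]
            covered.setdefault(ns, set()).update(_deny_directions(spec))
    result = {}
    for ns in sorted(namespaces - SYSTEM_NAMESPACES):
        missing = {"Ingress", "Egress"} - covered.get(ns, set())
        if missing:
            result[ns] = sorted(missing)
    return result


if __name__ == "__main__":
    for ns, missing in namespaces_missing_default_deny(SAMPLE["items"]).items():
        print(f"{ns}: no default-deny for {', '.join(missing)}")
```

Two things the check deliberately surfaces: a namespace whose only policy is scoped to one label (batch) is not covered at all, and a default-deny that lists only Ingress (app-dev) leaves egress open. When you add default-deny egress, remember an explicit allow for DNS to kube-system, or the workloads lose name resolution.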