AKS Network Policy Misconfigured
- Query id: 8c3bedf1-c570-4c3b-b414-d068cd39a00c
- Query name: AKS Network Policy Misconfigured
- Platform: Ansible
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description
Azure Kubernetes Service clusters should be created with a network policy engine configured so that pod-to-pod traffic can be restricted to what each workload actually needs (least privilege). In the `azure_rm_aks` module this means `network_profile.network_policy` must be defined and set to a supported value (`azure` or `calico`, the two values the passing samples use). A cluster created without a network policy engine enforces nothing: Kubernetes NetworkPolicy objects applied later are accepted by the API server but silently ignored, and an unsupported value such as `istio` is flagged by the query as well.
Documentation
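As an added example (written for this page, not the KICS Rego query and not part of the azure.azcollection module), the check below walks an already-parsed Ansible playbook and reports every `azure_rm_aks` task whose `network_profile.network_policy` is missing or not one of the accepted values. It goes slightly beyond the page's samples: it assumes `azure` and `calico` are the only accepted values (inferred from the passing samples), also matches the fully qualified module name `azure.azcollection.azure_rm_aks`, and descends into `block`/`rescue`/`always` sections. The sample playbook is constructed to mirror the four samples on this page plus two extra cases.

```python
"""Added example: detect azure_rm_aks tasks without a usable network policy.

Illustrative code written for this page, not the KICS query and not part of
the azure.azcollection module. Assumptions (not from the page):
  * "azure" and "calico" are the only accepted network_policy values
    (the two values used by the passing samples);
  * the module may appear under its short name or the fully qualified
    collection name azure.azcollection.azure_rm_aks;
  * tasks may be nested inside block/rescue/always sections.
Input is the already-parsed YAML (lists/dicts), so no YAML library is needed.
"""
from typing import Iterator

# Assumption: the only values azure_rm_aks accepts for network_policy.
SUPPORTED_NETWORK_POLICIES = {"azure", "calico"}
# Short and fully qualified module names that create an AKS cluster.
AKS_MODULE_NAMES = ("azure_rm_aks", "azure.azcollection.azure_rm_aks")


def iter_tasks(tasks: list) -> Iterator[dict]:
    """Yield every task dict, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        sections = [task[s] for s in ("block", "rescue", "always") if isinstance(task.get(s), list)]
        if sections:
            for section in sections:
                yield from iter_tasks(section)
        else:
            yield task


def flatten_playbook(playbook: list) -> Iterator[dict]:
    """Accept either a list of plays (each with a `tasks` key) or a bare task list."""
    plays = [p for p in playbook if isinstance(p, dict) and "tasks" in p]
    if plays:
        for play in plays:
            yield from iter_tasks(play["tasks"])
    else:
        yield from iter_tasks(playbook)


def check_aks_network_policy(playbook: list) -> list:
    """Return one finding dict per azure_rm_aks task lacking a supported network policy."""
    findings = []
    for task in flatten_playbook(playbook):
        module = next((m for m in AKS_MODULE_NAMES if m in task), None)
        if module is None:
            continue
        params = task[module] if isinstance(task[module], dict) else {}
        profile = params.get("network_profile")
        policy = profile.get("network_policy") if isinstance(profile, dict) else None
        if policy is None:
            reason = "network_profile.network_policy is not defined"
        elif str(policy).lower() not in SUPPORTED_NETWORK_POLICIES:
            reason = f"network_policy {policy!r} is not a supported value"
        else:
            continue  # defined and supported: compliant
        findings.append({"task": task.get("name", "<unnamed>"), "module": module, "reason": reason})
    return findings


# Constructed input mirroring the page's four samples plus two extra cases
# (a fully qualified module name, and a network_profile without network_policy).
SAMPLE_PLAYBOOK = [
    {"name": "instance01", "azure_rm_aks": {"name": "myAKS", "network_profile": {"network_policy": "calico"}}},
    {"name": "instance02", "azure_rm_aks": {"name": "myAKS", "network_profile": {"network_policy": "azure"}}},
    {"name": "instance03", "azure_rm_aks": {"name": "myAKS", "network_profile": {"network_policy": "istio"}}},
    {"name": "instance04", "azure_rm_aks": {"name": "myAKS", "dns_prefix": "akstest"}},
    {"name": "instance05", "azure.azcollection.azure_rm_aks": {"name": "myAKS", "network_profile": {"network_plugin": "azure"}}},
    {"name": "unrelated", "debug": {"msg": "not an AKS task"}},
]

if __name__ == "__main__":
    for finding in check_aks_network_policy(SAMPLE_PLAYBOOK):
        print(f"{finding['task']}: {finding['reason']}")
```

Run against the constructed playbook it reports instance03 (unsupported value), instance04 (no `network_profile` at all) and instance05 (`network_profile` present but no `network_policy`), and nothing for the two compliant tasks. Feeding it `yaml.safe_load()` output of a real playbook is the only extra step needed in practice.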
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
---
- name: Create a managed Azure Container Services (AKS) instance03
  azure_rm_aks:
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    network_profile:
      network_policy: istio   # not a supported network_policy value: flagged
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
      client_secret: "Password123!"   # test-fixture placeholder; never commit real secrets
    agent_pool_profiles:
      - name: default
        count: 5
        vm_size: Standard_D2_v2
    tags:
      Environment: Production
- name: Create a managed Azure Container Services (AKS) instance04
  azure_rm_aks:   # no network_profile.network_policy at all: flagged
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
      client_secret: "Password123!"   # test-fixture placeholder; never commit real secrets
    agent_pool_profiles:
      - name: default
        count: 5
        vm_size: Standard_D2_v2
    tags:
      Environment: Production
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file

```yaml
- name: Create a managed Azure Container Services (AKS) instance01
  azure_rm_aks:
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    network_profile:
      network_policy: calico   # supported value: compliant
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948
      client_secret: Password123!   # test-fixture placeholder; never commit real secrets
    agent_pool_profiles:
      - name: default
        count: 5
        vm_size: Standard_D2_v2
    tags:
      Environment: Production
- name: Create a managed Azure Container Services (AKS) instance02
  azure_rm_aks:
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    network_profile:
      network_policy: azure   # supported value: compliant
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948
      client_secret: Password123!   # test-fixture placeholder; never commit real secrets
    agent_pool_profiles:
      - name: default
        count: 5
        vm_size: Standard_D2_v2
    tags:
      Environment: Production
```