AKS Network Policy Misconfigured

  • Query id: 8c3bedf1-c570-4c3b-b414-d068cd39a00c
  • Query name: AKS Network Policy Misconfigured
  • Platform: Ansible
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

Azure Kubernetes Service clusters should be created with a network policy engine configured, so that pod-to-pod traffic can be restricted to what each workload actually needs (least privilege). In 'azure_rm_aks' this means 'network_profile.network_policy' must be defined and set to one of the engines AKS supports, 'azure' or 'calico'; a task that omits the key, or sets it to an unsupported value such as 'istio', is flagged. Note that enabling the engine only makes Kubernetes NetworkPolicy objects enforceable: until policies are applied (for example a default-deny ingress policy in each namespace), every pod can still reach every other pod.
Documentation
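The following is an added example, not part of this page or of the KICS query itself: a small Python checker that reproduces the rule's logic over a parsed Ansible playbook, flagging every azure_rm_aks task whose network_profile.network_policy is missing or is not 'azure' or 'calico'. The sample playbook is constructed inline from the four tasks shown on this page (secrets and unrelated fields omitted); the function name, the fully qualified module name azure.azcollection.azure_rm_aks, and the play/task handling are assumptions made for the example.

```python
"""Check azure_rm_aks tasks for a missing or unsupported network policy engine.

Added example for the KICS 'AKS Network Policy Misconfigured' rule; it is not
KICS code. It operates on the structure yaml.safe_load() returns for a playbook.
"""

# Values the azure_rm_aks module accepts for network_profile.network_policy.
ALLOWED_NETWORK_POLICIES = {"azure", "calico"}
# Short name as used on this page plus the fully qualified collection name (assumed).
AKS_MODULE_NAMES = ("azure_rm_aks", "azure.azcollection.azure_rm_aks")


def _iter_tasks(playbook):
    """Yield task dicts from either a bare task list or a list of plays."""
    for item in playbook or []:
        if not isinstance(item, dict):
            continue
        if "tasks" in item:  # a play: descend into its task list
            yield from (t for t in item.get("tasks") or [] if isinstance(t, dict))
        else:  # a bare task, as in the samples on this page
            yield item


def find_aks_network_policy_issues(playbook):
    """Return [(task_name, reason), ...] for every misconfigured AKS task."""
    issues = []
    for task in _iter_tasks(playbook):
        for module_name in AKS_MODULE_NAMES:
            if module_name in task:
                params = task[module_name] or {}
                break
        else:
            continue  # not an AKS task
        name = task.get("name", "<unnamed task>")
        profile = params.get("network_profile")
        if not isinstance(profile, dict) or "network_policy" not in profile:
            issues.append((name, "network_profile.network_policy is not defined"))
            continue
        policy = profile["network_policy"]
        if policy not in ALLOWED_NETWORK_POLICIES:
            issues.append(
                (name, f"network_policy '{policy}' is not one of {sorted(ALLOWED_NETWORK_POLICIES)}")
            )
    return issues


def load_playbook(text):
    """Parse playbook text with PyYAML (a dependency Ansible itself installs)."""
    import yaml  # imported lazily so the checker works without it on pre-parsed data

    return yaml.safe_load(text)


# Constructed sample: the four tasks from this page as parsed YAML, trimmed to
# the fields relevant to the check.
SAMPLE_PLAYBOOK = [
    {"name": "instance01", "azure_rm_aks": {"name": "myAKS", "network_profile": {"network_policy": "calico"}}},
    {"name": "instance02", "azure_rm_aks": {"name": "myAKS", "network_profile": {"network_policy": "azure"}}},
    {"name": "instance03", "azure_rm_aks": {"name": "myAKS", "network_profile": {"network_policy": "istio"}}},
    {"name": "instance04", "azure_rm_aks": {"name": "myAKS"}},
]


if __name__ == "__main__":
    for task_name, reason in find_aks_network_policy_issues(SAMPLE_PLAYBOOK):
        print(f"[MEDIUM] {task_name}: {reason}")
```

Running the block flags instance03 (unsupported value) and instance04 (key absent) and passes instance01 and instance02, matching the positive and negative samples below. Feed a real file through load_playbook() to check plays that nest tasks under a 'tasks' key.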

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Create a managed Azure Container Services (AKS) instance03
  azure_rm_aks:
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    network_profile:
      # 'istio' is not a value azure_rm_aks accepts for network_policy; only 'azure' or 'calico' are
      network_policy: istio
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
      client_secret: "Password123!"
    agent_pool_profiles:
      - name: default
        count: 5
        vm_size: Standard_D2_v2
    tags:
      Environment: Production
- name: Create a managed Azure Container Services (AKS) instance04
  azure_rm_aks:
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    # no network_profile at all: the cluster is created without a network policy engine
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
      client_secret: "Password123!"
    agent_pool_profiles:
      - name: default
        count: 5
        vm_size: Standard_D2_v2
    tags:
      Environment: Production

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
---
- name: Create a managed Azure Container Services (AKS) instance01
  azure_rm_aks:
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    network_profile:
      # supported engine: Calico network policy
      network_policy: calico
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948
      client_secret: Password123!
    agent_pool_profiles:
    - name: default
      count: 5
      vm_size: Standard_D2_v2
    tags:
      Environment: Production
- name: Create a managed Azure Container Services (AKS) instance02
  azure_rm_aks:
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    network_profile:
      # supported engine: Azure network policy
      network_policy: azure
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948
      client_secret: Password123!
    agent_pool_profiles:
    - name: default
      count: 5
      vm_size: Standard_D2_v2
    tags:
      Environment: Production