AKS Uses Azure Policies Add-On Disabled

  • Query id: 43789711-161b-4708-b5bb-9d1c626f7492
  • Query name: AKS Uses Azure Policies Add-On Disabled
  • Platform: Terraform
  • Severity: Low
  • Category: Best Practices
  • URL: Github

Description

Azure Container Service (AKS) clusters should have the Azure Policy add-on enabled.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_kubernetes_cluster" "positive1" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  addon_profile {
    azure_policy {
      enabled = false
    }
  }
}

Positive test num. 2 - tf file
resource "azurerm_kubernetes_cluster" "positive2" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  azure_policy_enabled = false
}

Positive test num. 3 - tf file
resource "azurerm_kubernetes_cluster" "positive3" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  addon_profile {}
}

Positive test num. 4 - tf file
resource "azurerm_kubernetes_cluster" "positive4" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_kubernetes_cluster" "negative" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  addon_profile {
    azure_policy {
      enabled = true
    }
  }
}

Negative test num. 2 - tf file
resource "azurerm_kubernetes_cluster" "negative" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  azure_policy_enabled = true
}
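As an added illustration (not the KICS Rego query itself), the Python below reproduces the decision this query makes over both Terraform forms shown above: the add-on counts as enabled only when `azure_policy_enabled = true` or `addon_profile.azure_policy.enabled = true` is present, so a missing attribute, an empty `addon_profile {}` block, or `enabled = false` all fail the check. The minimal HCL-subset parser and the inline Terraform sample are constructed for this example.

```python
import re

# Constructed Terraform sample (assumption: mirrors the page's test cases, not taken from KICS).
SAMPLE_TF = '''
resource "azurerm_kubernetes_cluster" "legacy_off" {
  name = "example-aks1"
  addon_profile {
    azure_policy {
      enabled = false
    }
  }
}
resource "azurerm_kubernetes_cluster" "modern_on" {
  azure_policy_enabled = true
}
resource "azurerm_kubernetes_cluster" "empty_profile" {
  addon_profile {}
}
resource "azurerm_kubernetes_cluster" "nothing_set" {
  dns_prefix = "exampleaks1"
}
'''

_BLOCK = re.compile(r'^(\w+)((?:\s+"[^"]*")*)\s*\{\s*(\})?$')  # `name "lbl" {` or `name {}`
_ATTR = re.compile(r'^(\w+)\s*=\s*(.+?)$')                        # `key = value`


def parse_hcl_subset(text):
    """Parse the small HCL subset used above (blocks and scalar attributes) into nested
    dicts. Block labels are joined into the key; attribute values stay as raw strings."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":                       # close the innermost open block
            if len(stack) > 1:
                stack.pop()
            continue
        m = _BLOCK.match(line)
        if m:
            key = " ".join([m.group(1)] + re.findall(r'"([^"]*)"', m.group(2)))
            child = {}
            stack[-1][key] = child
            if not m.group(3):                # `addon_profile {}` opens and closes on one line
                stack.append(child)
            continue
        m = _ATTR.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2)
    return root


def azure_policy_enabled(cluster):
    """True only when either Terraform form explicitly enables the add-on; anything else
    (absent attribute, empty addon_profile, enabled = false) is treated as disabled."""
    if cluster.get("azure_policy_enabled") == "true":
        return True
    return cluster.get("addon_profile", {}).get("azure_policy", {}).get("enabled") == "true"


def find_clusters_without_azure_policy(text):
    """Names of azurerm_kubernetes_cluster resources in `text` that would fail this query."""
    failing = []
    for key, body in parse_hcl_subset(text).items():
        parts = key.split(" ")
        if parts[:2] == ["resource", "azurerm_kubernetes_cluster"] and not azure_policy_enabled(body):
            failing.append(parts[2])
    return failing
```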