feat: Add security queries for AKS configurations and tests

Author: GeekMasher

ql/lib/codeql/bicep/frameworks/Microsoft/AKS.qll

@@ -295,6 +295,10 @@ module AKS {
        */
       Boolean getEnabled() { result = this.getProperty("enabled") }
 
+      boolean enabled() {
+        result = this.getEnabled().getBool()
+      }
+
       string toString() { result = "AddonKubeDashboard" }
     }
 

ql/src/security/AKS/AKSKubeDashboardEnabled.ql

@@ -0,0 +1,18 @@
+/**
+ * @name AKS cluster with kubeDashboard enabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters where the kubeDashboard addon is enabled (insecure configuration).
+ * @kind problem
+ * @problem.severity warning
+ * @id bicep/aks-kubedashboard-enabled
+ * @tags security, kubernetes, azure, aks
+ */
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource r, 
+     AKS::ManagedContainerProperties::AddonProfiles addons, 
+     AKS::ManagedContainerProperties::AddonKubeDashboard dashboard
+where
+  addons = r.getProperties().getAddonProfiles() and
+  dashboard = addons.getKubeDashboard() and
+  dashboard.enabled() = true
+select r, "AKS cluster has kubeDashboard addon enabled (insecure configuration)."

ql/src/security/AKS/AKSPrivateApiEnabled.ql

@@ -0,0 +1,18 @@
+/**
+ * @name AKS cluster with private API server enabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters where the API server is private (private cluster enabled).
+ * @kind problem
+ * @problem.severity recommendation
+ * @id bicep/aks-private-api-server-enabled
+ * @tags security
+ *       kubernetes
+ *       azure
+ */
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource r, 
+     AKS::ManagedContainerProperties::ApiServerAccessProfile api
+where
+  api = r.getProperties().getApiServerAccessProfile() and
+  api.enablePrivateCluster() = true
+select r, "AKS cluster API server is private (private cluster enabled)."

ql/src/security/AKS/AKSPublicApi.ql

@@ -0,0 +1,22 @@
+/**
+ * @name AKS cluster with public API server
+ * @description Detects Azure Kubernetes Service (AKS) clusters where the API server is publicly accessible (private cluster not enabled).
+ * @kind problem
+ * @problem.severity warning
+ * @id bicep/aks-public-api-server
+ * @tags security
+ *       azure
+ *       kubernetes
+ */
+import bicep
+
+from AKS::ManagedContainerResource r, 
+     AKS::ManagedContainerProperties::ApiServerAccessProfile api
+where
+  api = r.getProperties().getApiServerAccessProfile() and
+  (
+    // enablePrivateCluster is missing or set to false
+    not exists(api.getEnablePrivateCluster()) or
+    api.enablePrivateCluster() = false
+  )
+select r, "AKS cluster API server is publicly accessible (private cluster not enabled)."

ql/test/queries-tests/security/AKS/AKSKubeDashboardEnabled.expected

@@ -0,0 +1 @@
+| aks-security-examples.bicep:2:1:30:1 | ManagedContainerResource | AKS cluster has kubeDashboard addon enabled (insecure configuration). |

ql/test/queries-tests/security/AKS/AKSKubeDashboardEnabled.qlref

@@ -0,0 +1 @@
+security/AKS/AKSKubeDashboardEnabled.ql

ql/test/queries-tests/security/AKS/AKSPrivateApiEnabled.expected

@@ -0,0 +1 @@
+| aks-security-examples.bicep:32:1:62:1 | ManagedContainerResource | AKS cluster API server is private (private cluster enabled). |

ql/test/queries-tests/security/AKS/AKSPrivateApiEnabled.qlref

@@ -0,0 +1 @@
+security/AKS/AKSPrivateApiEnabled.ql

ql/test/queries-tests/security/AKS/AKSPublicApi.expected

@@ -0,0 +1,2 @@
+| aks-security-examples.bicep:2:1:30:1 | ManagedContainerResource | AKS cluster API server is publicly accessible (private cluster not enabled). |
+| aks-security-examples.bicep:32:1:62:1 | ManagedContainerResource | AKS cluster API server is publicly accessible (private cluster not enabled). |

ql/test/queries-tests/security/AKS/AKSPublicApi.qlref

@@ -0,0 +1 @@
+security/AKS/AKSPublicApi.ql