feat: Add AKS Queries

Author: GeekMasher

ql/src/security/CWE-284/AKSPublicNetworkAccess.md

@@ -0,0 +1,67 @@
+# AKS cluster with public network access enabled
+
+Azure Kubernetes Service (AKS) clusters with public network access enabled can be accessed from any public IP address, which may expose the cluster to potential attackers on the internet.
+
+## Problem statement
+
+When public network access is enabled on an AKS cluster (which is the default setting), the Kubernetes API server is accessible from the internet. This increases the attack surface of the cluster and makes it vulnerable to various attacks including brute force attempts, exploitation of known vulnerabilities, and unauthorized access attempts.
+
+## Recommendation
+
+Disable public network access by setting the `publicNetworkAccess` property to `'Disabled'` and enable private cluster access using `apiServerAccessProfile.enablePrivateCluster` set to `true`. This ensures that the Kubernetes API server is only accessible from within your virtual network.
+
+```bicep
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'secureAksCluster'
+  location: location
+  properties: {
+    // Other properties...
+    publicNetworkAccess: 'Disabled'
+    apiServerAccessProfile: {
+      enablePrivateCluster: true
+    }
+    // Other properties...
+  }
+}
+```
+
+## Example
+
+### Insecure configuration (Public network access enabled)
+
+```bicep
+resource aksClusterInsecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterInsecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    publicNetworkAccess: 'Enabled' // Insecure: Public network access is enabled
+    // Default with no apiServerAccessProfile is also insecure
+    // Other properties...
+  }
+}
+```
+
+### Secure configuration (Public network access disabled)
+
+```bicep
+resource aksClusterSecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterSecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    publicNetworkAccess: 'Disabled' // Secure: Public network access is disabled
+    apiServerAccessProfile: {
+      enablePrivateCluster: true // Secure: Private cluster is enabled
+    }
+    // Other properties...
+  }
+}
+```
+
+## References
+
+* [Azure Kubernetes Service (AKS) network concepts](https://learn.microsoft.com/en-us/azure/aks/concepts-network)
+* [Create a private AKS cluster](https://learn.microsoft.com/en-us/azure/aks/private-clusters)

ql/src/security/CWE-284/AKSPublicNetworkAccess.ql

@@ -0,0 +1,33 @@
+/**
+ * @name AKS cluster with public network access enabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters with public network access enabled, which can expose the cluster to potential unauthorized access.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.5
+ * @precision high
+ * @id bicep/aks-public-network-access
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-284
+ */
+
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource resource, AKS::ManagedContainerProperties::Properties properties
+where
+  properties = resource.getProperties() and
+  (
+    (
+      exists(properties.getPublicNetworkAccess()) and
+      properties.getPublicNetworkAccess().getValue().toLowerCase() = "enabled"
+    ) or
+    not exists(properties.getPublicNetworkAccess()) // Default is "enabled" if not specified
+  ) and
+  // Exclude clusters that have private API server enabled
+  (
+    not exists(properties.getApiServerAccessProfile()) or
+    not exists(properties.getApiServerAccessProfile().getEnablePrivateCluster()) or
+    properties.getApiServerAccessProfile().enablePrivateCluster() = false
+  )
+select resource, "AKS cluster has public network access enabled, which can expose the cluster to unauthorized access."

ql/src/security/CWE-284/AKSRbacDisabled.md

@@ -0,0 +1,60 @@
+# AKS cluster with RBAC disabled
+
+Azure Kubernetes Service (AKS) clusters should have Role-Based Access Control (RBAC) enabled to properly restrict access to cluster resources based on user roles and permissions.
+
+## Problem statement
+
+When RBAC is disabled in AKS, anyone with access to the cluster can potentially perform any action on any resource within the cluster. This creates a significant security vulnerability as there's no fine-grained access control to protect sensitive operations.
+
+## Recommendation
+
+Always enable RBAC for AKS clusters by setting `enableRBAC` to `true` in your Bicep template:
+
+```bicep
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'secureAksCluster'
+  location: location
+  properties: {
+    // Other properties...
+    enableRBAC: true
+    // Other properties...
+  }
+}
+```
+
+## Example
+
+### Insecure configuration (RBAC disabled)
+
+```bicep
+resource aksClusterInsecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterInsecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    enableRBAC: false // Insecure: RBAC is disabled
+    // Other properties...
+  }
+}
+```
+
+### Secure configuration (RBAC enabled)
+
+```bicep
+resource aksClusterSecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterSecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    enableRBAC: true // Secure: RBAC is enabled
+    // Other properties...
+  }
+}
+```
+
+## References
+
+* [Azure Kubernetes Service RBAC](https://learn.microsoft.com/en-us/azure/aks/concepts-identity#kubernetes-rbac)
+* [Security best practices for AKS](https://learn.microsoft.com/en-us/azure/aks/security-best-practices)

ql/src/security/CWE-284/AKSRbacDisabled.ql

@@ -0,0 +1,25 @@
+/**
+ * @name AKS cluster with RBAC disabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters where RBAC is disabled, which can lead to unauthorized access to the cluster.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id bicep/aks-rbac-disabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-284
+ */
+
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource resource, AKS::ManagedContainerProperties::Properties properties
+where
+  properties = resource.getProperties() and
+  (
+    // RBAC is explicitly disabled
+    exists(properties.getEnableRBAC()) and
+    properties.getEnableRBAC().getBool() = false
+  )
+select resource, "AKS cluster has RBAC disabled, which can lead to unauthorized access to the cluster."

ql/src/security/CWE-306/AKSLocalAccountsEnabled.md

@@ -0,0 +1,74 @@
+# AKS cluster with local accounts enabled
+
+Azure Kubernetes Service (AKS) clusters should have local Kubernetes accounts disabled in favor of Azure Active Directory (Azure AD) integration for stronger authentication controls.
+
+## Problem statement
+
+When local accounts are enabled in AKS clusters:
+
+1. Authentication relies on locally stored credentials rather than centralized Azure AD identities
+2. User access management is more manual and error-prone
+3. Central audit and monitoring of access is more difficult
+4. Advanced security features like Conditional Access policies cannot be applied
+
+## Recommendation
+
+Disable local accounts in AKS clusters by setting `disableLocalAccounts` to `true` and configure Azure AD integration:
+
+```bicep
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'secureAksCluster'
+  location: location
+  properties: {
+    // Other properties...
+    disableLocalAccounts: true
+    aadProfile: {
+      managed: true
+      enableAzureRBAC: true
+    }
+    // Other properties...
+  }
+}
+```
+
+## Example
+
+### Insecure configuration (Local accounts enabled)
+
+```bicep
+resource aksClusterInsecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterInsecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    disableLocalAccounts: false // Insecure: Local accounts are explicitly enabled
+    // Or omitting disableLocalAccounts entirely (defaults to false)
+    // Other properties...
+  }
+}
+```
+
+### Secure configuration (Local accounts disabled)
+
+```bicep
+resource aksClusterSecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterSecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    disableLocalAccounts: true // Secure: Local accounts are disabled
+    aadProfile: {
+      managed: true
+      enableAzureRBAC: true
+    }
+    // Other properties...
+  }
+}
+```
+
+## References
+
+* [Use Azure AD with AKS](https://learn.microsoft.com/en-us/azure/aks/managed-aad)
+* [AKS best practices for authentication and authorization](https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-identity)

ql/src/security/CWE-306/AKSLocalAccountsEnabled.ql

@@ -0,0 +1,24 @@
+/**
+ * @name AKS cluster with local accounts enabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters with local accounts enabled, which can lead to weaker authentication controls.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id bicep/aks-local-accounts-enabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-306
+ */
+
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource resource, AKS::ManagedContainerProperties::Properties properties
+where
+  properties = resource.getProperties() and
+  (
+    not exists(properties.getDisableLocalAccounts()) or
+    properties.getDisableLocalAccounts().getBool() = false
+  )
+select resource, "AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication."

ql/src/security/CWE-311/AKSWithoutDiskEncryption.md

@@ -0,0 +1,78 @@
+# AKS cluster without disk encryption
+
+Azure Kubernetes Service (AKS) clusters should utilize disk encryption to protect sensitive data at rest. Without disk encryption, data stored on node disks could be vulnerable to unauthorized access if the storage is compromised.
+
+## Problem statement
+
+When an AKS cluster is configured without disk encryption:
+
+1. Node VM disks including OS disks and data disks could store data in an unencrypted format
+2. In case of physical theft, hardware decommissioning, or improper disk handling, sensitive data might be exposed
+3. Security and compliance requirements (like HIPAA, PCI DSS, or GDPR) may be violated
+4. If a node is compromised, an attacker may be able to access data directly from the disk
+
+## Recommendation
+
+Configure disk encryption for your AKS cluster by setting a disk encryption set ID:
+
+```bicep
+resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = {
+  name: 'myDiskEncryptionSet'
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    activeKey: {
+      keyUrl: keyVault.getSecret('encryptionKey').id
+    }
+  }
+}
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'secureAksCluster'
+  location: location
+  properties: {
+    // Other properties...
+    diskEncryptionSetID: diskEncryptionSet.id
+    // Other properties...
+  }
+}
+```
+
+## Example
+
+### Insecure configuration (No disk encryption)
+
+```bicep
+resource aksClusterInsecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterInsecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    // Missing diskEncryptionSetID
+    // Other properties...
+  }
+}
+```
+
+### Secure configuration (With disk encryption)
+
+```bicep
+resource aksClusterSecure 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+  name: 'aksClusterSecure'
+  location: location
+  properties: {
+    kubernetesVersion: '1.24.9'
+    dnsPrefix: 'aksdns'
+    diskEncryptionSetID: diskEncryptionSet.id // Secure: Using disk encryption
+    // Other properties...
+  }
+}
+```
+
+## References
+
+* [Azure Disk Encryption for AKS clusters](https://learn.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys)
+* [Data encryption in AKS](https://learn.microsoft.com/en-us/azure/aks/concepts-data-encryption)

ql/src/security/CWE-311/AKSWithoutDiskEncryption.ql

@@ -0,0 +1,22 @@
+/**
+ * @name AKS cluster without disk encryption
+ * @description Detects Azure Kubernetes Service (AKS) clusters without disk encryption, which can expose sensitive data.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.0
+ * @precision high
+ * @id bicep/aks-without-disk-encryption
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-311
+ */
+
+import codeql.bicep.frameworks.Microsoft.AKS
+import bicep
+
+from AKS::ManagedContainerResource resource, AKS::ManagedContainerProperties::Properties properties
+where
+  properties = resource.getProperties() and
+  not exists(properties.getDiskEncryptionSetID())
+select resource, "AKS cluster is configured without disk encryption, which can expose sensitive data at rest."