You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/aks/concepts-security.md
+19-13Lines changed: 19 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ description: Learn about security in Azure Kubernetes Service (AKS), including m
4
4
services: container-service
5
5
author: miwithro
6
6
ms.topic: conceptual
7
-
ms.date: 01/20/2022
7
+
ms.date: 02/28/2023
8
8
ms.author: miwithro
9
9
---
10
10
@@ -15,7 +15,8 @@ Container security protects the entire end-to-end pipeline from build to the app
15
15
The Secure Supply Chain includes the build environment and registry.
16
16
17
17
Kubernetes includes security components, such as *pod security standards* and *Secrets*. Meanwhile, Azure includes components like Active Directory, Microsoft Defender for Containers, Azure Policy, Azure Key Vault, network security groups and orchestrated cluster upgrades. AKS combines these security components to:
18
-
* Provide a complete Authentication and Authorization story.
18
+
19
+
* Provide a complete authentication and authorization story.
19
20
* Leverage AKS Built-in Azure Policy to secure your applications.
20
21
* End-to-End insight from build through your application with Microsoft Defender for Containers.
21
22
* Keep your AKS cluster running the latest OS security updates and Kubernetes releases.
@@ -39,23 +40,24 @@ This article introduces the core concepts that secure your applications in AKS:
39
40
40
41
## Build Security
41
42
42
-
As the entry point for the Supply Chain, it is important to conduct static analysis of image builds before they are promoted down the pipeline. This includes vulnerability and compliance assessment. It is not about failing a build because it has a vulnerability, as that will break development. It is about looking at the "Vendor Status" to segment based on vulnerabilities that are actionable by the development teams. Also leverage "Grace Periods" to allow developers time to remediate identified issues.
43
+
As the entry point for the Supply Chain, it is important to conduct static analysis of image builds before they are promoted down the pipeline. This includes vulnerability and compliance assessment. It is not about failing a build because it has a vulnerability, as that will break development. It is about looking at the "Vendor Status" to segment based on vulnerabilities that are actionable by the development teams. Also leverage "Grace Periods" to allow developers time to remediate identified issues.
43
44
44
45
## Registry Security
45
46
46
47
Assessing the vulnerability state of the image in the Registry will detect drift and will also catch images that didn't come from your build environment. Use [Notary V2](https://github.com/notaryproject/notaryproject) to attach signatures to your images to ensure deployments are coming from a trusted location.
47
48
48
49
## Cluster security
49
50
50
-
In AKS, the Kubernetes master components are part of the managed service provided, managed, and maintained by Microsoft. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to provide the API Server, Scheduler, etc.
51
+
In AKS, the Kubernetes master components are part of the managed service provided, managed, and maintained by Microsoft. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to provide the API Server, Scheduler, etc. For information on how Microsoft manages security vulnerabilities and details about releasing security updates for managed pars of an AKS clusters, see [Vulnerability management for Azure Kubernetes Service][microsoft-vulnerability-management-aks].
51
52
52
53
By default, the Kubernetes API server uses a public IP address and a fully qualified domain name (FQDN). You can limit access to the API server endpoint using [authorized IP ranges][authorized-ip-ranges]. You can also create a fully [private cluster][private-clusters] to limit API server access to your virtual network.
53
54
54
55
You can control access to the API server using Kubernetes role-based access control (Kubernetes RBAC) and Azure RBAC. For more information, see [Azure AD integration with AKS][aks-aad].
55
56
56
57
## Node security
57
58
58
-
AKS nodes are Azure virtual machines (VMs) that you manage and maintain.
59
+
AKS nodes are Azure virtual machines (VMs) that you manage and maintain.
60
+
59
61
* Linux nodes run an optimized Ubuntu distribution using the `containerd` or Docker container runtime.
60
62
* Windows Server nodes run an optimized Windows Server 2019 release using the `containerd` or Docker container runtime.
61
63
@@ -78,12 +80,15 @@ Nightly updates apply security updates to the OS on the node, but the node image
78
80
For Windows Server nodes, Windows Update doesn't automatically run and apply the latest updates. Schedule Windows Server node pool upgrades in your AKS cluster around the regular Windows Update release cycle and your own validation process. This upgrade process creates nodes that run the latest Windows Server image and patches, then removes the older nodes. For more information on this process, see [Upgrade a node pool in AKS][nodepool-upgrade].
79
81
80
82
### Node authorization
83
+
81
84
Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets to protect against East-West attacks. Node authorization is enabled by default on AKS 1.24 + clusters.
82
85
83
86
### Node deployment
87
+
84
88
Nodes are deployed into a private virtual network subnet, with no public IP addresses assigned. For troubleshooting and management purposes, SSH is enabled by default and only accessible using the internal IP address.
85
89
86
90
### Node storage
91
+
87
92
To provide storage, the nodes use Azure Managed Disks. For most VM node sizes, Azure Managed Disks are Premium disks backed by high-performance SSDs. The data stored on managed disks is automatically encrypted at rest within the Azure platform. To improve redundancy, Azure Managed Disks are securely replicated within the Azure datacenter.
88
93
89
94
### Hostile multi-tenant workloads
@@ -108,7 +113,7 @@ To start the upgrade process, specify one of the [listed available Kubernetes ve
108
113
109
114
During the upgrade process, AKS nodes are individually cordoned from the cluster to prevent new pods from being scheduled on them. The nodes are then drained and upgraded as follows:
110
115
111
-
1.A new node is deployed into the node pool.
116
+
1. A new node is deployed into the node pool.
112
117
* This node runs the latest OS image and patches.
113
118
1. One of the existing nodes is identified for upgrade.
114
119
1. Pods on the identified node are gracefully terminated and scheduled on the other nodes in the node pool.
@@ -135,18 +140,18 @@ To limit network traffic between pods in your cluster, AKS offers support for [K
135
140
136
141
To protect pods running on AKS leverage [Microsoft Defender for Containers][microsoft-defender-for-containers] to detect and restrict cyber attacks against your applications running in your pods. Run continual scanning to detect drift in the vulnerability state of your application and implement a "blue/green/canary" process to patch and replace the vulnerable images.
137
142
138
-
139
143
## Kubernetes Secrets
140
144
141
-
With a Kubernetes *Secret*, you inject sensitive data into pods, such as access credentials or keys.
142
-
1. Create a Secret using the Kubernetes API.
143
-
1. Define your pod or deployment and request a specific Secret.
145
+
With a Kubernetes *Secret*, you inject sensitive data into pods, such as access credentials or keys.
146
+
147
+
1. Create a Secret using the Kubernetes API.
148
+
1. Define your pod or deployment and request a specific Secret.
144
149
* Secrets are only provided to nodes with a scheduled pod that requires them.
145
-
* The Secret is stored in *tmpfs*, not written to disk.
146
-
1. When you delete the last pod on a node requiring a Secret, the Secret is deleted from the node's tmpfs.
150
+
* The Secret is stored in *tmpfs*, not written to disk.
151
+
1. When you delete the last pod on a node requiring a Secret, the Secret is deleted from the node's tmpfs.
147
152
* Secrets are stored within a given namespace and can only be accessed by pods within the same namespace.
148
153
149
-
Using Secrets reduces the sensitive information defined in the pod or service YAML manifest. Instead, you request the Secret stored in Kubernetes API Server as part of your YAML manifest. This approach only provides the specific pod access to the Secret.
154
+
Using Secrets reduces the sensitive information defined in the pod or service YAML manifest. Instead, you request the Secret stored in Kubernetes API Server as part of your YAML manifest. This approach only provides the specific pod access to the Secret.
150
155
151
156
> [!NOTE]
152
157
> The raw secret manifest files contain the secret data in base64 format (see the [official documentation][secret-risks] for more details). Treat these files as sensitive information, and never commit them to source control.
@@ -194,3 +199,4 @@ For more information on core Kubernetes and AKS concepts, see:
0 commit comments