Common Azure Kubernetes Services (AKS) Infrastructure Misconfigurations and How to Fix Them
In our past lives we have come across numerous misconfigurations when working with clients on their Azure Kubernetes Services (AKS) infrastructure. These misconfigurations can not only affect the performance and reliability of your applications but also introduce potential security vulnerabilities. In this article, we will detail the most common AKS misconfigurations, explain their security implications, and provide tips on how to detect and fix them using Azure CLI or Resource Graph examples.
Inadequate Control Plane Logging
Insufficient logging in the control plane can make it difficult to troubleshoot and monitor your AKS cluster. By default, AKS does not enable control plane logs. This can be a security vulnerability, as logs are crucial for incident response and forensic analysis.
Detection:
az aks addon show -g myResourceGroup -n myAKSCluster -a monitoring
Fix: Enable control plane logging by enabling the monitoring add-on on the cluster (this also works on an existing cluster):
az aks enable-addons -a monitoring -n myAKSCluster -g myResourceGroup
Publicly Exposed API Server
Exposing the AKS API server to the public internet can create security vulnerabilities, as attackers could gain unauthorized access to your cluster’s control plane.
Detection (via Azure Resource Graph Explorer):
resources | where type == "microsoft.containerservice/managedclusters" and coalesce(array_length(properties.apiServerAccessProfile.authorizedIpRanges), 0) == 0 and coalesce(tobool(properties.apiServerAccessProfile.enablePrivateCluster), false) == false
Fix: Restrict access to the API server by specifying authorized IP ranges on the cluster. Passing an empty string would clear the list and leave the API server open, so supply the CIDR ranges that need to reach it (203.0.113.0/24 below is a documentation range used as a placeholder; replace it with your own):
az aks update --resource-group myResourceGroup --name myAKSCluster --api-server-authorized-ip-ranges 203.0.113.0/24
Lack of Role-Based Access Control (RBAC)
Not enabling RBAC can lead to unauthorized access to your AKS cluster and its resources. RBAC is essential for ensuring that only authorized users and services can perform specific actions in your cluster, reducing the risk of unauthorized access and data breaches.
Detection (via Azure Resource Graph Explorer):
resources | where type == "microsoft.containerservice/managedclusters" and properties.enableRBAC == false
Fix: Kubernetes RBAC (the enableRBAC property) is set when the cluster is created and is on by default for az aks create. On an existing cluster you can additionally enable Azure RBAC for Kubernetes authorization, which requires the cluster to be integrated with Azure AD:
az aks update -g myResourceGroup -n myAKSCluster --enable-azure-rbac
Not Using Private Clusters
By not using a private AKS cluster, you expose your cluster’s control plane and worker nodes to the public internet. This increases the attack surface and can lead to unauthorized access or security breaches.
Detection (via Azure Resource Graph Explorer):
resources | where type == "microsoft.containerservice/managedclusters" and coalesce(tobool(properties.apiServerAccessProfile.enablePrivateCluster), false) == false
Fix: A cluster can only be made private at creation time, so an existing public cluster has to be replaced by one created with az aks create and the --enable-private-cluster flag.
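The Resource Graph queries above check one property each. As an added example (not code from the original article or from ARGOS), the script below runs all four checks offline over cluster objects in the shape of az aks list -o json output; the field names (apiServerAccessProfile, enablePrivateCluster, authorizedIpRanges, enableRbac, addonProfiles.omsagent) and the two sample clusters are assumptions constructed for the example.

```python
"""Offline checker for the AKS misconfigurations discussed above.

Input: a list of cluster objects in the (assumed) shape returned by
`az aks list -o json`, with camelCase keys.
"""
import json


def _profile(cluster):
    # apiServerAccessProfile is null on clusters that never set it
    return cluster.get("apiServerAccessProfile") or {}


def is_private(cluster):
    return bool(_profile(cluster).get("enablePrivateCluster"))


def api_server_public(cluster):
    # Public unless the cluster is private or has authorized IP ranges
    ranges = _profile(cluster).get("authorizedIpRanges") or []
    return not is_private(cluster) and len(ranges) == 0


def rbac_disabled(cluster):
    # az CLI emits enableRbac; Resource Graph emits enableRBAC
    value = cluster.get("enableRbac", cluster.get("enableRBAC"))
    return value is not True


def monitoring_missing(cluster):
    addons = cluster.get("addonProfiles") or {}
    oms = addons.get("omsagent") or {}
    return not oms.get("enabled", False)


CHECKS = {
    "public-api-server": api_server_public,
    "rbac-disabled": rbac_disabled,
    "not-private": lambda c: not is_private(c),
    "monitoring-addon-missing": monitoring_missing,
}


def audit(clusters):
    """Return {cluster name: [ids of failed checks]} for every cluster."""
    return {c["name"]: [k for k, f in CHECKS.items() if f(c)] for c in clusters}


# Constructed sample input, not output from any real subscription
SAMPLE = json.loads("""[
 {"name": "open-cluster", "enableRbac": false,
  "apiServerAccessProfile": null, "addonProfiles": {}},
 {"name": "locked-cluster", "enableRbac": true,
  "apiServerAccessProfile": {"enablePrivateCluster": true, "authorizedIpRanges": []},
  "addonProfiles": {"omsagent": {"enabled": true}}}
]""")

if __name__ == "__main__":
    for name, failed in audit(SAMPLE).items():
        print(name, "OK" if not failed else ", ".join(failed))
```

To audit a real subscription, replace SAMPLE with json.load(sys.stdin) and pipe in the output of az aks list -o json.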
Next steps
You can take ARGOS for a completely free 14-day trial (no credit card required) using the button below. You can also get in touch with us to organise a one-on-one demo so we can demonstrate how you can find the above issues within minutes using ARGOS.