Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
// CheckConfiguredNetworkPolicy registers rule AVD-AZU-0043. It walks every AKS
// cluster in the scanned state and reports those whose
// NetworkProfile.NetworkPolicy value is empty; any non-empty value is recorded
// as a pass. The check only tests that the attribute is set: it does not look
// at which policy provider is named, nor at whether NetworkPolicy objects are
// actually defined inside the cluster.
//
// NOTE(review): unlike the other AKS checks published alongside this one,
// there is no cluster.Metadata.IsUnmanaged() guard here - confirm that
// unmanaged clusters are meant to be evaluated.
var CheckConfiguredNetworkPolicy = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0043",
		Provider:   providers.AzureProvider,
		Service:    "container",
		ShortCode:  "configured-network-policy",
		Summary:    "Ensure AKS cluster has Network Policy configured",
		Impact:     "No network policy is protecting the AKS cluster",
		Resolution: "Configure a network policy",
		Explanation: `The Kubernetes object type NetworkPolicy should be defined to have opportunity allow or block traffic to pods, as in a Kubernetes cluster configured with default settings, all pods can discover and communicate with each other without any restrictions.`,
		Links: []string{
			"https://kubernetes.io/docs/concepts/services-networking/network-policies",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformConfiguredNetworkPolicyGoodExamples,
			BadExamples:         terraformConfiguredNetworkPolicyBadExamples,
			Links:               terraformConfiguredNetworkPolicyLinks,
			RemediationMarkdown: terraformConfiguredNetworkPolicyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (found scan.Results) {
		for _, aks := range s.Azure.Container.KubernetesClusters {
			// A cluster with any network policy value set passes outright.
			if !aks.NetworkProfile.NetworkPolicy.IsEmpty() {
				found.AddPassed(&aks)
				continue
			}
			// The finding points at the (empty) network policy attribute.
			found.Add(
				"Kubernetes cluster does not have a network policy set.",
				aks.NetworkProfile.NetworkPolicy,
			)
		}
		return found
	},
)
// CheckLimitAuthorizedIps registers rule AVD-AZU-0041. For every managed AKS
// cluster that is not a private cluster, it reports the cluster when
// APIServerAuthorizedIPRanges is empty and records a pass otherwise.
//
// Only the presence of at least one range is tested. The ranges themselves are
// not inspected, so an overly broad CIDR still counts as a pass; reviewers
// relying on this rule should check the configured ranges separately.
//
// The finding is attached to cluster.EnablePrivateCluster rather than to the
// authorized-ranges attribute.
var CheckLimitAuthorizedIps = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0041",
		Provider:   providers.AzureProvider,
		Service:    "container",
		ShortCode:  "limit-authorized-ips",
		Summary:    "Ensure AKS has an API Server Authorized IP Ranges enabled",
		Impact:     "Any IP can interact with the API server",
		Resolution: "Limit the access to the API server to a limited IP range",
		Explanation: `The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformLimitAuthorizedIpsGoodExamples,
			BadExamples:         terraformLimitAuthorizedIpsBadExamples,
			Links:               terraformLimitAuthorizedIpsLinks,
			RemediationMarkdown: terraformLimitAuthorizedIpsRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (found scan.Results) {
		for _, aks := range s.Azure.Container.KubernetesClusters {
			// Unmanaged and private clusters are skipped: no pass and no
			// failure is recorded for them.
			if aks.Metadata.IsUnmanaged() || aks.EnablePrivateCluster.IsTrue() {
				continue
			}
			if len(aks.APIServerAuthorizedIPRanges) > 0 {
				found.AddPassed(&aks)
				continue
			}
			found.Add(
				"Cluster does not limit API access to specific IP addresses.",
				aks.EnablePrivateCluster,
			)
		}
		return found
	},
)
// CheckLogging registers rule AVD-AZU-0040. For every managed AKS cluster it
// reports the cluster when AddonProfile.OMSAgent.Enabled is false and records
// a pass otherwise.
//
// NOTE(review): the failure condition is Enabled.IsFalse(), so any value for
// which IsFalse() does not return true is treated as a pass. How an unset or
// unresolved value evaluates is not visible here - confirm it cannot mask a
// cluster without logging.
var CheckLogging = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0040",
		Provider:   providers.AzureProvider,
		Service:    "container",
		ShortCode:  "logging",
		Summary:    "Ensure AKS logging to Azure Monitoring is Configured",
		Impact:     "Logging provides valuable information about access and usage",
		Resolution: "Enable logging for AKS",
		Explanation: `Ensure AKS logging to Azure Monitoring is configured for containers to monitor the performance of workloads.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-onboard",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformLoggingGoodExamples,
			BadExamples:         terraformLoggingBadExamples,
			Links:               terraformLoggingLinks,
			RemediationMarkdown: terraformLoggingRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (found scan.Results) {
		for _, aks := range s.Azure.Container.KubernetesClusters {
			// Unmanaged clusters are skipped without recording a result.
			if aks.Metadata.IsUnmanaged() {
				continue
			}
			if !aks.AddonProfile.OMSAgent.Enabled.IsFalse() {
				found.AddPassed(&aks)
				continue
			}
			// The finding points at the OMS agent's enabled flag.
			found.Add(
				"Cluster does not have logging enabled via OMS Agent.",
				aks.AddonProfile.OMSAgent.Enabled,
			)
		}
		return found
	},
)
// CheckUseRbacPermissions registers rule AVD-AZU-0042. For every managed AKS
// cluster it reports the cluster when RoleBasedAccessControl.Enabled is false
// and records a pass otherwise.
//
// NOTE(review): the failure condition is Enabled.IsFalse(), so any value for
// which IsFalse() does not return true is treated as a pass. How an unset or
// unresolved value evaluates is not visible here - confirm it cannot mask a
// cluster running without RBAC.
var CheckUseRbacPermissions = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0042",
		Provider:   providers.AzureProvider,
		Service:    "container",
		ShortCode:  "use-rbac-permissions",
		Summary:    "Ensure RBAC is enabled on AKS clusters",
		Impact:     "No role based access control is in place for the AKS cluster",
		Resolution: "Enable RBAC",
		Explanation: `Using Kubernetes role-based access control (RBAC), you can grant users, groups, and service accounts access to only the resources they need.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/aks/concepts-identity",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseRbacPermissionsGoodExamples,
			BadExamples:         terraformUseRbacPermissionsBadExamples,
			Links:               terraformUseRbacPermissionsLinks,
			RemediationMarkdown: terraformUseRbacPermissionsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (found scan.Results) {
		for _, aks := range s.Azure.Container.KubernetesClusters {
			// Unmanaged clusters are skipped without recording a result.
			if aks.Metadata.IsUnmanaged() {
				continue
			}
			if !aks.RoleBasedAccessControl.Enabled.IsFalse() {
				found.AddPassed(&aks)
				continue
			}
			// The finding points at the RBAC enabled flag.
			found.Add(
				"Cluster has RBAC disabled",
				aks.RoleBasedAccessControl.Enabled,
			)
		}
		return found
	},
)
Functions ¶
This section is empty.
Types ¶
This section is empty.