Azure Kubernetes Service (AKS) uses the Kubernetes policy templates listed in Policy Templates for Container Security. The pertinent templates use the prefix AKS.
MVISION Cloud supports the CIS Kubernetes Benchmark v1.4.1-07-17-2019 specification for auditing CSP managed clusters.
For AKS clusters, make sure the API server endpoint is enabled for public access (this is the default setting).
If public access is restricted to a limited set of IP addresses (API server authorized IP ranges) for security reasons, you must add the MVISION Cloud source IP address to that list to allow access. Private clusters, whose API server has only a private endpoint, cannot be audited by MVISION Cloud. For details, see Whitelist IP Addresses for IaaS.
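The reachability rules above, worked through as an added Python example (this is not MVISION Cloud or Azure code). It reads the `apiServerAccessProfile` block as returned by `az aks show` (the camelCase field names `enablePrivateCluster` and `authorizedIpRanges` are an assumption about that output shape), decides whether a scanner at a given source IP can reach the API server, and builds the replacement authorized-range list when it cannot. The scanner address and the three cluster fragments are constructed placeholders, not the real MVISION Cloud source IP.

```python
"""Classify whether an AKS API server is reachable for external auditing.

Added example, not vendor code. Input mirrors the `apiServerAccessProfile`
fragment of `az aks show` output (assumed shape).
"""
import ipaddress

# Placeholder scanner egress address (RFC 5737 documentation range). The real
# MVISION Cloud source IP comes from "Whitelist IP Addresses for IaaS".
SCANNER_SOURCE_IP = "203.0.113.10"

# Constructed sample fragments for the three configurations the text describes.
SAMPLE_CLUSTERS = {
    # Default: public endpoint, no filter, profile absent in the JSON.
    "public-default": {"name": "aks-public", "apiServerAccessProfile": None},
    # Public endpoint restricted to authorized IP ranges.
    "public-restricted": {
        "name": "aks-restricted",
        "apiServerAccessProfile": {
            "enablePrivateCluster": False,
            "authorizedIpRanges": ["10.0.0.0/8", "198.51.100.0/24"],
        },
    },
    # Private cluster: API server has no public endpoint at all.
    "private": {
        "name": "aks-private",
        "apiServerAccessProfile": {
            "enablePrivateCluster": True,
            "authorizedIpRanges": None,
        },
    },
}


def classify_api_access(cluster: dict, source_ip: str) -> dict:
    """Return {"auditable": bool, "reason": str, "add_range": str | None}.

    add_range is the /32 that must be appended to authorizedIpRanges when an
    existing filter blocks the scanner; None when nothing needs to be added.
    """
    profile = cluster.get("apiServerAccessProfile") or {}
    if profile.get("enablePrivateCluster"):
        return {"auditable": False,
                "reason": "private cluster: API server has no public endpoint",
                "add_range": None}

    ranges = profile.get("authorizedIpRanges") or []
    if not ranges:
        return {"auditable": True,
                "reason": "public endpoint without an authorized IP range filter",
                "add_range": None}

    src = ipaddress.ip_address(source_ip)
    for cidr in ranges:
        # strict=False tolerates host bits set in a range, e.g. "10.1.2.3/8".
        if src in ipaddress.ip_network(cidr, strict=False):
            return {"auditable": True,
                    "reason": f"{source_ip} is covered by authorized range {cidr}",
                    "add_range": None}

    return {"auditable": False,
            "reason": f"authorized ranges {ranges} do not include {source_ip}",
            "add_range": f"{source_ip}/32"}


def updated_authorized_ranges(cluster: dict, source_ip: str):
    """Full range list to apply so the scanner is allowed, or None if no change helps.

    The existing entries are kept because an authorized-range update replaces
    the whole list rather than appending to it (assumption about AKS behaviour).
    """
    verdict = classify_api_access(cluster, source_ip)
    if verdict["add_range"] is None:
        return None  # already reachable, or private and therefore not fixable this way
    existing = cluster["apiServerAccessProfile"]["authorizedIpRanges"]
    return list(existing) + [verdict["add_range"]]


if __name__ == "__main__":
    for label, cluster in SAMPLE_CLUSTERS.items():
        verdict = classify_api_access(cluster, SCANNER_SOURCE_IP)
        print(f"{label:18} auditable={verdict['auditable']!s:5} {verdict['reason']}")
        fix = updated_authorized_ranges(cluster, SCANNER_SOURCE_IP)
        if fix:
            print(f"{'':18} apply authorized ranges: {fix}")
```

The private case is deliberately reported as not fixable by a range change, matching the text: no entry in the authorized list will make a private endpoint reachable from outside the virtual network.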
To obtain the Kubelet configuration of cluster nodes in a subscription, the MVISION Cloud Kubernetes worker node and PSP policies require the following roles:
- Azure Kubernetes Service Cluster Admin Role
- Reader and Data Access
Because the AKS control plane is managed by Azure, Azure does not expose any method to obtain some of the control plane configuration values or component arguments dynamically. These values are needed to evaluate some of the AKS Master node policies, such as those for the API Server, Controller Manager, and Scheduler.
For this reason, these policies are evaluated for all AKS clusters (regardless of version) against the default values published by Azure in Cluster Definitions.
If you have configured AKS with values other than the defaults, the results of these policy evaluations might not be correct. This limitation does not apply to the PSP and Kubelet server (worker node) policies, which are evaluated against the configuration retrieved from the nodes.