AKS

AKS – Ensure public load balancer creation is audited or denied on Azure Kubernetes

Many use cases of Azure Kubernetes Service are based on running an private AKS cluster that exposes services only via Web Application Firewall (such as Azure Application Gateway), or exposes services only internally.

Auditing / and or denying creation of public load balancers ensures that the governance principle for the particular AKS instance followed.

ControlId Ensure public load balancer creation is audited or denied

Exhibits

Example of Public Load Balancer resource
Prevent creation of load balancer with Public IP with Azure Policy
Audit successful creations of public load balancers with public IP

Check the control from log analytics

//adjust the time if needed 
AzureDiagnostics
| where TimeGenerated > now()-240m
| where Category == "kube-audit"
| extend l= parse_json(log_s)
| where l.responseObject contains "loadBalancer"
| extend ingress = parse_json(l.responseObject.status).loadBalancer.ingress
| where isnotempty(ingress)
 | mv-apply ingress.ip on   (
   summarize countif(ipv4_is_private(tostring(ingress_ip)))
    | where countif_ == 0| extend isPublicIP = "True"
) 
| project-away countif_, log_s
| distinct tostring(ingress), isPublicIP, tostring(l.responseObject.spec)


References

Source: https://aka.ms/kubepolicydoc.

PolicyDescription
Kubernetes clusters should use internal load balancersUse internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Blog related to Azure Policy

https://blog.nillsf.com/index.php/2021/05/12/block-public-load-balancers-on-azure-kubernetes-service-using-azure-policy/

KQL example

https://stackoverflow.com/questions/68564324/filter-ips-if-they-are-in-list-of-range

0 comments on “AKS – Ensure public load balancer creation is audited or denied on Azure Kubernetes

Vastaa

Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:

WordPress.com-logo

Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )

Google photo

Olet kommentoimassa Google -tilin nimissä. Log Out /  Muuta )

Twitter-kuva

Olet kommentoimassa Twitter -tilin nimissä. Log Out /  Muuta )

Facebook-kuva

Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: