
Question: Azure Kubernetes Service (AKS) Benchmark Scan #21

Closed
ejohn20 opened this issue Mar 1, 2019 · 1 comment

Comments


ejohn20 commented Mar 1, 2019

I am looking at running this InSpec profile against the Azure Kubernetes Service, however I'm not sure this is actually possible. I looked at a different (closed) issue, and it states that we need to run this scan against the master/worker nodes.

However, based on the AKS documentation, I do not believe that we have access to the master. Their documentation states this:

AKS provides a single-tenant cluster master, with a dedicated API server, Scheduler, etc. You define the number and size of the nodes, and the Azure platform configures the secure communication between the cluster master and nodes. Interaction with the cluster master occurs through Kubernetes APIs, such as kubectl or the Kubernetes dashboard.

This managed cluster master means that you do not need to configure components like a highly available etcd store, but it also means that you cannot access the cluster master directly. Upgrades to Kubernetes are orchestrated through the Azure CLI or Azure portal, which upgrades the cluster master and then the nodes.

In AKS, the Kubernetes master components are part of the managed service provided by Microsoft. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to provide the API Server, Scheduler, etc. This master is managed and maintained by Microsoft.

Based on the above, we have access to the API Server endpoint and access via kubectl.

I'm curious if you know of a way to run the benchmark in this setup against the applicable checks?

Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#cluster-master

rarenerd (Collaborator) commented Mar 4, 2019

Hi Eric,

As AKS manages the various Kubernetes components for you, it's not possible to run this benchmark against their platform. To test for CIS compliance with this profile you'll need access to either the running process or the configuration on the system. Both are restricted.

The few checks that can be run against the API are not automated in this profile at the time, as they require manual inspection anyway.

I think your best option is to check with your Microsoft rep on whether they provide any other options to verify or any guarantees on CIS compliance.

Regards,

Kristian

@rarenerd rarenerd closed this as completed Mar 4, 2019