Set default values to a secure value - Azure Kubernetes Services #785

Closed
3 of 18 tasks
elbatane opened this issue Dec 9, 2021 · 1 comment · Fixed by #1593
Labels: [cat] modules (category: modules), enhancement (New feature or request), [prio] high (importance of the issue: high priority)

Comments

elbatane (Contributor) commented Dec 9, 2021

All default values should comply with a security baseline, e.g. NIST 800.

The built-in policies of Azure can be used as a reference.

The task would be to scan over each of the following policies and make sure that the module complies with them by default.

The following policies are the NIST 800 ones:

  • \built-in-policies\policyDefinitions\Kubernetes\AKS_AzurePolicyAddOn_Audit.json
  • \built-in-policies\policyDefinitions\Kubernetes\AKS_CMK_Deny.json
  • \built-in-policies\policyDefinitions\Kubernetes\AKS_EncryptionAtHost_Deny.json
  • \built-in-policies\policyDefinitions\Kubernetes\AllowedHostPaths.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\AllowedUsersGroups.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json
    • On-Premise?
  • \built-in-policies\policyDefinitions\Kubernetes\BlockHostNamespace.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ContainerAllowedCapabilities.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ContainerAllowedImages.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ContainerAllowedPorts.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ContainerNoPrivilege.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ContainerNoPrivilegeEscalation.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ContainerResourceLimits.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\EnforceAppArmorProfile.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\HostNetworkPorts.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\IngressHttpsOnly.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ReadOnlyRootFileSystem.json
    • Cluster internal?
  • \built-in-policies\policyDefinitions\Kubernetes\ServiceAllowedPorts.json
    • Cluster internal?
@elbatane elbatane added enhancement New feature or request [prio] high importance of the issue: high priority [cat] modules category: modules labels Dec 9, 2021
@rahalan rahalan added this to the v 0.4 milestone Dec 9, 2021
@rahalan rahalan modified the milestones: v 0.4, v 0.5 Feb 21, 2022
@rahalan rahalan removed this from the v 0.5 milestone Mar 30, 2022
@AlexanderSehr AlexanderSehr linked a pull request Jun 25, 2022 that will close this issue

AlexanderSehr (Contributor) commented

I guess most policies can be ignored as they require deployments onto the cluster?

@rahalan rahalan moved this to Done in Backlog Dec 11, 2022
@rahalan rahalan added this to Backlog Dec 11, 2022