Protect your Kubernetes workloads
This page describes how to use Azure Security Center's set of security recommendations dedicated to Kubernetes workload protection.
Learn more about these features in Workload protection best-practices using Kubernetes admission control
Security Center offers more container security features if you enable Azure Defender. Specifically:
- Scan your container registries for vulnerabilities with Azure Defender for container registries
- Get real-time threat detection alerts for your K8s clusters with Azure Defender for Kubernetes
Tip
For a list of all security recommendations that might appear for Kubernetes clusters and nodes, see the compute section of the recommendations reference table.
Availability
Aspect | Details |
---|---|
Release state: | General Availability (GA) |
Pricing: | Free |
Required roles and permissions: | Owner or Security admin to edit an assignment<br>Reader to view the recommendations |
Environment requirements: | Kubernetes v1.14 (or higher) is required<br>No PodSecurityPolicy resource (old PSP model) on the clusters<br>Windows nodes are not supported |
Set up your workload protection
Azure Security Center includes a bundle of recommendations that are available when you've installed the Azure Policy add-on for Kubernetes.
Step 1: Deploy the add-on
To configure the recommendations, install the Azure Policy add-on for Kubernetes.
You can auto-deploy this add-on as explained in Enable auto provisioning of the Log Analytics agent and extensions. When auto provisioning for the add-on is set to "on", the extension is enabled by default in all existing and future clusters that meet the add-on installation requirements.
To manually deploy the add-on:
From the recommendations page, search for the recommendation "Azure Policy add-on for Kubernetes should be installed and enabled on your clusters".
Tip
The recommendation appears in five different security controls; it doesn't matter which one you select in the next step.
From any of the security controls, select the recommendation to see the resources on which you can install the add-on.
Select the relevant cluster, and Remediate.
Step 2: View and configure the bundle of 13 recommendations
Approximately 30 minutes after the add-on installation completes, Security Center shows the clusters’ health status for the following recommendations, each in the relevant security control as shown:
Tip
Some recommendations have parameters that must be customized via Azure Policy to use them effectively. For example, to benefit from the recommendation Container images should be deployed only from trusted registries, you'll have to define your trusted registries.
If you don't enter the necessary parameters for the recommendations that require configuration, your workloads will be shown as unhealthy.
Recommendation name | Security control | Configuration required |
---|---|---|
Container CPU and memory limits should be enforced | Protect applications against DDoS attack | No |
Privileged containers should be avoided | Manage access and permissions | No |
Immutable (read-only) root filesystem should be enforced for containers | Manage access and permissions | No |
Container with privilege escalation should be avoided | Manage access and permissions | No |
Running containers as root user should be avoided | Manage access and permissions | No |
Containers sharing sensitive host namespaces should be avoided | Manage access and permissions | No |
Least privileged Linux capabilities should be enforced for containers | Manage access and permissions | Yes |
Usage of pod HostPath volume mounts should be restricted to a known list | Manage access and permissions | Yes |
Containers should listen on allowed ports only | Restrict unauthorized network access | Yes |
Services should listen on allowed ports only | Restrict unauthorized network access | Yes |
Usage of host networking and ports should be restricted | Restrict unauthorized network access | Yes |
Overriding or disabling of containers AppArmor profile should be restricted | Remediate security configurations | Yes |
Container images should be deployed only from trusted registries | Remediate vulnerabilities | Yes |

For the recommendations whose parameters must be customized, set the parameters:
- From Security Center's menu, select Security policy.
- Select the relevant subscription.
- From the Security Center default policy section, select View effective policy.
- Select "ASC Default".
- Open the Parameters tab and modify the values as required.
- Select Review + save.
- Select Save.
To enforce any of the recommendations:
Open the recommendation details page and select Deny. This opens the pane where you set the scope.
When you've set the scope, select Change to deny.
To see which recommendations apply to your clusters:
Open Security Center's asset inventory page and set the resource type filter to Kubernetes services.
Select a cluster to investigate and review the recommendations available for it.
When viewing a recommendation from the workload protection set, you'll see the number of affected pods ("Kubernetes components") listed alongside the cluster. For a list of the specific pods, select the cluster and then select Take action.
To test the enforcement, use the two Kubernetes deployments below:
- One is for a healthy deployment, compliant with the bundle of workload protection recommendations.
- The other is for an unhealthy deployment, non-compliant with any of the recommendations.
Deploy the example .yaml files as-is, or use them as a reference to remediate your own workload (step VIII).
Healthy deployment example .yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-healthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        apparmor.security.beta.kubernetes.io/pod: runtime/default
        container.apparmor.security.beta.kubernetes.io/redis: runtime/default
    spec:
      containers:
      - name: redis
        image: healthyClusterRegistry.azurecr.io/redis:latest
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 100m
            memory: 250Mi
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
---
apiVersion: v1
kind: Service
metadata:
  name: redis-healthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 80
    targetPort: 80
```
Unhealthy deployment example .yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-unhealthy-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - name: nginx
        image: nginx:1.15.2
        ports:
        - containerPort: 9001
          hostPort: 9001
        securityContext:
          privileged: true
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: true
          runAsUser: 0
          capabilities:
            add:
            - NET_ADMIN
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
          readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /tmp
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-unhealthy-service
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
  - port: 6001
    targetPort: 9001
```
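To show what the 13 recommendations in the table above check for when they meet the two example manifests, here is an added Python script that re-implements each recommendation as a local pre-flight check over a Deployment and a Service. This is example code written for this page, not Microsoft's Azure Policy or Gatekeeper implementation. The parameter values (trusted registry prefix, allowed container and service ports, allowed host paths, capabilities and AppArmor profiles) are constructed assumptions standing in for the values you would set on the ASC Default assignment, and the rule that a container with no AppArmor annotation counts as running under `runtime/default` is also an assumption.

```python
"""Local pre-flight check of Kubernetes manifests against the 13 workload-protection
recommendations listed on this page. Added example, not Microsoft's Azure Policy /
Gatekeeper implementation; all parameter values below are constructed."""

# Constructed values for the recommendations marked "Configuration required".
# In the product these are set on the "ASC Default" policy assignment (Parameters tab).
POLICY_PARAMS = {
    "trusted_registries": ["healthyClusterRegistry.azurecr.io/"],
    "allowed_container_ports": {80},
    "allowed_service_ports": {80},
    "allowed_host_paths": [],          # empty list: no hostPath mount is allowed
    "allowed_capabilities": set(),     # empty set: no added Linux capability is allowed
    "allowed_apparmor_profiles": {"runtime/default"},
}


def check_deployment(deployment, params=POLICY_PARAMS):
    """Return the sorted names of the recommendations a Deployment would violate."""
    pod = deployment["spec"]["template"]
    pod_spec = pod["spec"]
    annotations = pod.get("metadata", {}).get("annotations", {})
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    hits = set()

    if pod_spec.get("hostPID") or pod_spec.get("hostIPC"):
        hits.add("Containers sharing sensitive host namespaces should be avoided")
    if pod_spec.get("hostNetwork"):
        hits.add("Usage of host networking and ports should be restricted")
    for vol in pod_spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and not any(path.startswith(p) for p in params["allowed_host_paths"]):
            hits.add("Usage of pod HostPath volume mounts should be restricted to a known list")

    for c in containers:
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            hits.add("Container CPU and memory limits should be enforced")
        if sc.get("privileged"):
            hits.add("Privileged containers should be avoided")
        if sc.get("readOnlyRootFilesystem") is not True:
            hits.add("Immutable (read-only) root filesystem should be enforced for containers")
        if sc.get("allowPrivilegeEscalation") is not False:   # Kubernetes default is true
            hits.add("Container with privilege escalation should be avoided")
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is not True:
            hits.add("Running containers as root user should be avoided")
        if set(sc.get("capabilities", {}).get("add", [])) - params["allowed_capabilities"]:
            hits.add("Least privileged Linux capabilities should be enforced for containers")
        for port in c.get("ports", []):
            if port.get("containerPort") not in params["allowed_container_ports"]:
                hits.add("Containers should listen on allowed ports only")
            if "hostPort" in port:
                hits.add("Usage of host networking and ports should be restricted")
        # Assumption: a container with no AppArmor annotation runs under "runtime/default".
        profile = annotations.get(
            "container.apparmor.security.beta.kubernetes.io/" + c["name"], "runtime/default")
        if profile not in params["allowed_apparmor_profiles"]:
            hits.add("Overriding or disabling of containers AppArmor profile should be restricted")
        if not any(c["image"].startswith(r) for r in params["trusted_registries"]):
            hits.add("Container images should be deployed only from trusted registries")
    return sorted(hits)


def check_service(service, params=POLICY_PARAMS):
    """Return the recommendation a Service would violate (as a list, empty if compliant)."""
    ports = service["spec"].get("ports", [])
    if any(p.get("port") not in params["allowed_service_ports"] for p in ports):
        return ["Services should listen on allowed ports only"]
    return []


# The page's two example manifests, transcribed to dicts (only the fields the checks read).
HEALTHY = {"spec": {"template": {
    "metadata": {"annotations": {
        "container.apparmor.security.beta.kubernetes.io/redis": "runtime/default"}},
    "spec": {"containers": [{
        "name": "redis", "image": "healthyClusterRegistry.azurecr.io/redis:latest",
        "ports": [{"containerPort": 80}],
        "resources": {"limits": {"cpu": "100m", "memory": "250Mi"}},
        "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False,
                            "runAsNonRoot": True, "runAsUser": 1000}}]}}}}
HEALTHY_SVC = {"spec": {"ports": [{"port": 80, "targetPort": 80}]}}
UNHEALTHY = {"spec": {"template": {"spec": {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "containers": [{
        "name": "nginx", "image": "nginx:1.15.2",
        "ports": [{"containerPort": 9001, "hostPort": 9001}],
        "securityContext": {"privileged": True, "readOnlyRootFilesystem": False,
                            "allowPrivilegeEscalation": True, "runAsUser": 0,
                            "capabilities": {"add": ["NET_ADMIN"]}}}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/tmp"}}]}}}}
UNHEALTHY_SVC = {"spec": {"ports": [{"port": 6001, "targetPort": 9001}]}}

if __name__ == "__main__":
    for label, dep, svc in (("healthy", HEALTHY, HEALTHY_SVC),
                            ("unhealthy", UNHEALTHY, UNHEALTHY_SVC)):
        found = check_deployment(dep) + check_service(svc)
        print(f"{label}: {len(found)} violation(s)")
        for name in found:
            print("  -", name)
```

With the constructed parameters, the healthy pair reports no violations and the unhealthy pair reports 12 (11 on the Deployment, 1 on the Service); the only check the unhealthy manifest passes is the AppArmor one, because it sets no annotation and the script treats that as the default profile. Running a check like this in CI before a manifest is applied catches the same conditions that a Deny assignment would block at admission time, so the failure surfaces in the pipeline rather than during the rollout.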
Next steps
In this article, you learned how to configure Kubernetes workload protection.
For other related material, see the following pages: