Ensure network policy is configured for Azure Kubernetes Cluster

MEDIUM

Description

Running an Azure Kubernetes Cluster without a network policy (or with an incorrect one) leaves pod-to-pod traffic unrestricted, which may lead to compromised infrastructure.

Remediation

The network profile of an AKS cluster cannot be changed once it has been created. To create a new resource with the appropriate settings, follow the steps below.

In Azure Console -

  1. Open the Azure Portal and go to Kubernetes Services.
  2. Click the Create button and select Create a Kubernetes Cluster.
  3. Configure as needed. On the Networking tab, under Security, set the Network Policy to either Azure or Calico.

In Terraform -

  1. In the azurerm_kubernetes_cluster resource, add a network_profile block.
  2. Set the network_profile.network_policy field to either azure or calico.
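As an added example (not part of the original policy text), the non-compliant Terraform resource beside its corrected form; the resource names, DNS prefixes and the referenced azurerm_resource_group.example and azurerm_subnet.aks are hypothetical and assumed to be defined elsewhere in the configuration:

```hcl
# Non-compliant: no network_profile, so no policy engine is deployed and any
# Kubernetes NetworkPolicy objects are silently ignored (all pods reach all pods).
resource "azurerm_kubernetes_cluster" "noncompliant" {
  name                = "aks-example-open" # hypothetical name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "aksexampleopen"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}

# Compliant: network_profile.network_policy is set, so NetworkPolicy objects
# are enforced by the chosen engine.
resource "azurerm_kubernetes_cluster" "compliant" {
  name                = "aks-example-locked" # hypothetical name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "aksexamplelocked"

  default_node_pool {
    name           = "default"
    node_count     = 1
    vm_size        = "Standard_D2_v2"
    vnet_subnet_id = azurerm_subnet.aks.id # Azure CNI requires a subnet in your VNet
  }

  identity {
    type = "SystemAssigned"
  }

  network_profile {
    network_plugin = "azure"  # Azure CNI; the "azure" policy engine requires this plugin
    network_policy = "azure"  # or "calico", which also works with network_plugin = "kubenet"
  }
}
```

After `terraform apply`, `az aks show -g <resource-group> -n <cluster-name> --query networkProfile.networkPolicy -o tsv` should print azure or calico rather than an empty value.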

References:
https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster

Policy Details

Rule Reference ID: AC_AZURE_0158
CSP: Azure
Remediation Available: No
Resource Category: Compute

Frameworks