Ensure that the Azure Policy add-on is enabled for Azure Kubernetes Cluster

MEDIUM

Description

The Azure Kubernetes Cluster does not have the Azure Policy add-on enabled. Without the add-on, Azure Policy cannot enforce or audit Kubernetes-level constraints (such as admission controls on pod specs) on the cluster, so workloads may drift out of compliance undetected.

Remediation

In Azure Console -
From Policies (includes creating and applying custom policies):

  1. Open the Azure Portal and go to Policy.
  2. Under Authoring, select Definitions. If you wish to create a policy, select + Policy definition. Once complete, continue below.
  3. In the Category drop down, uncheck Select All, then select Kubernetes.
  4. Choose the policy you wish to assign.
  5. Configure as needed. For more information on the specific criteria, see the Azure documentation.

From Kubernetes (includes enabling the service, then creating and applying custom policies):

  1. Open the Azure Portal and go to Kubernetes Services.
  2. Choose the cluster you wish to edit.
  3. Under Settings, choose Policies.
  4. Select Enable Add-on (this will take several minutes).
  5. Once you see the box noting that it is enabled, select Go to Azure Policy.
  6. Create and apply policies as needed.

In Terraform -
For current Azure Provider versions (2.90.x and later; the legacy addon_profile block was removed in 3.0, so on 3.x only the top-level field is accepted):

  1. In the azurerm_kubernetes_cluster resource, set the field azure_policy_enabled to true.

For Azure Provider versions prior to 2.90.x:

  1. In the azurerm_kubernetes_cluster resource, create an addon_profile block that contains an azure_policy block.
  2. Set the field azure_policy.enabled to true.
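The following is an added example, not code from the page's scanner or from the Terraform provider: a small check that evaluates `terraform show -json` plan output for azurerm_kubernetes_cluster resources and flags any cluster whose Azure Policy add-on is not enabled under either of the two provider schemas above. The plan document embedded below is constructed for the example (three clusters: current schema, legacy schema, and one with the add-on left off); the function names are this example's own.

```python
"""Flag AKS clusters in a Terraform plan that lack the Azure Policy add-on.

Added example for this page, not part of any scanner or provider code.
Reads the `terraform show -json tfplan` layout (planned_values.root_module)
and accepts both provider schemas the remediation describes:
  * azurerm >= 2.90: azure_policy_enabled = true
  * azurerm <  2.90: addon_profile { azure_policy { enabled = true } }
"""
import json
from typing import Iterator

AKS_TYPE = "azurerm_kubernetes_cluster"


def azure_policy_enabled(values: dict) -> bool:
    """True when the add-on is enabled under either schema.

    In plan JSON, nested blocks are rendered as lists of objects, so the
    legacy form is values["addon_profile"][0]["azure_policy"][0]["enabled"].
    A missing field or block means the add-on is off (the provider default).
    """
    if values.get("azure_policy_enabled") is True:
        return True
    for profile in values.get("addon_profile") or []:
        for policy in profile.get("azure_policy") or []:
            if policy.get("enabled") is True:
                return True
    return False


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk the root module and every child module in the plan."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def noncompliant_clusters(plan: dict) -> list[str]:
    """Return addresses of managed AKS resources without the add-on."""
    root = plan.get("planned_values", {}).get("root_module", {})
    flagged = []
    for res in iter_resources(root):
        if res.get("type") != AKS_TYPE or res.get("mode", "managed") != "managed":
            continue  # skip data sources and unrelated resource types
        if not azure_policy_enabled(res.get("values", {})):
            flagged.append(res["address"])
    return flagged


# Constructed sample plan (not real output): one cluster per schema,
# plus one that leaves the add-on disabled.
SAMPLE_PLAN = json.loads("""
{ "planned_values": { "root_module": { "resources": [
  { "address": "azurerm_kubernetes_cluster.current", "mode": "managed",
    "type": "azurerm_kubernetes_cluster", "name": "current",
    "values": { "name": "aks-current", "azure_policy_enabled": true } },
  { "address": "azurerm_kubernetes_cluster.legacy", "mode": "managed",
    "type": "azurerm_kubernetes_cluster", "name": "legacy",
    "values": { "name": "aks-legacy",
                "addon_profile": [ { "azure_policy": [ { "enabled": true } ] } ] } },
  { "address": "azurerm_kubernetes_cluster.missing", "mode": "managed",
    "type": "azurerm_kubernetes_cluster", "name": "missing",
    "values": { "name": "aks-missing", "azure_policy_enabled": false } }
] } } }
""")


if __name__ == "__main__":
    for addr in noncompliant_clusters(SAMPLE_PLAN):
        print(f"AC_AZURE_0290: {addr} does not enable the Azure Policy add-on")
```

For a cluster that is already deployed, the equivalent live check is `az aks show --query addonProfiles.azurepolicy.enabled -g <resource-group> -n <cluster>`, which should return true once the add-on from the portal steps above has finished provisioning.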

References:
https://learn.microsoft.com/en-us/azure/aks/use-azure-policy
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster
https://registry.terraform.io/providers/hashicorp/azurerm/2.89.0/docs/resources/kubernetes_cluster

Policy Details

Rule Reference ID: AC_AZURE_0290
CSP: Azure
Remediation Available: Yes
Resource Category: Compute

Frameworks