Tag Archives: Security

Azure Policy for Azure Kubernetes Service

In June I already covered Azure Policy for Kubernetes in a blog post. -> https://www.danielstechblog.io/using-azure-policy-for-kubernetes/ Back then, Azure Policy for AKS was in public preview. At this year’s Microsoft Ignite, Azure Policy for AKS went GA. -> https://azure.microsoft.com/en-us/updates/ga-policy-addon-for-azure-kubernetes-service/ There have been some significant changes [...]

Trigger an on-demand Azure Policy compliance evaluation scan

Azure Policy evaluates resource compliance automatically every 24 hours for already assigned policies or initiatives. New policy or initiative assignments start the evaluation after the assignment has been applied to the defined scope, which might take up to 30 minutes. What might be a hidden gem to some of you is that you can trigger an on-demand compliance evaluation scan whenever [...]

Using distroless images in Istio on Azure Kubernetes Service

Looking at Docker Hub, Istio has provided the option of using distroless images since version 1.3.0. As it is always a good idea to reduce the attack surface of a Kubernetes cluster, especially when running a managed Kubernetes cluster like Azure Kubernetes Service, using distroless images is one way to do so. By default, Istio does not use the distroless image versions. So, you need to opt in for [...]

Upgrading the node image of an Azure Kubernetes Service cluster

Last year I wrote a shell script to update the VMSS base image of an Azure Kubernetes Service cluster. -> https://www.danielstechblog.io/updating-the-base-image-of-a-vmss-based-aks-cluster/ -> https://www.danielstechblog.io/aks-vmss-base-image-update-script-multiple-node-pool-support/ As I am using the VMSS API and not the AKS API, it was not an officially supported way to update [...]

Using Azure Policy for Kubernetes

In my last blog post I mentioned that the next topic would be Azure Policy in combination with Azure Arc enabled Kubernetes. I decided to write about Azure Policy for Kubernetes instead, covering both Azure Kubernetes Service and Azure Arc enabled Kubernetes. As Azure Policy for Kubernetes is based on the Open Policy Agent Gatekeeper implementation, I will also highlight the difference between the [...]

Using Azure Resource Graph to show ASC container image scan findings

In my previous blog post I showed you how to connect your Azure Container Registries with Azure Security Center. -> https://www.danielstechblog.io/connecting-azure-container-registry-with-azure-security-center/ Today we talk about how to retrieve the scan results via Azure Resource Graph instead of using the Security Center UI. You can submit your queries against the Resource Graph [...]

Connecting Azure Container Registry with Azure Security Center

Back in March, Microsoft released the container image scanning solution in Azure Security Center for the Azure Container Registry. -> https://azure.microsoft.com/en-us/updates/vulnerability-scanning-for-images-in-azure-container-registry-is-now-generally-available/ The container image scanning solution is powered by Qualys and seamlessly integrated into the Security Center UI. Connecting [...]

Secure Kubernetes API server access in Azure Kubernetes Service

Running Kubernetes at a cloud provider, especially managed Kubernetes like AKS or GKE, provides you with a solid foundation and applied security best practices for the managed master control plane. But there is one downside: the publicly accessible API endpoint to control the Kubernetes cluster. Even though the API endpoint is only exposed via HTTPS and access is secured via the Azure Active Directory integration [...]

Disable the Kubernetes dashboard on Azure Kubernetes Service

A recently introduced change enables the capability to disable the Kubernetes dashboard on an AKS cluster. This is achieved by providing the Kubernetes dashboard as an AKS add-on, like the Azure Monitor for containers integration, AKS virtual nodes, or HTTP application routing. I stumbled upon that capability in the Terraform Azure provider documentation for Azure Kubernetes Service. -> [...]

AKS VMSS base image update script – multiple node pool support

At the beginning of September, I published a blog post about how to update the base image of a VMSS-based AKS cluster. -> https://www.danielstechblog.io/updating-the-base-image-of-a-vmss-based-aks-cluster/ On LinkedIn I had a good discussion with one of the AKS PMs about that, and I want to highlight two things first. The shell script I wrote directly interacts with the VMSS [...]