Benchmark: Kubernetes Service
Description
This section contains recommendations for configuring Kubernetes Service resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Kubernetes Service.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.all_controls_kubernetes
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.all_controls_kubernetes --share
Controls
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
 - Kubernetes cluster addon Azure policy should be enabled
 - Authorized IP ranges should be defined on Kubernetes Services
 - Kubernetes clusters HTTP application routing should be disabled
 - Kubernetes clusters key vault secret rotation should be enabled
 - Kubernetes clusters should have logging enabled
 - Kubernetes clusters should use a minimum number of 50 pods
 - Kubernetes clusters should have Azure network plugin
 - Kubernetes clusters should have network policy enabled
 - Kubernetes cluster nodes should prohibit public access
 - Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys
 - Kubernetes cluster should restrict public access
 - Kubernetes clusters should use standard SKU
 - Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
 - Kubernetes clusters upgrade channel should be configured
 - Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
 - Role-Based Access Control (RBAC) should be used on Kubernetes Services