Benchmark: Kubernetes Service
Description
This benchmark provides a set of controls that detect Terraform Azure Kubernetes Service resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Kubernetes Service.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_azure_compliance.benchmark.kubernetes
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_azure_compliance.benchmark.kubernetes --share
Controls
- Azure Defender for Kubernetes should be enabled
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Authorized IP ranges should be defined on Kubernetes Services
- Kubernetes clusters only critical system pods should run on system nodes
- Kubernetes clusters key vault secret rotation should be enabled
- Kubernetes clusters local admin should be disabled
- Kubernetes clusters should have logging enabled
- Kubernetes clusters should use a minimum number of 50 pods
- Kubernetes clusters should have network policy enabled
- Kubernetes clusters should use scale sets type nodes
- Kubernetes cluster nodes should restrict public access
- Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys
- Kubernetes clusters should use type ephemeral OS disk
- Kubernetes clusters should restrict public access
- Kubernetes clusters should use standard SKU
- Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
- Kubernetes clusters upgrade channel should be configured
- Role-Based Access Control (RBAC) should be used on Kubernetes Services
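To show what these controls look for, here is an added example, not part of the mod, that evaluates one azurerm_kubernetes_cluster resource (given in Terraform JSON shape) against a subset of the controls above. The attribute names (local_account_disabled, role_based_access_control_enabled, api_server_access_profile, network_profile, default_node_pool, sku_tier, automatic_channel_upgrade) are assumed from the azurerm provider; the two cluster definitions are constructed samples.

```python
# Added example: a small, stand-alone evaluator for some of the AKS controls in this benchmark.
# Attribute names are assumed from the azurerm provider and are not taken from the mod's own SQL.

def _nested(res, block, key, default=None):
    """Read key from a nested block, which Terraform JSON renders as a list of one dict."""
    blocks = res.get(block) or []
    if isinstance(blocks, dict):
        blocks = [blocks]
    return blocks[0].get(key, default) if blocks else default

# Each control maps to a predicate that returns True when the resource passes.
CHECKS = {
    "local admin should be disabled": lambda r: r.get("local_account_disabled") is True,
    "RBAC should be used": lambda r: r.get("role_based_access_control_enabled") is True,
    "authorized IP ranges should be defined":
        lambda r: bool(_nested(r, "api_server_access_profile", "authorized_ip_ranges")),
    "network policy should be enabled":
        lambda r: _nested(r, "network_profile", "network_policy") in ("azure", "calico"),
    "minimum of 50 pods": lambda r: (_nested(r, "default_node_pool", "max_pods") or 0) >= 50,
    "scale sets type nodes":
        lambda r: _nested(r, "default_node_pool", "type", "VirtualMachineScaleSets") == "VirtualMachineScaleSets",
    "standard SKU": lambda r: r.get("sku_tier") == "Standard",
    "upgrade channel should be configured": lambda r: bool(r.get("automatic_channel_upgrade")),
    "encrypted at host": lambda r: _nested(r, "default_node_pool", "enable_host_encryption") is True,
}

def evaluate(resource):
    """Return {control name: 'ok' | 'alarm'} for one azurerm_kubernetes_cluster resource."""
    return {name: ("ok" if check(resource) else "alarm") for name, check in CHECKS.items()}

# Constructed sample: a minimal cluster that leaves hardening at defaults and keeps local accounts.
WEAK_CLUSTER = {
    "name": "example-aks",
    "role_based_access_control_enabled": False,
    "default_node_pool": [{"name": "default", "node_count": 1, "vm_size": "Standard_DS2_v2"}],
}

# Constructed sample: the same cluster with the settings each control above looks for.
HARDENED_CLUSTER = {
    "name": "example-aks",
    "sku_tier": "Standard",
    "local_account_disabled": True,
    "role_based_access_control_enabled": True,
    "automatic_channel_upgrade": "stable",
    "api_server_access_profile": [{"authorized_ip_ranges": ["203.0.113.0/24"]}],
    "network_profile": [{"network_plugin": "azure", "network_policy": "azure"}],
    "default_node_pool": [{"name": "default", "node_count": 3, "vm_size": "Standard_DS2_v2",
                           "max_pods": 50, "type": "VirtualMachineScaleSets",
                           "enable_host_encryption": True}],
}
```

Running evaluate() on WEAK_CLUSTER flags every control except the scale-set check, which passes because the provider default node pool type is already VirtualMachineScaleSets.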