Azure Kubernetes Service has no network policy configured

ID

azure_aks_network_policy

Severity

high

Vendor

Azure

Resource

Network

Tags

asvs50-v13.1.1, reachable

Description

The Azure Kubernetes Service cluster has no network policy configured. Without a network policy, every pod in the cluster can reach every other pod by default; a network policy is required to enforce the principle of least privilege for pod-to-pod traffic.

To fix it, you must populate the network_profile.network_policy property.

Learn more about this topic at Azure Kubernetes Service network policy

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create AKS
      azure_rm_aks:
        name: "minimal{{ rpfx }}"
        location: eastus
        resource_group: "{{ resource_group }}"
        kubernetes_version: "{{ versions.azure_aks_versions[0] }}"
        dns_prefix: "aks{{ rpfx }}"
        service_principal:
          client_id: "{{ client_id }}"
          client_secret: "{{ client_secret }}"
        network_profile:
          network_plugin: azure
          load_balancer_sku: standard
          outbound_type: userDefinedRouting
          service_cidr: "10.41.0.0/16"
          dns_service_ip: "10.41.0.10"
          docker_bridge_cidr: "172.17.0.1/16"
        api_server_access_profile:
          authorized_ip_ranges:
            - "20.106.246.252/32"
          enable_private_cluster: no
        agent_pool_profiles:
          - name: default
            count: 1
            vm_size: Standard_B2s
            mode: System
            vnet_subnet_id: "{{ output.subnets[0].id }}"
            type: VirtualMachineScaleSets
            enable_auto_scaling: false

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create AKS
      azure_rm_aks:
        name: "minimal{{ rpfx }}"
        location: eastus
        resource_group: "{{ resource_group }}"
        kubernetes_version: "{{ versions.azure_aks_versions[0] }}"
        dns_prefix: "aks{{ rpfx }}"
        service_principal:
          client_id: "{{ client_id }}"
          client_secret: "{{ client_secret }}"
        network_profile:
          network_plugin: azure
          network_policy: azure
          load_balancer_sku: standard
          outbound_type: userDefinedRouting
          service_cidr: "10.41.0.0/16"
          dns_service_ip: "10.41.0.10"
          docker_bridge_cidr: "172.17.0.1/16"
        api_server_access_profile:
          authorized_ip_ranges:
            - "20.106.246.252/32"
          enable_private_cluster: no
        agent_pool_profiles:
          - name: default
            count: 1
            vm_size: Standard_B2s
            mode: System
            vnet_subnet_id: "{{ output.subnets[0].id }}"
            type: VirtualMachineScaleSets
            enable_auto_scaling: false
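As an added example, not part of this rule page or of any Ansible collection, the following Ruby script implements the check the rule describes: it parses a playbook with Ruby's standard-library YAML module, walks every task (including tasks nested in block/rescue/always), and reports each azure_rm_aks task whose network_profile has no network_policy value. The two embedded playbooks are constructed, shortened copies of the vulnerable and fixed examples above; the function names check_playbook and each_task and the RULE_ID constant are assumptions.

```ruby
require "yaml"

# Rule identifier taken from the rule page; the constant name is an assumption.
RULE_ID = "azure_aks_network_policy"

# Constructed input: shortened copy of the vulnerable example (no network_policy).
VULNERABLE_PLAYBOOK = <<~YAML
  ---
  - name: Example playbook
    hosts: localhost
    tasks:
      - name: Create AKS
        azure_rm_aks:
          name: "minimal{{ rpfx }}"
          location: eastus
          resource_group: "{{ resource_group }}"
          dns_prefix: "aks{{ rpfx }}"
          network_profile:
            network_plugin: azure
            load_balancer_sku: standard
YAML

# Constructed input: shortened copy of the fixed example (network_policy set).
FIXED_PLAYBOOK = <<~YAML
  ---
  - name: Example playbook
    hosts: localhost
    tasks:
      - name: Create AKS
        azure_rm_aks:
          name: "minimal{{ rpfx }}"
          location: eastus
          resource_group: "{{ resource_group }}"
          dns_prefix: "aks{{ rpfx }}"
          network_profile:
            network_plugin: azure
            network_policy: azure
            load_balancer_sku: standard
YAML

# Yield each leaf task; tasks may be nested inside block/rescue/always sections.
def each_task(tasks, &blk)
  tasks.each do |task|
    next unless task.is_a?(Hash)
    nested = %w[block rescue always].flat_map { |k| task[k].is_a?(Array) ? task[k] : [] }
    if nested.empty?
      yield task
    else
      each_task(nested, &blk)
    end
  end
end

# Parse a playbook and return one finding per azure_rm_aks task whose
# network_profile.network_policy is missing or empty.
def check_playbook(yaml_text, path: "playbook.yml")
  plays = YAML.safe_load(yaml_text) || []
  findings = []
  plays.each do |play|
    next unless play.is_a?(Hash)
    each_task(play["tasks"] || []) do |task|
      # Accept the short and fully qualified module names.
      module_args = task["azure_rm_aks"] || task["azure.azcollection.azure_rm_aks"]
      next unless module_args.is_a?(Hash)
      profile = module_args["network_profile"]
      policy = profile.is_a?(Hash) ? profile["network_policy"] : nil
      next unless policy.nil? || policy.to_s.strip.empty?
      findings << {
        rule: RULE_ID,
        file: path,
        task: task["name"] || "(unnamed task)",
        resource: module_args["name"],
        message: "network_profile.network_policy is not set",
      }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  [["vulnerable", VULNERABLE_PLAYBOOK], ["fixed", FIXED_PLAYBOOK]].each do |label, text|
    findings = check_playbook(text, path: "#{label}.yml")
    puts "#{label}: #{findings.size} finding(s)"
    findings.each do |f|
      puts "  [#{f[:rule]}] #{f[:file]} task '#{f[:task]}' (#{f[:resource]}): #{f[:message]}"
    end
  end
end
```

Run it with `ruby check_aks_policy.rb`: the vulnerable playbook yields one finding on the "Create AKS" task and the fixed playbook yields none. The check treats an empty string the same as a missing key, since either leaves the cluster without pod-to-pod traffic enforcement.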