Author: zigmax

AKS | Azure Linux

Hi!

A few months ago, I wrote an article about CBL Mariner (internal code name). During Microsoft Build 2023, Microsoft announced the General Availability of Azure Linux.

The Azure Linux Container Host is designed to be lightweight, including only the necessary packages to efficiently run container workloads. It has undergone rigorous validation tests and internal usage to ensure its robustness and security. Moreover, it seamlessly integrates with Azure agents, ensuring compatibility and smooth operation.

This solution offers a reliable and consistent experience across various environments, from the cloud to the edge, encompassing AKS, AKS for Azure Stack HCI, and Azure Arc. With its versatility, you have the flexibility to deploy Azure Linux node pools in both new and existing clusters, as well as migrate your current nodes to Azure Linux nodes.

The Azure Linux Container Host offers the following key benefits:

  • Secure supply chain: Microsoft builds, signs, and validates the Azure Linux Container Host packages from source, and hosts its packages and sources in Microsoft-owned and secured platforms.
  • Small and lightweight: The Azure Linux Container Host only includes the necessary set of packages needed to run container workloads – as a result, it consumes limited disk and memory resources.
  • Secure by default: The Azure Linux Container Host has an emphasis on security and follows the secure-by-default principles, including using a hardened Linux kernel with Azure cloud optimizations and flags tuned for Azure. It also provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages.
  • Extensively validated: The AKS and Azure Linux teams run a suite of functional and performance regression tests with the Azure Linux Container Host before releasing to customers, which enables earlier issue detection and mitigation.

Create an AKS cluster with Azure Linux:

az aks create --name testAzureLinuxCluster --resource-group testAzureLinuxResourceGroup --os-sku AzureLinux

Resource: https://learn.microsoft.com/en-us/azure/azure-linux/

Maxime.

AKV | Access Configuration Update

Hi!

Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on the management plane, and the access policy model, which operates on both the management plane and the data plane.

  • Azure RBAC is built on Azure Resource Manager and provides fine-grained access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource). 
  • The access policy model, on the other hand, is an existing authorization system built in Key Vault to provide access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (user, group, service principal, managed identity) at Key Vault scope.

Azure RBAC offers several advantages over access policies:

  • A unified access control model for Azure resources – it uses the same API across Azure services
  • Centralized access management for administrators – manage all Azure resources in one view
  • Integration with Privileged Identity Management for time-based access control
  • Deny assignments – ability to exclude security principals at a particular scope
  • More stringent permissions – managing access for users and service principals requires the Owner or User Access Administrator role

Azure RBAC is now the recommended authorization system for the Azure Key Vault data plane.
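As an added example (not code from the post), here are the two models side by side in Bicep: the legacy vault keeps its permissions in an access policy, while the recommended vault delegates the data plane to Azure RBAC and grants the same read access through a role assignment whose three elements (principal, role definition, scope) match the list above. The vault names, the principal id and the role definition GUID parameter are assumptions.

```bicep
param vaultName string
param location string = resourceGroup().location
// Object id of the workload's identity (assumption: a managed identity / service principal).
param workloadPrincipalId string
// Built-in data-plane role GUID, e.g. "Key Vault Secrets User" (az role definition list --name ...)
param secretsRoleDefinitionId string

// BEFORE (access policy model): permissions are stored inside the vault itself,
// outside Azure RBAC tooling, so PIM and deny assignments cannot govern them.
resource kvLegacy 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: '${vaultName}-legacy'
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: false
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: workloadPrincipalId
        permissions: { secrets: [ 'get', 'list' ] }
      }
    ]
  }
}

// AFTER (recommended): data-plane authorization delegated to Azure RBAC.
// Once enableRbacAuthorization is true, any accessPolicies entries are ignored.
resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
  }
}

// The role assignment is the three-element tuple from the post:
// security principal + role definition + scope (here a single vault).
resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, workloadPrincipalId, secretsRoleDefinitionId)
  scope: kv
  properties: {
    principalId: workloadPrincipalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsRoleDefinitionId)
    principalType: 'ServicePrincipal'
  }
}
```

Because the assignment is scoped to the vault resource, the same principal gets no rights on any other vault, and the grant shows up in the subscription's role assignment inventory like every other Azure RBAC grant.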

Maxime.

AKS | CNCF Quebec Meetup

Hi,

I am thrilled to share that I had the opportunity to speak at the CNCF Québec meetup this week. My presentation focused on the various security vectors that a malicious actor may exploit to target an Azure Kubernetes Cluster deployment.

Throughout my talk, I highlighted several critical topics that I believe are crucial for understanding and preventing security breaches, including:

  • The exploitation of Azure Resource Graph for discovery purposes
  • The risks associated with malicious admission controllers
  • Network attacks and their implications
  • The importance of understanding the differences between AKS Service Principal and MSI
  • Insider attacks and their impact on security.

Maxime.