Auteur/autrice : zigmax

14 mars 2023

New alert in Azure Defender for Key Vault

Hi!

Azure Defender for Key Vault has the following new alert:

Alert (alert type)	Description	MITRE tactics	Severity
Denied access from a suspicious IP to a key vault (KV_SuspiciousIPAccessDenied)	An unsuccessful key vault access has been attempted by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. Though this attempt was unsuccessful, it indicates that your infrastructure might have been compromised. We recommend further investigations.	Credential Access	Low

You can see a list of all of the alerts available for Key Vault.

Maxime.

9 mars 20239 mars 2023

AKS | Pod Sandboxing

Hi!

In a traditional Kubernetes cluster, pods share the same node and therefore have the same level of access to the host system. This can lead to potential security risks, particularly if a malicious actor gains access to a vulnerable pod. Pod sandboxing in AKS addresses this issue by creating a dedicated container for each pod, which is isolated from other pods and the host system.

AKS pod sandboxing achieves this isolation by running each pod in its own container, using the gVisor sandboxing technology. gVisor is an open-source sandboxing solution that provides a lightweight, container-based isolation mechanism for running untrusted workloads. This approach enables AKS to provide a secure runtime environment for each pod, without sacrificing performance or scalability.

AKS pod sandboxing also provides a number of other security features, including encryption at rest for pod volumes, network isolation through virtual networks, and integrated identity and access management through Azure Active Directory. These features help to protect sensitive data and prevent unauthorized access to Kubernetes resources.

To use AKS pod sandboxing, users can simply enable the feature when creating a new AKS cluster. Once enabled, all pods deployed to the cluster will be automatically sandboxed, providing an added layer of security and isolation.

In summary, pod sandboxing is an important technique for securing Kubernetes workloads, particularly in multi-tenant environments. AKS pod sandboxing provides a powerful and easy-to-use solution for isolating pods from one another and from the host system, using the lightweight gVisor sandboxing technology. By enabling AKS pod sandboxing, users can improve the security and reliability of their Kubernetes deployments, while maintaining performance and scalability.

How it works:

To achieve this functionality on AKS, Kata Containers running on Mariner AKS Container Host (MACH) stack delivers hardware-enforced isolation. Pod Sandboxing extends the benefits of hardware isolation such as a separate kernel for each Kata pod. Hardware isolation allocates resources for each pod and doesn’t share them with other Kata Containers or namespace containers running on the same host.

The solution architecture is based on the following components:

Mariner AKS Container Host
Microsoft Hyper-V Hypervisor
Azure-tuned Dom0 Linux Kernel
Open-source Cloud-Hypervisor Virtual Machine Monitor (VMM)
Integration with Kata Container framework

To use this feature with a pod, the only difference is to add runtimeClassName kata-mshv-vm-isolation to the pod spec.

Limitations:

Kata containers may not reach the IOPS performance limits that traditional containers can reach on Azure Files and high performance local SSD.
Microsoft Defender for Containers doesn’t support assessing Kata runtime pods.
Container Insights doesn’t support monitoring of Kata runtime pods in the preview release.
Kata host-network isn’t supported.
AKS does not support Container Storage Interface drivers and Secrets Store CSI driver in this preview release.

Enable Pod Sandboxing to an existing AKS cluster:

az aks nodepool add --cluster-name myAKSCluster --resource-group myResourceGroup --name nodepool2 --os-sku mariner --workload-runtime KataMshvVmIsolation --node-vm-size Standard_D4s_v3

az aks update --name myAKSCluster --resource-group myResourceGroup

Documentation: https://learn.microsoft.com/en-gb/azure/aks/use-pod-sandboxing

Maxime.

16 février 2023

Azure Policy Export

Hi!

Azure Policy definitions, initiatives, and assignments can each be exported as JSON with Azure CLI.

Here an example to export an Azure Policy. In the first we will list all the Azure Policies which contains the display name « virtual machine ». In the second step we will export the Azure Policy in JSON.

maxime@Azure:~$ az policy definition list --query "[?contains(displayName, 'virtual machine')]" -o table
Name                                  PolicyType    Mode     DisplayName                                                                                                                       Description
------------------------------------  ------------  -------  ----------------
0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56  BuiltIn       All      Audit virtual machines without disaster recovery configured                                                                       Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.
04c4380f-3fae-46e8-96c9-30193528f602  BuiltIn       Indexed  [Preview]: Network traffic data collection agent should be installed on Linux virtual machines                                    Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.


maxime@Azure:~$ az policy definition show -n 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 -o jsonc
{
  "description": "Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.",
  "displayName": "Audit virtual machines without disaster recovery configured",
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
  "metadata": {
    "category": "Compute",
    "version": "1.0.0"
  },
  "mode": "All",
  "name": "0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
  "parameters": {},
  "policyRule": {
    "if": {
      "field": "type",
      "in": [
        "Microsoft.Compute/virtualMachines",
        "Microsoft.ClassicCompute/virtualMachines"
      ]
    },
    "then": {
      "details": {
        "existenceCondition": {
          "field": "name",
          "like": "ASR-Protect-*"
        },
        "type": "Microsoft.Resources/links"
      },
      "effect": "auditIfNotExists"
    }
  },
  "policyType": "BuiltIn",
  "systemData": null,
  "type": "Microsoft.Authorization/policyDefinitions"
}

Maxime.