Category: Azure

AKS | Operation Abort

Hi!

AKS now supports aborting a long-running operation. The abort operation supports the following scenarios:

  • If a long running operation is stuck or suspected to be in a bad state or failing, the operation can be aborted provided it’s the last running operation on the Managed Cluster or agent pool.
  • If a long running operation is stuck or failing, that operation can be aborted.
  • An operation that was triggered in error can be aborted as long as the operation doesn’t reach a terminal state first.

The following example terminates an operation on a node pool on a specified cluster:

az aks nodepool operation-abort --resource-group myResourceGroup --cluster-name myAKSCluster --name myNodePool

The following example terminates an operation on a specified cluster:

az aks operation-abort --name myAKSCluster --resource-group myResourceGroup

Reference: https://learn.microsoft.com/en-us/azure/aks/manage-abort-operations
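The two commands above fire an abort unconditionally. As an added example (not from the original post or the AKS documentation), the following wrapper first reads the cluster's or node pool's provisioningState and only aborts when an operation is actually in flight, so a terminal-state resource is never touched by mistake. It assumes an authenticated az CLI; the resource group, cluster and node pool names are caller-supplied placeholders.

```shell
# Added example: guard the abort commands from the post with a provisioningState check.
# Assumes an authenticated az CLI; names are placeholders passed in by the caller.

# ARM terminal provisioning states. Any other value (Updating, Creating, Deleting,
# Upgrading, Scaling, ...) means a long-running operation is still in progress.
is_terminal_state() {
  case "$1" in
    Succeeded|Failed|Canceled) return 0 ;;
    *) return 1 ;;
  esac
}

# Pure decision helper: prints "abort" when the state is non-terminal, "leave" otherwise.
decide_action() {
  if is_terminal_state "$1"; then
    echo "leave"
  else
    echo "abort"
  fi
}

# Abort the current cluster-level operation only if one is still running.
# Usage: abort_if_stuck <resource-group> <cluster-name>
abort_if_stuck() {
  rg="$1"
  cluster="$2"
  state=$(az aks show --resource-group "$rg" --name "$cluster" \
            --query provisioningState -o tsv)
  # Keep an audit line of what was observed before any abort is issued.
  echo "$(date -u +%FT%TZ) cluster=$cluster provisioningState=$state"
  if [ "$(decide_action "$state")" = "abort" ]; then
    az aks operation-abort --resource-group "$rg" --name "$cluster"
  else
    echo "Nothing to abort: '$cluster' is already in terminal state '$state'."
  fi
}

# Same guard for a node pool; its state lives on the agent pool, not on the cluster.
# Usage: abort_nodepool_if_stuck <resource-group> <cluster-name> <nodepool-name>
abort_nodepool_if_stuck() {
  rg="$1"; cluster="$2"; pool="$3"
  state=$(az aks nodepool show --resource-group "$rg" --cluster-name "$cluster" \
            --name "$pool" --query provisioningState -o tsv)
  echo "$(date -u +%FT%TZ) nodepool=$pool provisioningState=$state"
  if [ "$(decide_action "$state")" = "abort" ]; then
    az aks nodepool operation-abort --resource-group "$rg" --cluster-name "$cluster" --name "$pool"
  else
    echo "Nothing to abort: node pool '$pool' is in terminal state '$state'."
  fi
}
```

Call `abort_if_stuck myResourceGroup myAKSCluster` or `abort_nodepool_if_stuck myResourceGroup myAKSCluster myNodePool`; the decision helper is kept separate from the az calls so the state logic can be checked without a live subscription.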

Maxime.

AKV | Access Configuration Update

Hi!

Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on the management plane, and the access policy model, which operates on both the management plane and the data plane.

  • Azure RBAC is built on Azure Resource Manager and provides fine-grained access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource). 
  • The access policy model, on the other hand, is an existing authorization system built in Key Vault to provide access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (user, group, service principal, managed identity) at Key Vault scope.

Azure RBAC offers several advantages over access policies:

  • A unified access control model for Azure resources – it uses the same API across Azure services
  • Centralized access management for administrators – manage all Azure resources in one view
  • Integration with Privileged Identity Management for time-based access control
  • Deny assignments – ability to exclude security principals at a particular scope
  • More stringent permissions – managing access for users and service principals requires the Owner or User Access Administrator role

Azure RBAC is now the recommended authorization system for the Azure Key Vault data plane.
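As an added example (not from the original post), the following script shows what the switch looks like in practice: the access-policy form that grants a principal `get` on every secret in the vault sits beside the Azure RBAC form, which flips the data plane to RBAC and then assigns a built-in data-plane role scoped to a single secret. It assumes an authenticated az CLI with rights to update the vault and create role assignments; the resource group, vault, principal and secret names are placeholders.

```shell
# Added example: migrate a Key Vault's data plane from access policies to Azure RBAC
# with a least-privilege assignment. Assumes an authenticated az CLI; names are placeholders.

# Map an intent to a built-in Key Vault data-plane role, so callers never hand out
# "Key Vault Administrator" by accident. Fails (no output) for unknown intents.
role_for_intent() {
  case "$1" in
    read-secrets)   echo "Key Vault Secrets User" ;;
    manage-secrets) echo "Key Vault Secrets Officer" ;;
    use-keys)       echo "Key Vault Crypto User" ;;
    read-metadata)  echo "Key Vault Reader" ;;
    *) return 1 ;;
  esac
}

# Build the narrowest scope Azure RBAC supports for Key Vault: one secret under the
# vault's ARM resource ID (access policies can only be granted at vault scope).
scope_for_secret() {
  vault_id="$1"; secret="$2"
  echo "${vault_id}/secrets/${secret}"
}

# Usage: vault_to_rbac <resource-group> <vault-name> <principal-object-id> <secret-name>
vault_to_rbac() {
  rg="$1"; vault="$2"; principal="$3"; secret="$4"

  # Weak setting, shown for comparison only: an access policy grants 'get' at vault
  # scope, i.e. on every secret the vault holds.
  # az keyvault set-policy --name "$vault" --object-id "$principal" --secret-permissions get

  # Corrected setting: switch the data plane to Azure RBAC. Existing access policies are
  # ignored from this point on, so plan the role assignments before running this.
  az keyvault update --resource-group "$rg" --name "$vault" --enable-rbac-authorization true

  vault_id=$(az keyvault show --resource-group "$rg" --name "$vault" --query id -o tsv)
  role=$(role_for_intent read-secrets)
  az role assignment create --assignee "$principal" --role "$role" \
    --scope "$(scope_for_secret "$vault_id" "$secret")"

  # Verify: list everyone who now holds rights on the vault, including inherited ones
  # from the resource group or subscription, which an access-policy review would miss.
  az role assignment list --scope "$vault_id" --include-inherited -o table
}
```

The final listing is the check worth keeping after any migration: with RBAC, rights inherited from a broader scope (a subscription-level Owner, for instance) reach the data plane too, so the review has to include them.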

Maxime.

AKS | CNCF Quebec Meetup

Hi,

I am thrilled to share that I had the opportunity to speak at the CNCF Québec meetup this week. My presentation focused on the various security vectors that a malicious actor may exploit to target an Azure Kubernetes Cluster deployment.

Throughout my talk, I highlighted several critical topics that I believe are crucial for understanding and preventing security breaches, including:

  • The exploitation of Azure Resource Graph for discovery purposes
  • The risks associated with malicious admission controllers
  • Network attacks and their implications
  • The importance of understanding the differences between AKS Service Principal and MSI
  • Insider attacks and their impact on security.
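Two of the points listed above can be checked on an existing cluster. As an added example (not from the original post or the talk), the following audit reports which identity model the cluster runs on (a service principal with a credential that can expire or leak, versus a managed identity) and lists the mutating and validating admission webhooks registered in the cluster, each of which should map to a known, reviewed component. It assumes an authenticated az CLI and a kubeconfig for the cluster; resource names are placeholders.

```shell
# Added example: defender-side audit of cluster identity model and admission webhooks.
# Assumes an authenticated az CLI plus kubectl access; names are placeholders.

# Classify the cluster identity from two fields of `az aks show`:
#   identity.type                    -> "SystemAssigned" / "UserAssigned"; empty on SP clusters
#   servicePrincipalProfile.clientId -> the literal string "msi" on managed-identity clusters
classify_identity() {
  identity_type="$1"; client_id="$2"
  case "$identity_type" in
    SystemAssigned|UserAssigned) echo "managed-identity" ;;
    *)
      if [ -n "$client_id" ] && [ "$client_id" != "msi" ]; then
        echo "service-principal"   # a rotating secret to track; plan the migration to MSI
      else
        echo "unknown"
      fi ;;
  esac
}

# Usage: audit_cluster <resource-group> <cluster-name>
audit_cluster() {
  rg="$1"; cluster="$2"
  identity_type=$(az aks show -g "$rg" -n "$cluster" --query identity.type -o tsv)
  client_id=$(az aks show -g "$rg" -n "$cluster" --query servicePrincipalProfile.clientId -o tsv)
  echo "identity model: $(classify_identity "$identity_type" "$client_id")"

  # Admission webhooks: a mutating webhook sees and may rewrite every matching object
  # before it is persisted, so each entry here needs an owner and a reason to exist.
  echo "mutating webhooks:"
  kubectl get mutatingwebhookconfigurations \
    -o custom-columns='NAME:.metadata.name,WEBHOOKS:.webhooks[*].name'
  echo "validating webhooks:"
  kubectl get validatingwebhookconfigurations \
    -o custom-columns='NAME:.metadata.name,WEBHOOKS:.webhooks[*].name'
}
```

Run `audit_cluster myResourceGroup myAKSCluster` and compare the webhook list against the components you actually deployed; an unfamiliar entry is the first thing to investigate.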

Maxime.