Category: Azure

AKS | Image Cleaner

Hi!

In this article, I will show you how you can clean up unreferenced images stored at the node level. Done manually, this process is time intensive; ImageCleaner mitigates that by identifying and removing such images automatically.

ImageCleaner does not support the following:

  • Windows node pools
  • ARM64 node pools

When enabled, an eraser-controller-manager pod is deployed on each agent node, which will use an ImageList CRD to determine unreferenced and vulnerable images. Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged.

An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually. Once an ImageList is generated, ImageCleaner will remove all the images in the list from node VMs.

To enable Image Cleaner on an existing AKS cluster:

az aks update -g MyResourceGroup -n MyManagedCluster --enable-image-cleaner

To enable Image Cleaner with a custom scan interval, expressed in hours (48 hours in this example):

az aks update -g MyResourceGroup -n MyManagedCluster --image-cleaner-interval-hours 48

Based on your configuration, ImageCleaner will generate an ImageList containing non-running and vulnerable images at the desired interval. ImageCleaner will automatically remove these images from cluster nodes.

Source: https://docs.microsoft.com/en-us/azure/aks/image-cleaner

Maxime.

Network security groups support for private endpoints

Hi!

Network security groups (NSGs) support for private endpoints is now generally available. This feature enhancement provides you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.

By default, network policies are disabled for a subnet in a virtual network. To utilize network policies like UDR and NSG support, network policy support must be enabled for the subnet. This setting is only applicable to private endpoints within the subnet. This setting affects all private endpoints within the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.

Enable Network Policy:

  1. Sign in to the Azure portal.
  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks.
  3. Select myVNet.
  4. In settings of myVNet, select Subnets.
  5. Select the default subnet.
  6. In the properties for the default subnet, select Enabled in NETWORK POLICY FOR PRIVATE ENDPOINTS.
  7. Select Save.

Maxime.

Two new alerts for Microsoft Defender for Key Vault (AKV)

Hi!

In this article, I will share with you two new alerts released in June 2022 for Microsoft Defender for Key Vault.

Alert: Unusual access denied – User accessing high volume of key vaults denied
Alert type: KV_DeniedAccountVolumeAnomaly
Description: A user or service principal has attempted access to an anomalously high volume of key vaults in the last 24 hours. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access to a key vault and the secrets contained within it. We recommend further investigation.
MITRE tactics: Discovery
Severity: Low

Alert: Unusual access denied – Unusual user accessing key vault denied
Alert type: KV_UserAccessDeniedAnomaly
Description: A key vault access was attempted by a user that doesn't normally access it. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access to a key vault and the secrets contained within it.
MITRE tactics: Initial Access, Discovery
Severity: Low
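
To make the two alert patterns concrete, here is an added example (not Microsoft's detection logic, and not part of the original post) that runs simplified versions of both checks over constructed Key Vault audit-style records; the 24-hour window comes from the alert description, while the volume threshold, the field names and the "normally accesses it" baseline (a prior successful access to the same vault) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Key Vault AuditEvent logs
# (field names simplified; this is not real Key Vault log output).
SAMPLE_LOGS = [
    {"time": "2022-06-01T08:00:00Z", "caller": "alice@contoso.com", "vault": "kv-payroll", "result": "Success"},
    {"time": "2022-06-01T09:00:00Z", "caller": "bob@contoso.com", "vault": "kv-payroll", "result": "Unauthorized"},
    {"time": "2022-06-01T09:01:00Z", "caller": "svc-scan", "vault": "kv-a", "result": "Unauthorized"},
    {"time": "2022-06-01T09:02:00Z", "caller": "svc-scan", "vault": "kv-b", "result": "Unauthorized"},
    {"time": "2022-06-01T09:03:00Z", "caller": "svc-scan", "vault": "kv-c", "result": "Unauthorized"},
    {"time": "2022-06-01T09:04:00Z", "caller": "svc-scan", "vault": "kv-d", "result": "Unauthorized"},
    {"time": "2022-06-03T09:05:00Z", "caller": "svc-scan", "vault": "kv-e", "result": "Unauthorized"},
    {"time": "2022-06-01T10:00:00Z", "caller": "alice@contoso.com", "vault": "kv-payroll", "result": "Unauthorized"},
]
DENIED = "Unauthorized"

def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")

def denied_volume_anomalies(logs, threshold=4, window=timedelta(hours=24)):
    """KV_DeniedAccountVolumeAnomaly: callers denied on >= `threshold` distinct
    vaults inside any 24h window (the threshold is an assumed value)."""
    denied = defaultdict(list)
    for r in logs:
        if r["result"] == DENIED:
            denied[r["caller"]].append((_ts(r), r["vault"]))
    flagged = {}
    for caller, events in denied.items():
        events.sort()  # chronological; sliding window starts at each denial
        for i, (start, _) in enumerate(events):
            vaults = {v for t, v in events[i:] if t - start <= window}
            if len(vaults) >= threshold:
                flagged[caller] = sorted(vaults)
                break
    return flagged

def unusual_user_denied(logs):
    """KV_UserAccessDeniedAnomaly: a denied attempt by a caller with no earlier
    successful access to that vault (assumed definition of 'normal' access)."""
    seen_ok, flagged = set(), []
    for r in sorted(logs, key=_ts):
        key = (r["caller"], r["vault"])
        if r["result"] == DENIED and key not in seen_ok:
            flagged.append(key)
        elif r["result"] != DENIED:
            seen_ok.add(key)
    return flagged
```

In the sample data, svc-scan trips the volume check (four distinct vaults denied within one day; the fifth denial two days later falls outside the window), while alice's denial on kv-payroll is not flagged as unusual because she accessed that vault successfully earlier.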

Maxime.