Catégorie : Kubernetes (AKS)

New alerts for Microsoft Defender for Kubernetes

Hi!

To expand the threat protections provided by Microsoft Defender for Kubernetes, we’ve added two preview alerts.

Alert (alert type)DescriptionMITRE tacticSeverity
Anomalous pod deployment (Preview)
(K8S_AnomalousPodDeployment)
Kubernetes audit log analysis detected pod deployment that is anomalous based on previous pod deployment activity. This activity is considered an anomaly when taking into account how the different features seen in the deployment operation are in relations to one another. The features monitored by this analytics include the container image registry used, the account performing the deployment, day of the week, how often does this account performs pod deployments, user agent used in the operation, is this a namespace which is pod deployment occur to often, or other feature. Top contributing reasons for raising this alert as anomalous activity are detailed under the alert extended properties.ExecutionMedium
Excessive role permissions assigned in Kubernetes cluster (Preview)
(K8S_ServiceAcountPermissionAnomaly)
Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. From examining role assignments, the listed permissions are uncommon to the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender.Privilege EscalationLow

For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters.

Maxime.

AKS | Open Service Mesh add-on for AKS

Hi!

During Microsoft Ignite 2021, Microsoft released in general availability the open service mesh add-on for AKS.

Open Service Mesh (OSM) runs an Envoy-based control plane on Kubernetes, can be configured with SMI APIs, and works by injecting an Envoy proxy as a sidecar container next to each instance of your application. The Envoy proxy contains and executes rules around access control policies, implements routing configuration, and captures metrics. The control plane continually configures proxies to ensure policies and routing rules are up to date and ensures proxies are healthy.

OSM provides the following set of capabilities and features to provide a cloud native service mesh for your Azure Kubernetes Service (AKS) clusters:

  • OSM has been integrated into the AKS service to provide a fully supported and managed service mesh experience with the convenience of the AKS feature add-on
  • Secure service to service communication by enabling mTLS
  • Easily onboard applications onto the mesh by enabling automatic sidecar injection of Envoy proxy
  • Easily and transparent configurations for traffic shifting on deployments
  • Ability to define and execute fine grained access control policies for services
  • Observability and insights into application metrics for debugging and monitoring services
  • Integration with external certificate management services/solutions with a pluggable interface

OSM can assist your AKS deployments with the following scenarios:

  • Provide encrypted communications between service endpoints deployed in the cluster
  • Traffic authorization of both HTTP/HTTPS and TCP traffic in the mesh
  • Configuration of weighted traffic controls between two or more services for A/B or canary deployments
  • Collection and viewing of KPIs from application traffic
Deploy an AKS cluster with OSM add-on
az aks create -n <my-osm-aks-cluster-name> -g <my-osm-aks-cluster-rg> --node-osdisk-type Ephemeral --node-osdisk-size 30 --network-plugin azure --enable-managed-identity -a open-service-mesh

Enable OSM AKS add-on for an existing AKS cluster
az aks enable-addons --addons open-service-mesh -g <my-osm-aks-cluster-rg> -n <my-osm-aks-cluster-name>

Validate the AKS OSM add-on installation
az aks list -g <my-osm-aks-cluster-rg> -o json | jq -r '.[].addonProfiles.openServiceMesh.enabled'

Check OSM add-on version
kubectl get deployment -n kube-system osm-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}'

AKS OSM add-on configuration
kubectl get meshconfig osm-mesh-config -n kube-system -o yaml

Disable OSM AKS add-on for an existing AKS cluster
az aks disable-addons -n <AKS-cluster-name> -g <AKS-resource-group-name> -a open-service-mesh

Maxime.

AKS | Scale-down Mode to delete/deallocate nodes in Azure Kubernetes Service (AKS)

Hi!

By default, scale-up operations performed manually or by the cluster autoscaler require the allocation and provisioning of new nodes, and scale-down operations delete nodes. Scale-down Mode allows you to decide whether you would like to delete or deallocate the nodes in your Azure Kubernetes Service (AKS) cluster upon scaling down.

When an Azure VM is in the Stopped (deallocated) state, you will not be charged for the VM compute resources. However, you will still need to pay for any OS and data storage disks attached to the VM. This also means that the container images will be preserved on those nodes.

Limitations:

  • Ephemeral OS disks are not supported
  • Spot node pools are not supported
# Install the aks-preview extension
az extension add --name aks-preview

# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview

az feature register --namespace "Microsoft.ContainerService" --name "AKS-ScaleDownModePreview"
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-ScaleDownModePreview')].{Name:name,State:properties.state}"

# In this example, we create a new node pool with 20 nodes and specify that upon scale-down, nodes are to be deallocated via --scale-down-mode Deallocate
az aks nodepool add --node-count 20 --scale-down-mode Deallocate --node-osdisk-type Managed --max-pods 10 --name nodepool2 --cluster-name myAKSCluster --resource-group myResourceGroup

# By scaling the node pool and changing the node count to 5, we will deallocate 15 nodes
az aks nodepool scale --node-count 5 --name nodepool2 --cluster-name myAKSCluster --resource-group myResourceGroup

# Deleting previously deallocated nodes
az aks nodepool update --scale-down-mode Delete --name nodepool2 --cluster-name myAKSCluster --resource-group myResourceGroup

# The default behavior of AKS without using Scale-down Mode is to delete your nodes when you scale-down your cluster. Using Scale-down Mode, this can be explicitly achieved by setting --scale-down-mode Delete
az aks nodepool add --enable-cluster-autoscaler --min-count 1 --max-count 10 --max-pods 10 --node-osdisk-type Managed --scale-down-mode Delete --name nodepool3 --cluster-name myAKSCluster --resource-group myResourceGroup

Maxime.