Catégorie : Kubernetes (AKS)

AKS | Node Pool Snapshot

Hi!

In this article, we will see a new feature of AKS : Node Pool Snapshot.

AKS releases a new node image weekly and every new cluster, new node pool, or upgrade cluster will always receive the latest image that can make it hard to maintain your environments consistent and to have repeatable environments.

Node pool snapshots allow you to take a configuration snapshot of your node pool and then create new node pools or new clusters based of that snapshot for as long as that configuration and kubernetes version is supported.

Take a Node Pool Snapshot:

NODEPOOL_ID=$(az aks nodepool show --name nodepool1 --cluster-name myAKSCluster --resource-group myResourceGroup --query id -o tsv)

az aks snapshot create --name MySnapshot --resource-group MyResourceGroup --nodepool-id $NODEPOOL_ID --location eastus

Create a Node Pool from a Snapshot:

SNAPSHOT_ID=$(az aks snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

az aks nodepool add --name np2 --cluster-name myAKSCluster --resource-group myResourceGroup --snapshot-id $SNAPSHOT_ID

Upgrading a Node Pool from a Snapshot:

SNAPSHOT_ID=$(az aks snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

az aks nodepool upgrade --name nodepool1 --cluster-name myAKSCluster --resource-group myResourceGroup --snapshot-id $SNAPSHOT_ID

Create a cluster from a Snapshot:

SNAPSHOT_ID=$(az aks snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

az aks create --name myAKSCluster2 --resource-group myResourceGroup --snapshot-id $SNAPSHOT_ID

Maxime.

Microsoft Defender for Containers plan released for general availability (GA)

Hi!

With the release of Microsoft Defender for Containers, Microsoft merged two existing Defender plans:

  • Defender for Kubernetes
  • Defender for container registries

The new plan:

  • Combines the features of the two existing plans – threat detection for Kubernetes clusters and vulnerability assessment for images stored in container registries
  • Brings new and improved features – including multi-cloud support, host level threat detection with over sixty new Kubernetes-aware analytics, and vulnerability assessment for running images
  • Introduces Kubernetes-native at-scale onboarding – by default, when you enable the plan all relevant components are configured to be deployed automatically

To enable this new plan, please follow the following steps:

  • Microsoft Defender for Cloud >
  • In the “Management” section >
  • Environment settings >
  • Select your subscription >
  • Click on “On” for Containers >
  • Save

Maxime.

New alerts for Microsoft Defender for Kubernetes

Hi!

To expand the threat protections provided by Microsoft Defender for Kubernetes, we’ve added two preview alerts.

Alert (alert type)DescriptionMITRE tacticSeverity
Anomalous pod deployment (Preview)
(K8S_AnomalousPodDeployment)		Kubernetes audit log analysis detected pod deployment that is anomalous based on previous pod deployment activity. This activity is considered an anomaly when taking into account how the different features seen in the deployment operation are in relations to one another. The features monitored by this analytics include the container image registry used, the account performing the deployment, day of the week, how often does this account performs pod deployments, user agent used in the operation, is this a namespace which is pod deployment occur to often, or other feature. Top contributing reasons for raising this alert as anomalous activity are detailed under the alert extended properties.ExecutionMedium
Excessive role permissions assigned in Kubernetes cluster (Preview)
(K8S_ServiceAcountPermissionAnomaly)		Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. From examining role assignments, the listed permissions are uncommon to the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender.Privilege EscalationLow

For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters.

Maxime.