Azure AKS 漏洞列表

Ensure that Azure Kubernetes Service (AKS) clusters are configured to use the API Server Authorized IP Address Ranges feature in order to limit which IP addresses and CIDRs can access the Kubernetes control plane.

To maximize the benefits of your Azure Kubernetes Service (AKS) clusters, it is important to ensure they are running on the latest Kubernetes version. By doing so, you gain access to new and improved features, as well as the latest security patches. The Kubernetes API upgrade becomes fully available only after it is approved by Microsoft Azure.

Ensure that Azure Kubernetes Service (AKS) clusters are configured to use the Azure Container Networking Interface (CNI) mode instead of the default Kubenet networking mode to enhance the segregation of resources and controls in an enterprise environment.

Ensure that your Azure Kubernetes Service (AKS) clusters are integrated with Microsoft Entra ID to provide granular access to AKS resources.

Ensure that your Azure Kubernetes Service (AKS) clusters are using the latest available version of Kubernetes platform in order to receive new or enhanced features and the most recent security fixes. The Kubernetes version upgrade becomes fully available only after it is approved by Microsoft Azure.

Ensure that your Azure Kubernetes Service (AKS) clusters are using system-assigned managed identities to allow secure application access to other Azure cloud resources such as load balancers, managed disks, and key vaults.

Ensure that Azure Kubernetes Service (AKS) clusters are using the Network Contributor role for managing networking resources and accessing other Azure services within an Azure Virtual Network (VNet). The Network Contributor role enables seamless network management, facilitates service integration, and enhances overall security.

Ensure that your Azure Kubernetes Service (AKS) clusters are using user-assigned managed identities for fine-grained control over access permissions.

Ensure that Kubernetes Role-Based Access Control (RBAC) is enabled for all Azure Kubernetes Service (AKS) clusters in order to achieve fine-grained control over AKS cluster resources. The Kubernetes Role-Based Access Control (RBAC) represents an efficient method of regulating access to Azure Kubernetes Service resources based on the roles of individual users or groups within an organization.

Ensure that your Azure Kubernetes Service (AKS) clusters are configured with encryption at rest for Kubernetes secrets in etcd using a private Azure Key Vault.