Kubernetes data plane hardening helps enforce secure configurations for workloads running in your cluster, such as restricting privileged containers, enforcing resource limits, and limiting network access.
In Microsoft Defender for Cloud, data plane hardening is implemented by using Azure Policy for Kubernetes to evaluate and enforce these configurations. Azure Policy is deployed as part of Defender for Containers when automatic provisioning is enabled.
If Azure Policy for Kubernetes is turned off in the Defender for Containers plan settings, you can deploy it by remediating the relevant recommendation. You can also deploy Azure Policy manually by using Azure CLI or Helm if you disabled automatic provisioning during enablement or excluded specific clusters from automatic provisioning.
After Azure Policy for Kubernetes is deployed, Defender for Cloud generates data plane hardening recommendations based on your cluster configuration. This page shows how to review these recommendations, configure policy parameters, and enforce them on your clusters.
Prerequisites
To begin, make sure that:
You have added the required FQDN/application rules for Azure Policy.
(For non-AKS clusters) Your Kubernetes cluster is connected to Azure Arc.
Enable Azure Policy for Kubernetes by remediating recommendations
If Azure Policy for Kubernetes isn't deployed or was turned off in the Defender for Containers plan settings, you can install it by remediating the relevant recommendation in Defender for Cloud.
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Recommendations.
Search for the relevant recommendation:
- Azure: Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed
- GCP: GKE clusters should have the Azure Policy extension installed
- AWS/Arc-enabled Kubernetes: Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed
Select a recommendation.
In the Take action tab, select Fix.
Select Fix to remediate the selected resources.
Repeat for each recommendation.
Data plane hardening recommendations
After you deploy Azure Policy for Kubernetes, Defender for Cloud evaluates your cluster configuration and generates data plane hardening recommendations. This process can take up to 30 minutes.
Note
Microsoft components, such as the Defender sensor, are deployed in the kube-system namespace by default and aren't marked as noncompliant. Third-party components installed in other namespaces might be flagged. To exclude specific namespaces, configure Azure Policy exclusions.
The following table lists common data plane hardening recommendations:
| Recommendation name | Security control | Configuration required |
|---|---|---|
| Container CPU and memory limits should be enforced | Protect applications against DDoS attack | Yes |
| Container images should be deployed from trusted registries only | Remediate vulnerabilities | Yes |
| Least privileged Linux capabilities should be enforced for containers | Manage access and permissions | Yes |
| Containers should only use allowed AppArmor profiles | Remediate security configurations | Yes |
| Services should listen on allowed ports only | Restrict unauthorized network access | Yes |
| Usage of host networking and ports should be restricted | Restrict unauthorized network access | Yes |
| Usage of pod HostPath volume mounts should be restricted to a known list | Manage access and permissions | Yes |
| Container with privilege escalation should be avoided | Manage access and permissions | No |
| Containers sharing sensitive host namespaces should be avoided | Manage access and permissions | No |
| Immutable (read-only) root filesystem should be enforced for containers | Manage access and permissions | No |
| Kubernetes clusters should be accessible only over HTTPS | Encrypt data in transit | No |
| Kubernetes clusters should disable automounting API credentials | Manage access and permissions | No |
| Kubernetes clusters shouldn't use the default namespace | Implement security best practices | No |
| Kubernetes clusters shouldn't grant CAP_SYS_ADMIN capabilities | Manage access and permissions | No |
| Privileged containers should be avoided | Manage access and permissions | No |
| Running containers as root user should be avoided | Manage access and permissions | No |
View recommendations for a cluster
To view data plane hardening recommendations for a specific cluster:
Sign in to the Azure portal.
Go to Defender for Cloud > Inventory.
Set the resource type filter to Kubernetes service and select Apply.
Select the relevant cluster.
Review the available recommendations. Data plane hardening recommendations show the number of affected Kubernetes components.
Select a recommendation to view affected resources.
Select the Take action tab to review remediation options.
Configure policy parameters
Some recommendations require parameter configuration to be effective. For example, the recommendation Container images should be deployed from trusted registries only requires you to define a list of trusted registries.
If required parameters aren't configured, resources are shown as unhealthy.
To configure policy parameters:
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Environment settings.
Select the relevant subscription.
Select Security policies.
On the Standards tab, select the relevant security standard.
Select the relevant policy assignment's 3-dot menu and select Manage effect and parameters.
Update the required parameter values.
Select Save.
Enforce data plane hardening policies
By default, policies evaluate resources in audit mode. To enforce a policy, set its effect to Deny.
To enforce a recommendation:
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Recommendations.
Search for and select the relevant data plane hardening recommendation.
On the Take action tab, select Deny.
Set the scope.
Select Change to deny.
Test policy enforcement
You can validate data plane hardening policies by deploying two test workloads:
- A compliant deployment that meets data plane hardening requirements
- A noncompliant deployment that violates multiple policies
Deploy the following example YAML files to verify that compliant workloads are deployed successfully and noncompliant workloads are flagged or blocked, depending on policy enforcement settings.
Compliant deployment example
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-healthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        container.apparmor.security.beta.kubernetes.io/redis: runtime/default
    spec:
      containers:
      - name: redis
        image: <customer-registry>.azurecr.io/redis:latest
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 100m
            memory: 250Mi
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
---
apiVersion: v1
kind: Service
metadata:
  name: redis-healthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 80
    targetPort: 80
```
Noncompliant deployment example
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-unhealthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - name: redis
        image: redis:latest
        ports:
        - containerPort: 9001
          hostPort: 9001
        securityContext:
          privileged: true
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: true
          runAsUser: 0
          capabilities:
            add:
            - NET_ADMIN
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
          readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /tmp
---
apiVersion: v1
kind: Service
metadata:
  name: redis-unhealthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 6001
    targetPort: 9001
```
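Before applying a manifest to a cluster where the effect is set to Deny, it helps to know which of the recommendations in the table it will trip and which of them depend on the parameters you configured under Security policies. The script below is an added example, not Defender for Cloud code and not the Gatekeeper constraint templates that Azure Policy for Kubernetes actually evaluates in the cluster; it only mirrors the intent of the controls so the two manifests above can be linted offline. It assumes parameter values of its own in `PARAMS` (an ACR-only image regex, allowed Service ports 80 and 443, no hostPath mounts, no added Linux capabilities, only the `runtime/default` AppArmor profile), treats a container without an AppArmor annotation as running with `runtime/default`, and takes the target namespace as an argument because a Deployment without `metadata.namespace` lands in `default` and trips the default-namespace recommendation. The manifests are embedded in parsed form with `contoso` standing in for `<customer-registry>`; the automount-API-credentials and HTTPS-only controls are not mirrored, since they concern ServiceAccount and Ingress settings the two manifests don't touch.

```python
"""Offline pre-deployment lint that mirrors the data plane hardening controls
in the table on this page. Added example, not Defender for Cloud or Azure
Policy code: in the cluster these controls are evaluated by Azure Policy for
Kubernetes; this script only reproduces their intent before `kubectl apply`."""
import re

# Values for the recommendations marked "Configuration required" (assumed for
# this example; align them with the parameters set under Security policies).
PARAMS = {
    "trusted_registry_regex": r"^[a-z0-9-]+\.azurecr\.io/",  # assumed: ACR only
    "allowed_service_ports": {80, 443},
    "allowed_host_paths": set(),       # no hostPath mounts permitted
    "allowed_capabilities": set(),     # no added Linux capabilities permitted
    "allowed_apparmor_profiles": {"runtime/default"},
}
APPARMOR_ANNOTATION = "container.apparmor.security.beta.kubernetes.io/"


def check_deployment(deploy, namespace=None, params=PARAMS):
    """Return (control, message) findings for a Deployment; [] means compliant.
    `namespace` is what you would pass to kubectl -n; otherwise the manifest's
    own namespace, or "default", is assumed."""
    f = []
    ns = namespace or deploy.get("metadata", {}).get("namespace") or "default"
    if ns == "default":
        f.append(("default-namespace", "workload would land in the default namespace"))
    template = deploy["spec"]["template"]
    pod, annotations = template["spec"], template.get("metadata", {}).get("annotations", {})
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(flag):
            f.append(("host-namespaces", f"pod sets {flag}: true"))
    for c in pod.get("containers", []):
        name, sc, image = c["name"], c.get("securityContext", {}), c.get("image", "")
        if not re.match(params["trusted_registry_regex"], image):
            f.append(("trusted-registries", f"{name}: {image!r} is not from a trusted registry"))
        limits = c.get("resources", {}).get("limits", {})
        f += [("resource-limits", f"{name}: no {r} limit") for r in ("cpu", "memory") if r not in limits]
        if sc.get("privileged"):
            f.append(("privileged", f"{name}: privileged: true"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            f.append(("privilege-escalation", f"{name}: allowPrivilegeEscalation is not false"))
        if not sc.get("readOnlyRootFilesystem"):
            f.append(("read-only-rootfs", f"{name}: readOnlyRootFilesystem is not true"))
        uid = sc.get("runAsUser")
        if uid == 0 or (uid is None and not sc.get("runAsNonRoot")):
            f.append(("run-as-root", f"{name}: may run as root"))
        added = set(sc.get("capabilities", {}).get("add", []))
        if added & {"SYS_ADMIN", "CAP_SYS_ADMIN"}:
            f.append(("cap-sys-admin", f"{name}: adds CAP_SYS_ADMIN"))
        if added - params["allowed_capabilities"]:
            f.append(("least-privilege-caps", f"{name}: adds capabilities {sorted(added)}"))
        # Assumed: a container without an annotation gets the runtime default profile.
        profile = annotations.get(APPARMOR_ANNOTATION + name, "runtime/default")
        if profile not in params["allowed_apparmor_profiles"]:
            f.append(("apparmor", f"{name}: AppArmor profile {profile!r} not allowed"))
        f += [("host-ports", f"{name}: binds hostPort {p['hostPort']}") for p in c.get("ports", []) if "hostPort" in p]
        for vm in c.get("volumeMounts", []):
            host = volumes.get(vm["name"], {}).get("hostPath")
            if host and host.get("path") not in params["allowed_host_paths"]:
                f.append(("host-path", f"{name}: mounts hostPath {host['path']} (not in allowed list)"))
    return f


def check_service(svc, params=PARAMS):
    """Flag Service ports outside the allowed list."""
    return [("allowed-ports", f"service exposes port {p.get('port')}")
            for p in svc.get("spec", {}).get("ports", [])
            if p.get("port") not in params["allowed_service_ports"]]


def violated_controls(findings):
    return sorted({control for control, _ in findings})


# The two example manifests above in parsed form, reduced to the fields the
# checks read (constructed inline so this runs offline; "contoso" stands in
# for <customer-registry>).
COMPLIANT = {"metadata": {"name": "redis-healthy-deployment"}, "spec": {"template": {
    "metadata": {"annotations": {APPARMOR_ANNOTATION + "redis": "runtime/default"}},
    "spec": {"containers": [{"name": "redis", "image": "contoso.azurecr.io/redis:latest",
        "ports": [{"containerPort": 80}],
        "resources": {"limits": {"cpu": "100m", "memory": "250Mi"}},
        "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False, "runAsNonRoot": True, "runAsUser": 1000}}]}}}}
COMPLIANT_SVC = {"spec": {"ports": [{"port": 80, "targetPort": 80}]}}
NONCOMPLIANT = {"metadata": {"name": "redis-unhealthy-deployment"}, "spec": {"template": {
    "spec": {"hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{"name": "redis", "image": "redis:latest",
            "ports": [{"containerPort": 9001, "hostPort": 9001}],
            "securityContext": {"privileged": True, "readOnlyRootFilesystem": False,
                "allowPrivilegeEscalation": True, "runAsUser": 0,
                "capabilities": {"add": ["NET_ADMIN"]}},
            "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume", "readOnly": True}]}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": "/tmp"}}]}}}}
NONCOMPLIANT_SVC = {"spec": {"ports": [{"port": 6001, "targetPort": 9001}]}}

if __name__ == "__main__":
    for label, dep, svc in (("compliant", COMPLIANT, COMPLIANT_SVC),
                            ("noncompliant", NONCOMPLIANT, NONCOMPLIANT_SVC)):
        findings = check_deployment(dep, namespace="redis") + check_service(svc)
        print(f"{label}: {len(findings)} finding(s)")
        for control, msg in findings:
            print(f"  [{control}] {msg}")
```

Run with a dedicated namespace, the compliant manifest produces no findings and the noncompliant one trips eleven controls; run without a namespace, even the compliant manifest is flagged once, for the default namespace, which is the same outcome the "shouldn't use the default namespace" recommendation gives a Deployment applied without `-n`. Three of the noncompliant findings (trusted registry, hostPath, and Service port) only exist because `PARAMS` is populated; with the parameters left unset, the corresponding recommendations show resources as unhealthy rather than evaluating them.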