Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management

Azure Arc Kubernetes and Azure Defender Cloud for Containers with #Azure Policies



Azure Arc for Hybrid Cloud Management.

In my last blogpost I wrote about Azure Arc enabled Kubernetes and Container Insights with Alerting and Actions

In the following steps I will install some containers (Pods) on my Azure Arc enabled Kubernetes so I have some data to work with in my MVP LAB. I did that with Microsoft Visual Studio Code and with Helm predefined templates. Install VSCode and the Kubernetes extension; more information here.

In the following steps we install DAPR and Redis on the Azure Arc enabled Kubernetes.

When you open your Kubernetes Cluster in the Kubernetes extension,
click on Helm Repos.
There you see the Dapr repo.
Click on version 1.6.0.

Right-click on version 1.6.0.
Click on Install.

Dapr is now installed with its default settings on the Azure Arc enabled Kubernetes cluster.

Type in PowerShell:
dapr status -k
You will see the running pods of Dapr.

The Dapr Dashboard is running.
Important: This is running in a test environment and is currently served over plain HTTP.
For production you have to secure it!
Azure Arc Services and Azure Defender for Containers will help you with that.


Install Redis in the same way, then run:

kubectl get pods

You will see the running Dapr and Redis pods.

Now we have installed two products with their default settings on the Azure Arc enabled Kubernetes Cluster, but security based on best practices is not yet in place. For Dapr you have security best practices to follow, and for Redis there is Security for Redis.

But next to these security best practices from the software vendors, we also have Microsoft Azure Arc Security (Preview) active on this Kubernetes Cluster. In the following steps you will see the security rules, fixes and Azure Policies for Azure Arc Kubernetes that make your environment more secure and compliant.

Click on your Azure Arc enabled Kubernetes Cluster.
This is my Dockkube.
Click then on Security (preview).

Here you see that I don't have Azure Policy active to be compliant
on my Azure Arc enabled Kubernetes Cluster.
A lot of security issues are managed by policies.
Click on View Additional recommendations in Defender for Cloud.

See Related recommendation (17)

Here you see all the dependent policies for your Azure Arc enabled Kubernetes Cluster.

Select your Azure Arc enabled Kubernetes Cluster (Dockkube).
Click on Fix.

Confirm and click on Fix 1 resource.

Remediation in progress.

Remediation Successful.
It can take some minutes to see your resources in the Healthy state.
Just refresh 😉

In Azure Policy you will see how compliant you are with your
Azure Arc enabled Kubernetes.
Click on the ASC compliance.

Here you see the 10 policies that are not compliant.

Select a policy which is not compliant, like here:
Kubernetes cluster containers should only use allowed images
Click on Details.

Here you see the Component IDs on my Azure Arc enabled Kubernetes Cluster
which are not compliant with this policy 😉
See the tab bar, you are now on Component Compliance.

Click on the Policies tab.
Double-click on the policy.

From here you can Assign the policy to your Azure Arc enabled Kubernetes Cluster.

See the tab bar for deploying this policy.

Set your Managed Identity for deploying your policy; the remediation task needs it to change the resources on your behalf.
Here you can read more about how security remediation works.

More information on Microsoft Docs:

Enable Microsoft Defender for Containers

Azure Policy built-in definitions for Azure Arc-enabled Kubernetes

Understand Azure Policy for Kubernetes clusters

Overview of Microsoft Defender for Containers

Microsoft Azure Defender for Cloud Containers

Defender Plans for Azure Arc enabled Kubernetes Clusters (Preview)
I have set these.
(Security recommendations can take some time to appear.)

Security (preview) on your Azure Arc enabled Kubernetes Cluster

Here you get the remediation steps to do and the related information.

There is an information link to the MITRE ATT&CK site.

And more information via a link to the Kubernetes site:
Resource Management for Pods and Containers

A new example, where you can see the affected components
on my Azure Arc enabled Kubernetes Cluster Dockkube.
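The two findings walked through above, the allowed-images policy and the missing CPU/memory limits from the Resource Management page, can be pre-checked offline before the policy assignment reports them. The following script is an added example and not code from the post or from Microsoft; the pod JSON is constructed in the shape of `kubectl get pods -o json`, and the registry pattern is a hypothetical value for the built-in policy's `allowedContainerImagesRegex` parameter.

```python
"""Offline pre-check of two Azure Policy for Kubernetes rules: containers
should only use allowed images, and containers should set CPU and memory
limits. Input is constructed sample data, not a live cluster."""
import json
import re

# Constructed sample in the shape of `kubectl get pods -o json` (two pods).
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "dapr-operator"},
         "spec": {"containers": [
             {"name": "dapr-operator",
              "image": "ghcr.io/dapr/operator:1.6.0",
              "resources": {"limits": {"cpu": "1", "memory": "200Mi"}}}]}},
        {"metadata": {"name": "redis-master-0"},
         "spec": {"containers": [
             {"name": "redis",
              "image": "docker.io/bitnami/redis:6.2",
              "resources": {}}]}},
    ]
})

# Hypothetical value for the policy parameter allowedContainerImagesRegex:
# only allow images pulled from an Azure Container Registry of your own.
ALLOWED_IMAGES_REGEX = r"^[^/]+\.azurecr\.io/.+$"


def check_pods(pods_json: str, allowed_regex: str = ALLOWED_IMAGES_REGEX) -> list:
    """Return one finding per container that the two policies would flag."""
    allowed = re.compile(allowed_regex)
    findings = []
    for pod in json.loads(pods_json)["items"]:
        pod_name = pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            # Rule 1: image must match the allowed-registry pattern.
            if not allowed.match(c["image"]):
                findings.append({"pod": pod_name, "container": c["name"],
                                 "policy": "allowed-images", "image": c["image"]})
            # Rule 2: both cpu and memory limits must be declared.
            limits = c.get("resources", {}).get("limits", {})
            missing = [r for r in ("cpu", "memory") if r not in limits]
            if missing:
                findings.append({"pod": pod_name, "container": c["name"],
                                 "policy": "resource-limits", "missing": missing})
    return findings


if __name__ == "__main__":
    for finding in check_pods(SAMPLE_PODS_JSON):
        print(finding)
```

Both sample pods fail the image rule because they come from public registries, and the Redis container additionally has no limits; the same checks run against a real `kubectl get pods -A -o json` dump.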


Conclusion

When you work in a DevOps way with Kubernetes containers and microservices, you want them as secure as possible, with application security and the best practices from the software vendors. Security monitoring and compliance are important to keep you in control and to keep your environment safe. With Azure Arc enabled Kubernetes you get Azure Defender for Containers and Azure Policy for security compliance on your Kubernetes Cluster.

Important: This is still in preview and should not be used in a production environment until Microsoft makes it Generally Available. For now you can test it in your test environment, like me in my MVPLAB.

Author: James van den Berg

I'm a Microsoft Architect and ICT Specialist, Microsoft MVP Cloud and Datacenter Management, Microsoft MVP Windows Insider, Microsoft Tech Community Insider and Microsoft Azure Advisor.
