Profile Applicability:

  • Level 1

Description:
 The Container Network Interface (CNI) is used in Kubernetes to configure networking for pods. Ensuring that the latest CNI version is used helps maintain compatibility with the Kubernetes environment, provides the latest bug fixes, and includes important security patches. This check verifies that your AKS cluster is using the most up-to-date CNI version for network configuration.

Rationale:
 Using the latest CNI version ensures the Kubernetes networking environment is secure, stable, and fully supported. Keeping CNI plugins up-to-date helps avoid network-related vulnerabilities, enhances performance, and maintains compatibility with new Kubernetes features.

Impact:

  • Pros:

    • Ensures network security and stability.

    • Provides access to the latest features, bug fixes, and performance improvements.

  • Cons:

    • Upgrading CNI versions may introduce breaking changes or require reconfiguration of network settings.

    • Some applications might face compatibility issues with the latest CNI version.

Default Value:
 Azure Kubernetes Service (AKS) typically uses a default CNI version, but it’s important to ensure that updates are applied to keep the CNI version current with the latest stable release.

Pre-requisites:
 Ensure that you have the necessary permissions to modify CNI configurations in your AKS cluster and that the cluster is compatible with the latest CNI version.

Remediation:

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access the Kubernetes cluster settings.

  2. Review the CNI plugin version used by the cluster under the Networking settings.

  3. Compare the installed version with the latest available version in the CNI documentation.

Using Azure CLI:

  1. Use the following command to check the CNI version in your AKS cluster:

    az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "networkProfile.cniVersion"

  2. Verify the returned CNI version against the latest available version.
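The comparison in step 2 can be scripted so it behaves the same on every audit run. The helper below is an added example, not part of the original benchmark text: the function names are hypothetical, the baseline version is supplied by the operator, and the returned value is assumed to be a dotted numeric version.

```shell
# Added example, not part of the benchmark text. Function names are hypothetical.
# Usage: check_cni_version "<output of the az aks show query above>" "<baseline>"
# The baseline is chosen by the operator; the reported value is assumed to be
# a dotted numeric version.

# Strip JSON quotes, whitespace and a leading "v" so both values compare cleanly.
normalize_version() {
    printf '%s' "$1" | tr -d '"[:space:]' | sed 's/^v//'
}

# Prints a verdict; returns 0 (at or above baseline), 1 (below), 2 (cannot tell).
check_cni_version() {
    cni_reported=$(normalize_version "$1")
    cni_baseline=$(normalize_version "$2")

    if [ -z "$cni_baseline" ]; then
        echo "UNKNOWN: no baseline version supplied"
        return 2
    fi
    # An absent field can come back as empty output or the literal null;
    # treat both as unknown rather than as a pass.
    if [ -z "$cni_reported" ] || [ "$cni_reported" = "null" ]; then
        echo "UNKNOWN: query returned no CNI version"
        return 2
    fi
    # Refuse to guess at anything that is not dotted-numeric.
    case "$cni_reported" in
        *[!0-9.]*) echo "UNKNOWN: unparseable version '$cni_reported'"; return 2 ;;
    esac

    # sort -V orders by version, so 1.10.0 ranks above 1.9.2 (a plain string
    # comparison would get this wrong).
    cni_lowest=$(printf '%s\n%s\n' "$cni_reported" "$cni_baseline" | sort -V | head -n 1)
    if [ "$cni_lowest" = "$cni_baseline" ]; then
        echo "PASS: $cni_reported >= $cni_baseline"
        return 0
    fi
    echo "FAIL: $cni_reported < $cni_baseline"
    return 1
}
```

An UNKNOWN result (exit status 2) should be recorded as a finding that needs manual review, not as compliance.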

Implementation Plan:

Using Azure Console:

  1. Navigate to the Azure portal and go to your AKS cluster.

  2. Under Networking settings, check the CNI version.

  3. If the CNI version is not the latest, refer to the official AKS documentation and update the CNI version manually if necessary.

Using Azure CLI:

  1. To update the CNI version, use the following Azure CLI command:

     az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --network-plugin azure

  2. Follow the steps to upgrade to the latest supported CNI version.

Backout Plan:

Using Azure Console:

  1. If upgrading to the latest CNI version causes issues, revert the CNI version to the previous stable version using the Azure portal.

Using Azure CLI:

  1. Revert to the previous CNI version by running the following command:

     az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --network-plugin azure --cni-version <previous-cni-version>

References:

  1. Azure Kubernetes Service (AKS) Networking Documentation

  2. Kubernetes CNI Documentation