Profile Applicability:
Level 1
Description:
Container images must be scanned for vulnerabilities to identify and mitigate potential security risks before they are deployed in the Kubernetes cluster. This check ensures that image vulnerability scanning is enabled using Microsoft Defender for Cloud (MDC) or an approved third-party scanning provider.
Rationale:
Vulnerability scanning of container images is essential for maintaining the security of the Kubernetes environment. Scanning images detects known vulnerabilities (published CVEs) in operating system packages, language runtimes, and application dependencies before those images reach the production environment. Scanning does not by itself make an image safe; it gives you the findings needed to patch or rebuild the image, or to block its deployment, before a vulnerable container is running in the cluster. Microsoft Defender for Cloud or a third-party provider can perform this scanning against the registry and, depending on the product, against images already running on the nodes.
Impact:
Pros:
Identifies vulnerabilities early in the CI/CD pipeline, reducing the risk of deploying vulnerable containers.
Enhances security by integrating automated image scanning into the Kubernetes deployment process.
Helps comply with security best practices and regulatory requirements.
Cons:
Requires configuration and integration of Microsoft Defender for Cloud or a third-party provider.
May add some overhead in terms of resource usage during the scanning process.
Default Value:
By default, image vulnerability scanning is not enabled for AKS. The Microsoft Defender for Containers plan is set to the Free tier on a new subscription and the Defender profile is not deployed to new clusters, so either Microsoft Defender for Cloud (MDC) or a third-party solution must be configured explicitly to scan images.
Pre-requisites:
Ensure that Microsoft Defender for Cloud or a third-party vulnerability scanning provider is configured and integrated with your Azure Kubernetes Service (AKS) cluster.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Azure portal, open Microsoft Defender for Cloud, and go to Environment settings for the subscription that contains the AKS cluster.
Verify that the Defender for Containers plan is set to On and that the AKS cluster shows the Defender profile as enabled (the cluster appears as a connected resource in Defender for Cloud).
Open the Recommendations view and check for container image vulnerability findings for the cluster's registries and running workloads; if none appear and the plan was enabled recently, allow time for the first scan to complete.
Using Azure CLI:
Use the following command to check whether the Defender for Containers plan is enabled on the subscription (ContainerRegistry is the legacy plan name; Containers is the consolidated plan that now covers registry image scanning and AKS runtime protection):
az security pricing show --name Containers
The output must report "pricingTier": "Standard". A value of "Free" means image scanning is not enabled. Then confirm that the Defender profile is enabled on the cluster itself:
az aks show --name <cluster-name> --resource-group <resource-group> --query securityProfile.defender.securityMonitoring.enabled
This must return true. If using a third-party scanning provider, verify that its integration with the registry or CI/CD pipeline is configured and that scan results are being produced for the images deployed to the cluster.
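The two CLI checks above can be combined into a single audit script. The following is an added example, not part of the original benchmark text, and assumes the output shape of the two az commands: a top-level "pricingTier" field from az security pricing show, and securityProfile.defender.securityMonitoring.enabled from az aks show. The sample JSON embedded below is constructed to illustrate those shapes and is not data from a real subscription; when az is on PATH and AKS_NAME and AKS_RG are set, the script queries the live subscription instead.

```shell
#!/bin/sh
# Added example (not from the original benchmark): audit the Defender for
# Containers plan tier and the cluster-level Defender profile from az output.
# Assumes: `az security pricing show --name Containers -o json` returns a
# top-level "pricingTier"; `az aks show -o json` returns
# securityProfile.defender.securityMonitoring.enabled.

# Flatten JSON (pretty-printed or compact) to one whitespace-free line so a
# single sed expression can extract a field regardless of az's formatting.
flatten_json() {
  tr -d '\n\r\t '
}

# Print the Defender plan tier ("Standard" or "Free") from `az security pricing show`.
plan_tier() {
  printf '%s' "$1" | flatten_json | sed -n 's/.*"pricingTier":"\([^"]*\)".*/\1/p'
}

# Print "true" or "false" for securityProfile.defender.securityMonitoring.enabled
# from `az aks show`; an absent or null defender profile counts as "false".
cluster_defender_enabled() {
  v=$(printf '%s' "$1" | flatten_json \
      | sed -n 's/.*"securityMonitoring":{"enabled":\([a-z]*\).*/\1/p')
  printf '%s' "${v:-false}"
}

# Combine both checks. Returns 0 only when the plan is Standard AND the cluster
# has the Defender profile enabled; otherwise prints the failing values and returns 1.
assess() {
  tier=$(plan_tier "$1")
  enabled=$(cluster_defender_enabled "$2")
  if [ "$tier" = "Standard" ] && [ "$enabled" = "true" ]; then
    echo "PASS: Defender for Containers plan=$tier, cluster Defender profile=$enabled"
    return 0
  fi
  echo "FAIL: Defender for Containers plan=${tier:-unknown}, cluster Defender profile=$enabled"
  return 1
}

# Constructed sample responses (shape only, not real subscription data).
SAMPLE_PLAN_STANDARD='{
  "name": "Containers",
  "pricingTier": "Standard",
  "freeTrialRemainingTime": "PT0S"
}'
SAMPLE_PLAN_FREE='{"name": "Containers", "pricingTier": "Free"}'
SAMPLE_AKS_ON='{
  "name": "prod-aks",
  "securityProfile": {
    "defender": {
      "logAnalyticsWorkspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/la-sec",
      "securityMonitoring": { "enabled": true }
    }
  }
}'
SAMPLE_AKS_OFF='{"name": "dev-aks", "securityProfile": {"defender": null}}'

# Live audit when az is available and the cluster is named via AKS_NAME/AKS_RG
# (hypothetical environment variable names chosen for this example); otherwise
# run the checks against the constructed samples.
if command -v az >/dev/null 2>&1 && [ -n "$AKS_NAME" ] && [ -n "$AKS_RG" ]; then
  assess "$(az security pricing show --name Containers -o json)" \
         "$(az aks show --name "$AKS_NAME" --resource-group "$AKS_RG" -o json)"
else
  assess "$SAMPLE_PLAN_STANDARD" "$SAMPLE_AKS_ON"
  assess "$SAMPLE_PLAN_FREE" "$SAMPLE_AKS_OFF" || true
fi
```

The script deliberately requires both conditions: the subscription-level plan pays for and enables registry image scanning, while the cluster-level Defender profile is what connects the AKS cluster's running workloads to Defender for Cloud. A Standard plan with the profile disabled on the cluster still leaves running images outside the scan scope.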
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to Microsoft Defender for Cloud, open Environment settings, and select the subscription that contains the Azure Kubernetes Service (AKS) cluster.
Set the Defender for Containers plan to On. This plan includes vulnerability scanning of images in Azure Container Registry (ACR) and of images running on the cluster.
Ensure the Defender profile is enabled on the AKS cluster (either through the plan's auto-provisioning settings or on the cluster's Microsoft Defender for Cloud blade) so that running workloads are in scope, and confirm that the registries the cluster pulls from are covered by scanning.
Using Azure CLI:
Enable the Defender for Containers plan on the subscription that contains the AKS cluster (Containers is the consolidated plan; ContainerRegistry is the legacy plan name it replaced):
az security pricing create --name Containers --tier Standard
Enable the Defender profile on the AKS cluster so that running workloads are covered as well as registry images:
az aks update --name <cluster-name> --resource-group <resource-group> --enable-defender
No ACR SKU change is required: Defender scanning is enabled by the subscription plan, not by a registry flag. If the registry's SKU is changed for other reasons, note that this does not by itself turn image scanning on.
Alternatively, if using a third-party provider, integrate it into your CI/CD pipeline to scan container images during the build process, and consider an admission policy on the cluster that rejects images without a passing scan result.
Backout Plan:
Using Azure Console:
If enabling image vulnerability scanning causes issues, revert the settings in the Azure portal by setting the Defender for Containers plan to Off for the subscription, or by disabling the Defender profile on the affected cluster, or switch to another scanning provider. Note that turning the plan off stops scanning for every cluster and registry in the subscription, not only the one with the issue.
Using Azure CLI:
Disable the Defender profile on the affected cluster if the issue is cluster-specific:
az aks update --name <cluster-name> --resource-group <resource-group> --disable-defender
Set the Defender for Containers plan back to the Free tier only if scanning must be disabled for the whole subscription:
az security pricing create --name Containers --tier Free
References:
Kubernetes Security Best Practices