Azure AKS Security Implementation
Azure Kubernetes Service integrates deeply with Azure Active Directory and Azure security services. AKS-managed Azure AD integration simplifies authentication while providing enterprise-grade identity management. Azure Policy for AKS enables governance at scale, enforcing security configurations across multiple clusters.
Azure AD pod-managed identities provide secure access to Azure resources without storing credentials. Similar to AWS IRSA and GKE Workload Identity, this feature enables fine-grained permissions for specific workloads. Integration with Azure Key Vault through the Secrets Store CSI Driver enables secure secret management without storing sensitive data in Kubernetes.
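# AKS cluster with security hardening.
#
# Argument names follow azurerm 3.x (the block already uses enable_auto_scaling,
# enable_host_encryption, oidc_issuer_enabled); several were renamed in 4.x
# (auto_scaling_enabled, host_encryption_enabled, ...) — confirm the pinned
# provider version before applying.

# Object IDs of the Azure AD groups that should hold cluster-admin rights.
# Kept as an explicit, reviewable input rather than derived from whichever
# principal happens to run Terraform.
variable "aks_admin_group_object_ids" {
  description = "Azure AD group object IDs granted cluster admin through Azure RBAC."
  type        = list(string)
}

resource "azurerm_kubernetes_cluster" "primary" {
  name                = "production-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "prod-aks"
  kubernetes_version  = "1.28.0"

  # A cluster identity is required (identity or service_principal); the
  # original block declared neither. This identity also needs wrap/unwrap
  # rights on azurerm_key_vault_key.cluster for key_management_service to
  # work — TODO confirm that role assignment exists elsewhere in the config.
  identity {
    type = "SystemAssigned"
  }

  # Private API server. These are top-level cluster arguments; the provider
  # rejects them inside network_profile, where they were previously placed.
  private_cluster_enabled             = true
  private_cluster_public_fqdn_enabled = false

  # Azure AD integration with Azure RBAC for Kubernetes authorization.
  azure_active_directory_role_based_access_control {
    managed            = true
    azure_rbac_enabled = true
    # Must be Azure AD *group* object IDs. The previous value was the object
    # ID of the principal running Terraform (data.azurerm_client_config),
    # which is not a group and would make the deploying identity a permanent
    # cluster admin.
    admin_group_object_ids = var.aks_admin_group_object_ids
  }

  # With Azure AD + Azure RBAC in place, disable the local certificate-based
  # admin account so every API-server access is tied to an Azure AD identity
  # and shows up in the audit trail.
  local_account_disabled = true

  # Network configuration.
  network_profile {
    network_plugin    = "azure"
    network_policy    = "calico"
    load_balancer_sku = "standard"
    # userDefinedRouting sends egress through a route table you control
    # (firewall/NVA). It requires the node pool to sit in a pre-created
    # subnet (vnet_subnet_id) carrying that route table — not shown on this
    # page, TODO confirm.
    outbound_type = "userDefinedRouting"
  }

  # System node pool with security settings.
  default_node_pool {
    name    = "system"
    vm_size = "Standard_DS2_v2"
    # `zones` is the 3.x argument; `availability_zones` was the pre-3.0 name
    # and is rejected by the 3.x provider the rest of this block targets.
    zones               = ["1", "2", "3"]
    enable_auto_scaling = true
    node_count          = 3
    min_count           = 3
    max_count           = 5

    # Encrypt the VM's temp and cache disks at the host.
    enable_host_encryption = true
    # Ephemeral OS disk: nothing persists beyond the VM's lifetime.
    # NOTE(review): the SKU's cache must be large enough to hold the OS
    # disk; check os_disk_size_gb against Standard_DS2_v2 before relying on
    # this setting.
    os_disk_type = "Ephemeral"

    # Node security: no public IPs, and only critical add-ons schedule here
    # (application workloads need a separate user node pool).
    enable_node_public_ip        = false
    only_critical_addons_enabled = true
  }

  # Encrypt etcd secrets with a customer-managed key (KMS plugin).
  key_management_service {
    key_vault_key_id = azurerm_key_vault_key.cluster.id
    # "Private": the vault is reached over private link, so the cluster must
    # be able to resolve and reach the vault's private endpoint.
    key_vault_network_access = "Private"
  }

  # Defender for Containers, sending findings to the security workspace.
  microsoft_defender {
    log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id
  }

  # Pod Security Policy has been removed from Kubernetes; the former
  # `pod_security_policy_enabled = false` line was at best a no-op (it is the
  # default) and is dropped. Enforce Pod Security Standards through namespace
  # labels and/or Azure Policy instead.

  # Workload identity: the OIDC issuer alone only publishes the discovery
  # document; workload_identity_enabled installs the webhook that projects
  # the federated token into pods that use an annotated ServiceAccount.
  oidc_issuer_enabled       = true
  workload_identity_enabled = true

  # Customer-managed key for node OS and data disks.
  disk_encryption_set_id = azurerm_disk_encryption_set.aks.id
}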
---
# Azure AD Workload Identity.
# ServiceAccount bound to an Azure AD identity through the two annotations
# below. Pods that should use it must set serviceAccountName to this account
# and carry the label azure.workload.identity/use: "true" so the mutating
# webhook injects the projected token. The all-zero GUIDs are placeholders —
# replace them with the real client ID and tenant ID.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa
  namespace: production
  annotations:
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
    azure.workload.identity/tenant-id: "00000000-0000-0000-0000-000000000000"
---
# Azure Policy assignment for AKS.
# Assigns a built-in policy initiative (per the page, the pod security
# baseline standards set — verify the GUID) at cluster scope with a Deny
# effect.
# NOTE(review): azurerm_policy_assignment was removed in azurerm 3.x in
# favour of scope-specific resources (azurerm_resource_policy_assignment with
# resource_id for a single cluster). The cluster resource in this file uses
# 3.x argument names, so confirm the pinned provider version.
resource "azurerm_policy_assignment" "aks_baseline" {
  name                 = "aks-baseline-standards"
  scope                = azurerm_kubernetes_cluster.primary.id
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d"
  parameters = jsonencode({
    # NOTE(review): the Kubernetes (Gatekeeper-based) policy definitions list
    # their allowed effects in lower case (audit/deny/disabled); confirm
    # "Deny" is accepted for this initiative's effect parameter.
    effect = {
      value = "Deny"
    }
    # System namespaces are excluded so AKS-managed add-ons are not blocked.
    excludedNamespaces = {
      value = ["kube-system", "kube-public", "kube-node-lease", "gatekeeper-system"]
    }
  })
  # A managed identity is only needed for remediating effects
  # (DeployIfNotExists/Modify); it is harmless with Deny, but presumably the
  # provider requires `location` whenever identity is set — TODO confirm.
  identity {
    type = "SystemAssigned"
  }
}
---
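# Key Vault integration via the Secrets Store CSI Driver (Azure provider).
#
# Authenticates with Azure AD Workload Identity (clientID) instead of the
# node's VM managed identity. With useVMManagedIdentity the kubelet identity
# is shared by every pod scheduled on the node, so any workload could mount
# these secrets; with workload identity only pods running as a federated
# ServiceAccount (e.g. workload-identity-sa) can read them. Such pods must
# also carry the label azure.workload.identity/use: "true".
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-keyvault-secrets
  namespace: production
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    # Client ID of the identity federated with the workload ServiceAccount.
    # Placeholder — replace with the real value.
    clientID: "00000000-0000-0000-0000-000000000000"
    keyvaultName: "prod-keyvault"
    cloudName: "AzurePublicCloud"
    tenantId: "00000000-0000-0000-0000-000000000000"
    # `objects` is a string containing YAML, hence the block scalar. Each
    # entry names a vault secret and the filename (alias) it is mounted as.
    objects: |
      array:
        - |
          objectName: database-password
          objectType: secret
          objectAlias: DB_PASSWORD
        - |
          objectName: storage-key
          objectType: secret
          objectAlias: STORAGE_KEY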
Microsoft Defender for Containers provides runtime security and compliance monitoring for AKS clusters. This cloud-native security solution detects threats, provides security recommendations, and enables compliance assessment against standards like CIS benchmarks. Integration with Azure Sentinel enables advanced threat hunting and security orchestration.