Best practice rules for AKS
Trend Micro Cloud One™ – Conformity monitors AKS with the following rules:
- Check for Kubernetes Version
Ensure that AKS clusters are using the latest available version of Kubernetes software.
- Enable Defender for Cloud for AKS Clusters
Ensure that Microsoft Defender for Cloud is enabled for AKS clusters.
- Enable Kubernetes Role-Based Access Control
Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters.
- Kubernetes API Version
Ensure that AKS clusters are using the latest version of the Kubernetes API.
- Secure Access to Kubernetes API Server Using Authorized IP Address Ranges
Ensure that public access to the Kubernetes API server is restricted to authorized IP address ranges.
- Use Azure CNI Add-On for Managing Network Resources
Ensure that the Azure Container Networking Interface (CNI) add-on is used for managing network resources.
- Use Azure Container Networking Interface (CNI) for AKS Clusters
Ensure that Azure CNI networking mode is configured for Azure Kubernetes clusters.
- Use Microsoft Entra ID Integration for AKS Clusters
Ensure that Microsoft Entra ID integration is enabled for Azure Kubernetes clusters.
- Use Network Contributor Role for Managing Azure Network Resources
Ensure that AKS clusters are configured to use the Network Contributor role.
- Use Private Key Vaults for Encryption at Rest in Azure Kubernetes Service (AKS)
Ensure that Azure Kubernetes clusters are using a private Key Vault for encrypting secret data at rest.
- Use System-Assigned Managed Identities for AKS Clusters
Ensure that AKS clusters are using system-assigned managed identities.
- Use User-Assigned Managed Identities for AKS Clusters
Ensure that AKS clusters are using user-assigned managed identities.