
Check for CNI Plugin Version


Risk Level: Medium (should be achieved)

Ensure that your Azure Kubernetes Service (AKS) clusters are configured to use the latest version of the Container Networking Interface (CNI) plugin for managing network access. The CNI plugin used must support Kubernetes network policies.

Security
Operational excellence

Network policies are Kubernetes resources that allow you to control the traffic between pods and services within the cluster. These policies are useful for enforcing security policies, isolating applications, and debugging network connectivity issues. Network policies rely on the Container Networking Interface (CNI) plugin for enforcement. Using an outdated or unsupported CNI plugin can prevent effective traffic restriction within your AKS cluster.


Audit

To determine if your AKS clusters are using the latest version of the CNI plugin, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, under Settings, select Networking.

07 Choose the Overview tab to access the essential networking configuration settings available for the selected AKS cluster.

08 In the Network profile section, check the Network policy attribute value. If Network policy is set to None, the CNI plugin configured for the selected AKS cluster is not enforcing network policies; the Audit process ends here. If Network policy is set to Azure, Calico, or Cilium, continue the Audit process with the next step.

09 In the resource navigation panel, under Settings, select Cluster configuration.

10 In the Upgrade section, choose Upgrade version for Kubernetes version, and check the Kubernetes version currently installed on your AKS cluster, as shown in the Kubernetes version dropdown list. If the selected Azure Kubernetes Service (AKS) cluster is not running the latest stable version of Kubernetes, the CNI plugin installed on this cluster is outdated.

11 Repeat steps no. 5 – 10 for each AKS cluster provisioned in the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:

az aks list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AKS cluster names:

Name                    ResourceGroup
-----------------------  ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to determine if the Azure CNI plugin is installed on the selected AKS cluster:

az aks show \
	--name cc-project5-aks-cluster \
	--resource-group cloud-shell-storage-westeurope \
	--query 'networkProfile.networkPlugin'

07 The command output should return the name of the networking plugin used by the selected cluster. If the aks show command output returns "kubenet", the Audit process ends here. If the command output returns "azure", the Azure CNI plugin is installed on the selected cluster and you can continue the Audit process with the next step:

"azure"

08 Run aks show command (Windows/macOS/Linux) to determine the network policy enforced by the Container Networking Interface (CNI) plugin for the selected AKS cluster:

az aks show \
	--name cc-project5-aks-cluster \
	--resource-group cloud-shell-storage-westeurope \
	--query 'networkProfile.networkPolicy'

09 The command output should return the name of the network policy used by the CNI plugin. If the aks show command output returns "none", the CNI plugin configured for the selected AKS cluster is not enforcing network policies; the Audit process ends here. If the command output returns "azure", "calico", or "cilium", you can continue the Audit process with the next step:

"azure"

10 Run aks get-upgrades command (Windows/macOS/Linux) to describe the version of the Kubernetes software installed on the selected AKS cluster and the latest stable Kubernetes version(s) available for upgrade:

az aks get-upgrades \
	--name cc-project5-aks-cluster \
	--resource-group cloud-shell-storage-westeurope \
	--output table

11 The command output should return a table with the requested Kubernetes details:

Name     ResourceGroup                   MasterVersion    Upgrades
-------  ------------------------------  ---------------  --------------------------------------
default  cloud-shell-storage-westeurope  1.30.9           1.31.1, 1.31.2, 1.31.3, 1.31.4, 1.31.5

The version(s) listed in the Upgrades column represent the latest available version(s) of the Kubernetes software that can be installed on the selected AKS cluster. If the version listed for MasterVersion and/or NodePoolVersion is different from the newest one available in the Upgrades column, the selected Azure Kubernetes Service (AKS) cluster is not using the latest available version of Kubernetes. As a result, the CNI plugin installed on this cluster is outdated.

12 Repeat steps no. 6 - 11 for each AKS cluster available within the selected Azure subscription.

13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
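The Azure CLI steps above are easy to script for an account with many subscriptions and clusters. The following Python program is an added example (not code from the KB page or from Trend Micro): it applies the decision logic of steps 06 to 11 to the JSON that `az aks show` and `az aks get-upgrades` return, and reports a finding per cluster together with the newest available version, which is the value the Remediation section passes to `az aks upgrade --kubernetes-version`. The `az_json()` wrapper that shells out to the Azure CLI is an assumed helper that needs a logged-in `az`; the field names `controlPlaneProfile.kubernetesVersion`, `controlPlaneProfile.upgrades[].kubernetesVersion` and `isPreview` are assumed from the CLI's JSON output of `az aks get-upgrades`. The evaluation functions are pure, so they run offline against the constructed sample documents embedded below.

```python
"""Audit AKS clusters for an outdated CNI plugin (added example, not from the KB page).

Mirrors Audit steps 06-11 of the Azure CLI section: read networkPlugin and
networkPolicy from `az aks show`, then compare the control plane version with
the newest version offered by `az aks get-upgrades`.
"""
import json
import subprocess
from typing import Optional


def parse_version(v: str) -> tuple:
    """'1.31.5' -> (1, 31, 5). Tuples compare numerically, so 1.10 > 1.9;
    comparing the raw strings would get that wrong."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def newest_upgrade(upgrade_profile: dict) -> Optional[str]:
    """Highest non-preview version in the 'Upgrades' column, or None when the
    cluster is already at the newest version (the CLI then returns upgrades: null).
    Field names are assumed from the Azure CLI JSON output."""
    cp = upgrade_profile.get("controlPlaneProfile") or {}
    versions = [u["kubernetesVersion"] for u in (cp.get("upgrades") or [])
                if not u.get("isPreview")]
    return max(versions, key=parse_version) if versions else None


def evaluate_cluster(show: dict, upgrades: dict) -> dict:
    """Apply the KB decision steps to one cluster and return a finding."""
    net = show.get("networkProfile") or {}
    plugin = (net.get("networkPlugin") or "").lower()
    policy = (net.get("networkPolicy") or "none").lower()
    finding = {"name": show.get("name"), "plugin": plugin, "policy": policy,
               "status": "PASS", "reason": "", "target_version": None}
    if plugin != "azure":
        # Step 07: kubenet (or anything but Azure CNI) ends the audit;
        # Remediation step 04 covers installing the Azure CNI plugin.
        finding.update(status="SKIPPED", reason=f"network plugin is {plugin!r}, not Azure CNI")
        return finding
    if policy == "none":
        # Step 09: the CNI plugin is not enforcing network policies.
        finding.update(status="FAIL", reason="network policy is none")
        return finding
    # Steps 10-11: compare MasterVersion with the newest entry in Upgrades.
    current = ((upgrades.get("controlPlaneProfile") or {}).get("kubernetesVersion")
               or show.get("kubernetesVersion"))
    newest = newest_upgrade(upgrades)
    if newest and current and parse_version(newest) > parse_version(current):
        finding.update(status="FAIL", target_version=newest,
                       reason=f"running {current}; {newest} available, CNI plugin outdated")
    else:
        finding["reason"] = f"running {current}, the newest available version"
    return finding


def az_json(*args: str):
    """Assumed wrapper: run an Azure CLI command and parse its JSON output
    (None for commands such as `az account set` that print nothing)."""
    out = subprocess.run(["az", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def audit_subscription(subscription_id: str) -> list:
    """Steps 03-12: activate the subscription, list its AKS clusters, evaluate each."""
    az_json("account", "set", "--subscription", subscription_id)
    findings = []
    for c in az_json("aks", "list") or []:
        ident = ["--name", c["name"], "--resource-group", c["resourceGroup"]]
        findings.append(evaluate_cluster(az_json("aks", "show", *ident),
                                         az_json("aks", "get-upgrades", *ident)))
    return findings


# Constructed sample documents; the values mirror the KB page's example cluster.
SAMPLE_SHOW = {
    "name": "cc-project5-aks-cluster",
    "kubernetesVersion": "1.30.9",
    "networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"},
}
SAMPLE_UPGRADES = {
    "controlPlaneProfile": {
        "kubernetesVersion": "1.30.9",
        "upgrades": [{"isPreview": None, "kubernetesVersion": v}
                     for v in ("1.31.1", "1.31.2", "1.31.3", "1.31.4", "1.31.5")],
    }
}

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # steps 01-02, then the per-subscription loop (steps 03-13)
        for sub_id in az_json("account", "list", "--query", "[*].id"):
            for f in audit_subscription(sub_id):
                print(json.dumps(f))
    else:  # offline: evaluate the constructed sample cluster
        print(json.dumps(evaluate_cluster(SAMPLE_SHOW, SAMPLE_UPGRADES), indent=2))
```

Run it without arguments to see the sample cluster flagged as FAIL with `target_version` 1.31.5; run it with `--live` from a shell where `az login` has been completed to walk every subscription in the account. A cluster whose `az aks get-upgrades` output has `upgrades: null` (already at the newest version) is reported as PASS rather than crashing, and preview versions are ignored so the script never recommends a preview release as the upgrade target.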

Remediation / Resolution

To ensure that your Azure Kubernetes Service (AKS) clusters are configured with the latest version of the Container Networking Interface (CNI) plugin for managing network access, you must upgrade the AKS clusters to the latest version of the Kubernetes software. To upgrade your AKS clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to configure.

06 If the selected AKS cluster is not using the Azure CNI plugin for managing network access, follow the instructions outlined on this KB page to install the required CNI plugin.

07 If the selected AKS cluster is not configured to use network policies (enforced by the CNI plugin), follow the steps outlined on this KB page to enable support for network policies.

08 In the resource navigation panel, under Settings, select Cluster configuration.

09 In the Upgrade section, choose Upgrade version for Kubernetes version, then choose the latest supported version of the Kubernetes software from the Kubernetes version dropdown list. Choose Save to apply the configuration changes and start the upgrade process. Upgrading your AKS cluster may take up to 10 minutes per node.

10 Repeat steps no. 5 – 9 for each AKS cluster provisioned in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 If the AKS cluster that you want to configure is not using the Azure CNI plugin for managing network access, follow the instructions outlined on this KB page to install the required CNI plugin.

05 If the AKS cluster that you want to upgrade is not configured to use network policies (enforced by the CNI plugin), follow the steps outlined on this KB page to enable support for network policies.

06 Run aks upgrade command (Windows/macOS/Linux) to upgrade the selected AKS cluster to the latest stable version of the Kubernetes software (in this case, Kubernetes 1.31.5). This will also upgrade the Container Networking Interface (CNI) plugin installed on the cluster to the latest version. The upgrade will roll out safely in stages so your container applications can continue to run while the upgrade is in progress. Upgrading your cluster may take up to 10 minutes per node:

az aks upgrade \
	--name cc-project5-aks-cluster \
	--resource-group cloud-shell-storage-westeurope \
	--kubernetes-version 1.31.5

07 The aks upgrade command request should ask for your confirmation. Type y and press Enter to confirm:

Kubernetes may be unavailable during cluster upgrades.
Are you sure you want to perform this operation? (y/n): y

08 Once the upgrade process is completed, the command output should return the configuration information available for the configured cluster:

{
	"aadProfile": {
		"adminGroupObjectIDs": null,
		"adminUsers": null,
		"clientAppId": null,
		"enableAzureRbac": true,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},

	...

	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"upgradeSettings": null,
	"windowsProfile": {
		"adminPassword": null,
		"adminUsername": "azureuser",
		"enableCsiProxy": true,
		"licenseType": null
	}
}

09 Repeat steps no. 6 - 8 for each AKS cluster deployed within the current Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.


Publication date Mar 25, 2024