Enable Image Integrity for AKS Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Azure Kubernetes Service (AKS) clusters are configured to use Image Integrity in order to validate signed images before deploying them. Image Integrity for Azure Kubernetes Service (AKS) clusters is a feature that ensures container images are secure and have not been tampered with. It verifies the integrity of images by using cryptographic signatures and policies, ensuring that only trusted and unaltered images are deployed.

Security

Enabling Image Integrity for Azure Kubernetes Service (AKS) clusters helps protect against deploying compromised or tampered container images, ensuring that only trusted, secure images are used, which enhances the overall security of your applications and infrastructure.


Audit

To determine if Image Integrity is enabled for your Azure Kubernetes Service (AKS) clusters, perform the following operations:

Checking the Image Integrity feature status for AKS clusters using Microsoft Azure Portal (Azure Console) is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:

az aks list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AKS cluster names:

Name                    ResourceGroup
----------------------  ------------------------------
cc-data-mining-cluster  cloud-shell-storage-westeurope
cc-project5-cluster     cloud-shell-storage-westeurope

06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to determine if the Azure Policy add-on is enabled for the selected AKS cluster. Azure Policy add-on for AKS is required for enabling the Image Integrity feature:

az aks show \
  --name cc-data-mining-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --query 'addonProfiles.azurepolicy.enabled'

07 The command output should return the Azure Policy add-on status (true for enabled, false for disabled):

false

If the aks show command output returns false, the Azure Policy add-on for AKS is not installed on the selected Azure Kubernetes Service (AKS) cluster; because Image Integrity depends on this add-on, the Audit process ends here. If the command output returns true, continue the Audit process with the next step.

08 Run aks show command (Windows/macOS/Linux) to determine if the Image Integrity feature is enabled for the selected AKS cluster:

az aks show \
  --name cc-data-mining-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --query '{imageIntegrity:securityProfile.imageIntegrity.enabled}'

09 The command output should return the requested feature status (true for enabled, null or false for disabled):

{
	"imageIntegrity": false
}

If the aks show command output returns null or false, as shown in the example above, the Image Integrity feature is not enabled for the selected Azure Kubernetes Service (AKS) cluster.

10 Repeat steps no. 6 – 9 for each AKS cluster available within the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
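The eleven Audit steps above, collected into one script. This is an added example, not part of the Conformity page and not Azure's own tooling. It assumes the az CLI is installed and logged in, and it runs only the commands shown in the steps above (az account list, az account set, az aks list, az aks show) with --output json. The pass/fail rule from steps 7 and 9 is isolated in evaluate_cluster so it can be checked offline against the constructed cluster documents at the end of the block; those documents carry placeholder values and mirror only the shape of the real az aks show output.

```python
"""Audit Image Integrity on every AKS cluster visible to the current az login.

Added example; not code from the Conformity page or from Microsoft.
Assumes: `az` installed and logged in. Only commands shown on the page are used.
"""
import json
import subprocess


def run_az(*args: str):
    """Run one az command with JSON output and return the parsed result.

    `az account set` prints nothing, so an empty stdout maps to None.
    """
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def evaluate_cluster(cluster: dict) -> str:
    """Apply the page's decision rule to one `az aks show` document.

    Step 7: without the Azure Policy add-on the audit ends (non-compliant).
    Step 9: Image Integrity must read true; null and false both mean disabled.
    """
    addons = cluster.get("addonProfiles") or {}
    policy_enabled = (addons.get("azurepolicy") or {}).get("enabled")
    if policy_enabled is not True:
        return "NON_COMPLIANT: Azure Policy add-on disabled"
    security = cluster.get("securityProfile") or {}
    integrity_enabled = (security.get("imageIntegrity") or {}).get("enabled")
    if integrity_enabled is not True:
        return "NON_COMPLIANT: Image Integrity disabled"
    return "COMPLIANT"


def audit_subscription(subscription_id: str) -> dict:
    """Steps 3-10: select one subscription and evaluate every cluster in it."""
    run_az("account", "set", "--subscription", subscription_id)
    results = {}
    clusters = run_az("aks", "list", "--query",
                      "[*].{name:name, resourceGroup:resourceGroup}") or []
    for c in clusters:
        doc = run_az("aks", "show", "--name", c["name"],
                     "--resource-group", c["resourceGroup"])
        results[f'{c["resourceGroup"]}/{c["name"]}'] = evaluate_cluster(doc)
    return results


def audit_all_subscriptions() -> dict:
    """Steps 1-11: repeat the per-subscription audit for every subscription."""
    results = {}
    for sub_id in run_az("account", "list", "--query", "[*].id") or []:
        results[sub_id] = audit_subscription(sub_id)
    return results


# Constructed sample documents (placeholder values, real output shape) covering
# the three states the audit distinguishes.
SAMPLE_NO_POLICY_ADDON = {
    "name": "c1", "addonProfiles": {"azurepolicy": {"enabled": False}}}
SAMPLE_POLICY_NO_INTEGRITY = {
    "name": "c2", "addonProfiles": {"azurepolicy": {"enabled": True}},
    "securityProfile": {"imageIntegrity": None}}          # null as in step 9
SAMPLE_COMPLIANT = {
    "name": "c3", "addonProfiles": {"azurepolicy": {"enabled": True}},
    "securityProfile": {"imageIntegrity": {"enabled": True}}}

if __name__ == "__main__":
    for sub, clusters in audit_all_subscriptions().items():
        for cluster, verdict in clusters.items():
            print(f"{sub}  {cluster}  {verdict}")
```

Run it as a script to audit the live account; import it to reuse evaluate_cluster on output you already have saved from az aks show (the two non-compliant verdicts are deliberately distinct, since the first one means remediation must start with the add-on rather than with the Image Integrity flag).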

Remediation / Resolution

To enable the Image Integrity feature for your Azure Kubernetes Service (AKS) clusters, perform the following operations:

Enabling Image Integrity for AKS clusters using Microsoft Azure Portal (Azure Console) is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run extension add command (Windows/macOS/Linux) to install the aks-preview Azure CLI extension. This extension provides access to new and upcoming Azure Kubernetes Service (AKS) features that are still in preview (the command does not produce an output):

az extension add --name aks-preview

05 Run feature register command (Windows/macOS/Linux) to register the EnableImageIntegrityPreview feature flag for the selected Azure subscription:

az feature register \
  --namespace "Microsoft.ContainerService" \
  --name "EnableImageIntegrityPreview"

06 The command output should return the registration information available for the EnableImageIntegrityPreview feature:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/EnableImageIntegrityPreview",
	"name": "Microsoft.ContainerService/EnableImageIntegrityPreview",
	"properties": {
	  "state": "Registering"
	},
	"type": "Microsoft.Features/providers/features"
}

07 Run feature register command (Windows/macOS/Linux) to register the AKS-AzurePolicyExternalData feature flag for the selected Azure subscription:

az feature register \
  --namespace "Microsoft.ContainerService" \
  --name "AKS-AzurePolicyExternalData"

08 The command output should return the registration information available for the AKS-AzurePolicyExternalData feature:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/AKS-AzurePolicyExternalData",
	"name": "Microsoft.ContainerService/AKS-AzurePolicyExternalData",
	"properties": {
		"state": "Registering"
	},
	"type": "Microsoft.Features/providers/features"
}

09 Run provider register command (Windows/macOS/Linux) to refresh the registration of the Microsoft.ContainerService resource provider for the selected subscription, so that the newly registered feature flags take effect:

az provider register --namespace Microsoft.ContainerService

10 Run aks addon enable command (Windows/macOS/Linux) to install the Azure Policy add-on for Azure Kubernetes Service (AKS). This add-on is required for enabling the Image Integrity feature on your AKS clusters:

az aks addon enable \
  --addon azure-policy \
  --name cc-data-mining-cluster \
  --resource-group cloud-shell-storage-westeurope

11 The command output should return the configuration information available for the modified AKS cluster:

{
	"aadProfile": {
		"adminGroupObjectIDs": null,
		"adminUsers": null,
		"clientAppId": null,
		"enableAzureRbac": true,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},
	"addonProfiles": {
		"azureKeyvaultSecretsProvider": {
			"config": null,
			"enabled": false,
			"identity": null
		},
		"azurepolicy": {
			"config": null,
			"enabled": true,
			"identity": {
				"objectId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
				"resourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/MC_cloud-shell-storage-westeurope_cc-data-mining-cluster_westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/azurepolicy-cc-data-mining-cluster"
			}
		}
	},

	...

	"storageProfile": {
		"blobCsiDriver": null,
		"diskCsiDriver": {
			"enabled": true,
			"version": "v1"
		},
		"fileCsiDriver": {
			"enabled": true
		},
		"snapshotController": {
			"enabled": true
		}
	},
	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"upgradeSettings": null,
	"windowsProfile": {
		"adminPassword": null,
		"adminUsername": "azureuser",
		"enableCsiProxy": true,
		"gmsaProfile": null,
		"licenseType": null
	},
	"workloadAutoScalerProfile": {
		"keda": null,
		"verticalPodAutoscaler": null
	}
}

12 Run aks update command (Windows/macOS/Linux) to enable the OIDC issuer for the selected AKS cluster. Enabling the OIDC issuer on an existing AKS cluster changes the service account token issuer to a new value, which can cause downtime because the Kubernetes API server is restarted. Skip this step if the OIDC issuer is already enabled on your AKS cluster:

az aks update \
  --name cc-data-mining-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --enable-oidc-issuer

13 The command output should return the configuration information available for the modified cluster:

{
	"aadProfile": {
		"adminGroupObjectIDs": null,
		"adminUsers": null,
		"clientAppId": null,
		"enableAzureRbac": true,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},

	...

	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"upgradeSettings": null,
	"windowsProfile": {
		"adminPassword": null,
		"adminUsername": "azureuser",
		"enableCsiProxy": true,
		"gmsaProfile": null,
		"licenseType": null
	}
}

14 Run aks update command (Windows/macOS/Linux) to enable the Image Integrity feature for the selected Azure Kubernetes Service (AKS) cluster:

az aks update \
  --name cc-data-mining-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --enable-image-integrity

15 The command output should return the configuration information available for the modified AKS cluster:

{
	"aadProfile": {
		"adminGroupObjectIDs": [
			"abcdabcd-1234-abcd-1234-abcdabcdabcd"
		],
		"clientAppId": null,
		"enableAzureRbac": true,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},

	...

	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"upgradeSettings": null,
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null,
		"verticalPodAutoscaler": null
	}
}

16 Repeat steps no. 10 – 15 for each AKS cluster that you want to configure, available within the selected Azure subscription.

17 Repeat steps no. 3 – 16 for each subscription created in your Microsoft Azure cloud account.
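Remediation steps 4 through 15 as one idempotent script. This is an added example, not code from the Conformity page or from Microsoft. It assumes the az CLI is logged in with the target subscription already selected (steps 1 to 3). Beyond the commands shown above it uses az extension add --upgrade (so re-running does not fail on an already installed aks-preview extension) and az feature show, which reads back the registration state that az feature register leaves at "Registering" in steps 6 and 8; waiting for "Registered" before az provider register is the check a practitioner wants, since the flags are not usable until then. The planning step reads oidcIssuerProfile.enabled from az aks show so that the API-server restart of step 12 is only incurred when the issuer is actually disabled, and it is a pure function so it can be tested offline against the constructed documents at the end of the block.

```python
"""Plan and apply the Image Integrity remediation for one AKS cluster.

Added example; not code from the Conformity page or from Microsoft.
Assumes: `az` logged in, subscription already selected (steps 1-3).
"""
import json
import subprocess
import time

NAMESPACE = "Microsoft.ContainerService"
PREVIEW_FEATURES = ("EnableImageIntegrityPreview", "AKS-AzurePolicyExternalData")


def run_az(*args: str):
    """Run one az command with JSON output; empty stdout maps to None."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def plan_remediation(cluster: dict) -> list:
    """Return the az commands (steps 10, 12, 14) still needed for this cluster.

    Steps whose target state already holds are skipped, so the plan is
    idempotent and --enable-oidc-issuer runs only when the issuer is off.
    """
    target = ["--name", cluster["name"], "--resource-group", cluster["resourceGroup"]]
    plan = []
    addons = cluster.get("addonProfiles") or {}
    if (addons.get("azurepolicy") or {}).get("enabled") is not True:
        plan.append(["aks", "addon", "enable", "--addon", "azure-policy", *target])
    if (cluster.get("oidcIssuerProfile") or {}).get("enabled") is not True:
        plan.append(["aks", "update", *target, "--enable-oidc-issuer"])
    security = cluster.get("securityProfile") or {}
    if (security.get("imageIntegrity") or {}).get("enabled") is not True:
        plan.append(["aks", "update", *target, "--enable-image-integrity"])
    return plan


def register_preview_features(poll_seconds: int = 15, timeout_seconds: int = 900) -> None:
    """Steps 4-9: install aks-preview, register both flags, wait for
    "Registered", then refresh the resource provider registration."""
    run_az("extension", "add", "--upgrade", "--name", "aks-preview")
    for feature in PREVIEW_FEATURES:
        run_az("feature", "register", "--namespace", NAMESPACE, "--name", feature)
    deadline = time.monotonic() + timeout_seconds
    for feature in PREVIEW_FEATURES:
        while True:
            state = run_az("feature", "show", "--namespace", NAMESPACE,
                           "--name", feature, "--query", "properties.state")
            if state == "Registered":
                break
            if time.monotonic() > deadline:
                raise TimeoutError(f"{feature} is still {state!r} after {timeout_seconds}s")
            time.sleep(poll_seconds)
    run_az("provider", "register", "--namespace", NAMESPACE)


def remediate_cluster(name: str, resource_group: str, dry_run: bool = True) -> list:
    """Steps 10-15 for one cluster; with dry_run=True the plan is only returned."""
    cluster = run_az("aks", "show", "--name", name, "--resource-group", resource_group)
    plan = plan_remediation(cluster)
    if not dry_run:
        for cmd in plan:
            run_az(*cmd)
    return plan


# Constructed sample documents (page's example names, placeholder state).
_TARGET = {"name": "cc-data-mining-cluster",
           "resourceGroup": "cloud-shell-storage-westeurope"}
SAMPLE_FRESH = {**_TARGET, "addonProfiles": {"azurepolicy": {"enabled": False}}}
SAMPLE_OIDC_ONLY = {**_TARGET,
                    "addonProfiles": {"azurepolicy": {"enabled": True}},
                    "oidcIssuerProfile": {"enabled": True},
                    "securityProfile": {"imageIntegrity": None}}
SAMPLE_DONE = {**_TARGET,
               "addonProfiles": {"azurepolicy": {"enabled": True}},
               "oidcIssuerProfile": {"enabled": True},
               "securityProfile": {"imageIntegrity": {"enabled": True}}}

if __name__ == "__main__":
    register_preview_features()
    for cmd in remediate_cluster(_TARGET["name"], _TARGET["resourceGroup"], dry_run=True):
        print("would run: az", " ".join(cmd))
```

Running the script prints the plan without changing anything; pass dry_run=False to apply it, and call remediate_cluster once per cluster name returned by az aks list to cover step 16. Registering the feature flags is per subscription, so register_preview_features is called once before the cluster loop rather than once per cluster.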

Publication date Oct 21, 2024