Strenghten your Azure Kubernetes cluster security: The top 5 must haves!

Microsoft’s Azure Kubernetes Services has many built-in security features. Additional ones are available as add-ons that can be configured from the Azure Controle plane. But what configurations should you use?

We will dive into the minimal set of configurations (so the absolute must-haves) you need to secure your cluster. Hop on and make sure that you use these practices as a starting point to build upon. Let’s begin!

Published: 05 December 2023

Must have 1: Entra ID Authentication

The safety of your AKS cluster’s control plane should be a top priority and Entra ID authentication enhances this protection. Typically, Kubernetes relies on the Kube configuration file stored on a user’s device. Sharing this file is risky as it can compromise your cluster. By integrating Entra ID into your Kubernetes control plan, you basically integrate an extra security dimension. This means that, even for config file-based approaches, Entra ID authentication becomes mandatory and can support multi-factor authentication when activated. It therefore ensures both, individual cluster security and centralized user management, across various clusters.


Must have 2: Entra ID Role-based access control (RBAC) 

Boost the security of your cluster with Azure’s role-based access control (RBAC). Though Kubernetes has its own RBAC, Azure’s AD Authentication improves upon it. With Entra ID role-based access control, you can allocate distinct roles to users and groups, guaranteeing that only approved individuals can access key AKS resources. This simplifies RBAC oversight within Azure.


Must have 3: Network Security

Container systems like Kubernetes are complex, making secure connectivity crucial.

These container solutions consist of many interlinked parts. We aim to provide these components with the essential network access they need while restricting other access points.

When you are setting up AKS, you mainly have three network policy choices:

• Azure network policy manager

• Calico network policies

• Cilium network policies

Only when using the Cilium data plane, the Container Networking Interface (CNI) that you choose, can offer additional networking and security features. Cilium for instance.

Select the best networking stack for your requirements and set up network policies right away. Because effective network security starts with a well-planned design.


Must have 4: ‘Managed identity’

Integrating Managed identity with AKS boosts security as there is a reduced need to store credentials (e.g. Service Principals) that can eventually expire.

In AKS, managed identities operate at multiple levels, from the AKS control plan to the tasks performed on the platform. For instance, they can be used to access the Azure Key Vault to pull secrets, keys, or certificates.


Must have 5: Key Vault

It is important to protect your sensitive information (e.g. API tokens, connection strings, and passwords). Among the best practices, using Azure Key Vault with AKS would stand out immediately.

When integrated with AKS, Azure Key Vault offers a superior approach to Kubernetes. It centralizes the storage of secrets for your pods, containers, and apps. The add-on ensures that data is stored inside the container for app access, rather than directly in AKS files. If you wish, you can also access Key Vault directly with Entra ID.


Key takeaway:

Securing your Azure Kubernetes Service cluster doesn’t have a single ‘magic’ solution. It requires a combination of add-ons, settings, and design strategies.

There are many security options available, both from Azure and third parties such as CNCF. Begin by following the best practices outlined in this section and adjust them based on your changing needs.

Benieuwd wat we voor u kunnen betekenen?

Need further insight and enhanced security for your Azure environment?

Seize this opportunity and request a free Security Scan now!