Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

AKS security patches and updates [Feature] #3225

Open leogtx opened 1 year ago

leogtx commented 1 year ago

This request is specifically for Azure managed services like AKS. Normally, when a vulnerability is published for AKS or the underlying node images or OS, we should be informed of it by Azure itself; instead, we go through our threat intelligence forums and do the analysis of vulnerable versions running on our AKS clusters ourselves.

E.g. the Dirty Cred vulnerability: here the underlying image / operating system (assume we are using Ubuntu) is vulnerable to it. Azure did not inform us of this, because it is an Ubuntu vulnerability. But from our point of view, we are getting a managed service from Azure, where they provide the server, image and OS for our AKS clusters. In this case, Azure should be liable to inform us of such things, so we can plan upgrading to non-vulnerable versions. When we purchase a managed service, we expect you to inform us if any security vulnerabilities exist in the currently running versions. It should not be limited to basic security updates; if anything comes up where we need to upgrade at the kernel or cluster level, that should come from the Azure side.

Please consider this and implement a notification mechanism for such.

Thanks.


ghost commented 1 year ago

Action required from @Azure/aks-pm

ghost commented 1 year ago

Issue needing attention of @Azure/aks-leads

CocoWang-wql commented 1 year ago

For a dynamic list to show vulnerabilities in one cluster, we plan to integrate Defender and make it visible in the Azure portal.

kaarthis commented 4 months ago

My understanding is that you are requesting better proactive communication for Canonical-related security patches (the Unmanaged channel), right? This is unfortunately not in AKS's control. However, we highly recommend you switch to managed node OS security options such as NodeImage or SecurityPatch (preview), which come with internal testing and SDP, and honor maintenance windows, cordon/drain, PDBs, etc.: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-os-image . Let me know if you have further concerns.