MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

AKS base image and security scanners #38440

Closed xSilverboltx closed 5 years ago

xSilverboltx commented 5 years ago

Please add in a section or additional information to the security issues and patching section regarding false positives or generic vulnerability information produced by 3rd-party scanners for customers that may want the base AKS image to be hardened or altered.

https://docs.microsoft.com/en-us/azure/aks/support-policies#security-issues-and-patching

I do understand that the unsupported section does have a statement about not supporting 3rd party scanners but there is no statement about vulnerabilities found by 3rd party scanners.

https://docs.microsoft.com/en-us/azure/aks/support-policies#aks-support-coverage

Third-party closed-source software. This software can include security scanning tools and networking devices or software



mimckitt commented 5 years ago

Thanks for the feedback! I have assigned the issue to the content author to investigate further and update the document as appropriate.

CC @mlearned

jnoller commented 5 years ago

I will have to think about this request. 3rd-party open-source or closed-source vulnerability tools are outside of our control, including what CVEs, patches, or issues they are tracking. Due to this, a document enumerating all possible issues reported by scanning tools is not feasible.

As AKS does not support custom OS images, we are evaluating plans for a smaller purpose-built Linux distribution for customers requiring a smaller surface.

Users are warned that SSHing into worker nodes to install tools, modify, etc. will not work as expected, as those changes do not persist across upgrades, scale events, etc.
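The thread above is about two things: third-party scanners reporting findings on the AKS node image that the docs cannot enumerate, and the fact that the node OS cannot be customized. A common source of the "false positives or generic vulnerability information" the issue opener mentions is a scanner that matches on the upstream version string of a distro package, while the distro has backported the fix in a revision of the same upstream version. The following is an added example (not code from this thread, from the docs, or from the AKS project) of a defender-side triage step: it compares each scanner finding's installed package version against the version in which the distro's security tracker says the CVE was fixed, using the dpkg version-ordering rules. The findings, the advisory map and the `CVE-EXAMPLE-*` ids are constructed placeholders, and on a real cluster the advisory data would come from the distribution's security tracker rather than an inline dictionary.

```python
"""Triage scanner findings against distro advisory data (constructed example)."""

# Constructed sample findings, shaped like a third-party scanner's output for
# packages on an Ubuntu-based node. The CVE ids are placeholders, not real CVEs.
FINDINGS = [
    {"package": "openssl", "version": "1.1.1-1ubuntu2.1~18.04.6", "cve": "CVE-EXAMPLE-0001"},
    {"package": "curl", "version": "7.58.0-2ubuntu3.8", "cve": "CVE-EXAMPLE-0002"},
    {"package": "libc6", "version": "2.27-3ubuntu1", "cve": "CVE-EXAMPLE-0003"},
]

# Constructed stand-in for the distro security tracker: the package version in
# which each CVE was fixed. Backports keep the upstream part and bump the revision.
FIXED_IN = {
    "CVE-EXAMPLE-0001": {"openssl": "1.1.1-1ubuntu2.1~18.04.5"},
    "CVE-EXAMPLE-0002": {"curl": "7.58.0-2ubuntu3.9"},
}


def _order(c):
    """Character weight used by dpkg: '~' sorts before end-of-string, then
    letters, then everything else; digits are handled numerically elsewhere."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or revision) dpkg-style."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(v):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, ""
    return int(epoch), upstream, rev


def deb_version_cmp(a, b):
    """Return -1, 0 or 1 ordering two Debian/Ubuntu package versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub)
    return c if c else _verrevcmp(ra, rb)


def triage(findings, fixed_in):
    """'patched' if the installed version already carries the distro fix,
    'open' if it is older, 'unknown' if the advisory data has no entry."""
    results = []
    for f in findings:
        fixed = fixed_in.get(f["cve"], {}).get(f["package"])
        if fixed is None:
            status = "unknown"
        elif deb_version_cmp(f["version"], fixed) >= 0:
            status = "patched"
        else:
            status = "open"
        results.append({**f, "fixed_version": fixed, "status": status})
    return results


if __name__ == "__main__":
    for r in triage(FINDINGS, FIXED_IN):
        print(f'{r["cve"]:18} {r["package"]:8} {r["version"]:26} -> {r["status"]}')
```

With the constructed data, the openssl finding is classified as patched (the installed revision is newer than the fix revision, which is the backport case scanners mis-flag), the curl finding stays open, and libc6 is marked unknown because no advisory entry exists, which is the bucket a practitioner still has to review by hand. The ordering rules mirror dpkg's, so `~` pre-release suffixes and epochs compare the way the package manager compares them.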

mimckitt commented 5 years ago

@jnoller any update on this?

jnoller commented 5 years ago

@MicahMcKittrick-MSFT No, per my comment this change is outside the scope of the current product, and is not technically supported.

mimckitt commented 5 years ago

Got it. Thanks! I will close this out then. If you want it reopened just let me know.