Azure Kubernetes Service (AKS) offers Kubernetes as a managed service within Azure environments, which makes it a go-to choice for organizations that want an easy-to-manage Kubernetes solution in the cloud. However, while AKS makes Kubernetes management easier, security is still a shared responsibility that needs careful (and constant) attention from internal teams.
As containerized applications become more common, keeping AKS environments secure has become a major priority for security teams. But if you’re familiar with key security concepts, can identify potential threats, and follow Kubernetes security best practices, you and your team can maintain Kubernetes’ agility while ensuring that your containerized applications protect against ever-evolving threats.
An overview of key AKS security concepts
Before getting into specific security recommendations, it’s important to understand the foundational security components of AKS architecture:
Node security
AKS clusters are made up of control plane nodes (from Microsoft) and worker nodes that handle your workloads. Keeping worker nodes secure means ensuring proper OS hardening and container runtime security and controlling node access. Microsoft regularly updates node images with security patches, but it’s up to you to configure the right node pools and keep them up-to-date.
NSGs
Network security groups (NSGs) act as virtual firewalls for your AKS clusters, controlling inbound and outbound traffic between resources based on defined rules. Properly configured NSGs restrict unnecessary network traffic to your AKS clusters, which limits potential attack vectors.
Identity and access management
AKS integrates with Microsoft Entra ID (formerly Azure AD) for authentication and authorization. This lets you leverage existing identity systems to manage cluster access while implementing role-based access control (RBAC) to enforce the principle of least privilege across your Kubernetes resources.
Azure Security Best Practices [Cheat Sheet]
This cheat sheet helps you secure Azure environments with actionable tips on access control, workload hardening, and misconfiguration prevention.
Get cheat sheet
What are the top threats to AKS security?
Staying up-to-date on the latest threats is essential for building effective defenses. The most significant security risks facing AKS deployments include the following:
Unauthorized access: Weak authentication, overly permissive RBAC, or exposed credentials can lead to unauthorized cluster access and potentially compromise your entire environment.
Container vulnerabilities: Unpatched container images or misconfigured pods can create vulnerabilities that attackers might use to access your apps or the underlying infrastructure.
Lateral movement: Once inside a cluster, attackers often move laterally through the network to access sensitive resources or escalate privileges. Because of this, overlooking lateral movement in Kubernetes clusters is a significant threat.
Data exfiltration: Without proper network controls, attackers can steal sensitive data from your clusters and move it to an external server or location that they control.
Managed cluster risks: Managed services like AKS come with unique security challenges that standard Kubernetes security models don’t fully cover. These grey zone risks in managed cluster middleware require especially dedicated attention.
Lack of centralized policy enforcement: Without a centralized way to enforce policies, organizations can end up with inconsistent security practices across their clusters. This lack of consistency makes misconfigurations more likely, which can create vulnerabilities and open the door to potential security threats.
Inadequate logging and monitoring: Without proper logging and monitoring, it’s hard to spot and respond to suspicious activity quickly. And if security teams don’t have detailed logs and real-time monitoring, they can easily miss key warning signs, which delays their ability to handle incidents effectively.
Security considerations for AKS architecture
Even though Microsoft handles many aspects of AKS security, customers still bear significant responsibility under its shared responsibility model. Microsoft manages the underlying infrastructure’s security, but customers still need to set up any necessary guardrails to protect the applications, data, and access configurations within their clusters.
Here are some proactive measures your teams should take:
Configure RBAC
Create detailed network policies
Secure container images
Add control-plane and data-plane security measures
Secure communication between microservices
Multi-tenancy is common in AKS deployments, as multiple applications or teams could end up using the same cluster. In such cases, take adequate measures to avoid cross-proliferation of security issues.
8 essential AKS security best practices
To deploy your workloads securely in AKS clusters, implement these eight non-negotiable security practices:
1. Integrate with Microsoft Entra ID for identity and access management
To manage access permissions effectively, create Kubernetes Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings and integrate them with Microsoft Entra ID users and groups to define and control access.
To manage access to your AKS cluster resources, stick with Azure RBAC and follow the principle of least privilege. This way, users only get the permissions they really need for more controlled, secure access.
2. Configure cluster security
The Kubernetes API server processes all service requests, so it’s important to keep it secure by following the principle of least privilege. To keep from exposing the Kubernetes API to the Internet, set up a private AKS cluster where the control plane uses an internal IP address instead. Any traffic between the API server and AKS node pools will stay within a private VNet.
You can also control access to the control plane through options like bastion virtual machines, virtual network peering, VPN, and private endpoints—just make sure to manage your network with a load balancer.
Additionally, your AKS cluster should be using the latest stable version of Kubernetes. You can use the following command to upgrade AKS to the latest version:
az aks upgrade --resource-group
<<resourcegroupname>> --name
<<AKS clustername>>--kubernetes-version
<<KUBERNETES_VERSION>>Because Kubernetes doesn’t upgrade automatically, put a governance policy in place to test the latest version’s compatibility with your workloads in a development environment before deployment.
3. Implement pod security and credential protection
To maintain secure pod access to resources, specify pod security context settings and assign the minimum amount of permissions. Doing so restricts access to the underlying node processes and services.
To do this, use Microsoft Entra ID’s workload identity feature to securely access other Azure resources from AKS pods through a service account token volume projection mechanism. Add these settings to an API model JSON file to enable service account token volume projection:
{
"kubernetesConfig": {
"apiServerConfig": {
"--service-account-api-audiences": "api,istio-ca",
"--service-account-issuer": "kubernetes.default.svc",
"--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key"
}
}
}For credential protection, use Azure Key Vault to store and retrieve keys and credentials from applications to prevent them from actively showing in your code.
4. Implement namespace isolation
Kubernetes offers built-in features to isolate teams and clusters while maintaining least privilege access to resources. Implementing namespace isolation, for instance, is essential for managing resources efficiently within Kubernetes. By using namespaces, you can logically separate resources and workloads, enabling higher pod density and better resource management.
If you’re supporting a multi-tenant architecture, Kubernetes RBAC is a great way to enforce the principle of least privilege and prevent unauthorized access. But for more security against hostile workloads, physically isolated clusters might be your best bet.
In AKS clusters, pod security admission is enabled by default. It uses labels to apply security policies for pods deployed to a namespace. For single-cluster deployments, this feature works out of the box. But if you’re looking to set up enterprise-grade policies with centralized management, you’ll need to configure your Azure policies accordingly.
5. Deploy secure container images
Integrating scanning tools like Trivy or Clair into your CI/CD workflow ensures that scanned container images are safe when your team deploys them to AKS clusters.
To help with this, implement a process to update base images, including any downstream container images linked to the base image, when security fixes launch. Then, add validation steps to your deployment pipeline to make sure only updated images deploy.
6. Enhance network security through CNI and network policies
While Azure supports both Kubenet networking and Azure CNI plug-in–based networking, Azure CNI offers smoother integration with Azure VNets, as well as on-prem networks. It also provides a vendor-neutral network protocol, where each pod receives its own IP from your network. This makes it easier to connect securely with other Azure and on-prem systems.
Kubernetes-native network policies are helpful for managing and restricting traffic between pods based on defined namespaces, labels, and ports. To prevent attackers from exploiting the host node from a compromised pod, create a network policy that blocks egress access from pods in all namespaces to the node metadata endpoint.
7. Integrate Azure Key Vault for secrets management
A distributed key-value store (like etcd) is useful for protecting Kubernetes secrets. But for additional security, integrate your AKS cluster with Azure Key Vault as a secrets store via a Container Storage Interface volume. This driver supports secrets synchronization, as well as mounted content autorotation.
Here’s how to integrate an AKS cluster with the Key Vault provider for Secrets Store CSI Driver:
az aks enable-addons --addons
azure-keyvault-secrets-provider --name
<<AKSClustername>> --resource-group
<<ResourceGroupname>>
\8. Enable comprehensive monitoring and logging through Azure Monitor
AKS provides metrics and logs that you can easily analyze with Azure Monitor’s built-in tools. To do this, regularly check the data from Azure Monitor on both the data plane and control plane for anything unusual, especially logs like AKSAudit, AKSAuditAdmin, and AKSControlPlane.
With Log Analytics, you can dig deeper into logs, create custom queries, and spot unauthorized access attempts, configuration changes, or suspicious API calls. To stay ahead, set up automated workflows that take action whenever certain conditions apply, too. Then, configure your security alerts based on metrics and logs to notify your team about any issues immediately.
Azure Cloud Visibility Best Practices [Cheat Sheet]
Get practical, easy-to-follow guidance for staying ahead of Azure security risks with our cheat sheet—covering visibility, misconfiguration prevention, and strategies to secure your cloud as it scales. Ask ChatGPT
Get Cheat Sheet
AKS security: Beyond native solutions
While the above practices offer a solid first line of defense against potential attacks, larger enterprise deployments often need more specialized solutions.
For example, advanced cloud security platforms can scan your AKS clusters and provide full visibility into vulnerabilities within clusters, hosts, and pods. The best solutions correlate risk information from the cloud and runtime to provide a prioritized view of vulnerabilities, threats, and misconfigurations.
Want to learn more about how to build a comprehensive security program for your container environments and enhance your security posture? Check out our list of top Kubernetes security tools.
Kubernetes Security Report
In this report - which is based on our scans of over 200,000 cloud accounts - we dive into the state of Kubernetes security, providing statistics that shed light on the prevalence of threats in Kubernetes environments and uncovering risks that often go unnoticed.
Download report
Secure your Kubernetes future today with Wiz
Securing AKS offers a way for you to significantly reduce your attack surface and protect your cloud native applications from potential threats. But it’s important to remember that AKS security is an ongoing process that requires continuous monitoring, regular updates, and the flexibility to tackle emerging threats.
That’s where Wiz comes in. Our cloud native Kubernetes security solution delivers the following Kubernetes features:
Complete visibility: Scan all containers, hosts, and clusters across various Kubernetes setups without blind spots.
In-depth risk assessments: Use Wiz’s Security Graph to prioritize container risks by combining data from containers, hosts, cloud providers, and Kubernetes APIs.
Shift-left security: Collaborate with development teams to preempt container security issues across the SDLC and scan infrastructure code, including Kubernetes YAML files and Dockerfiles.
Real-time threat detection: Monitor and detect malicious behavior in Kubernetes clusters for rapid response.
Watch 12-min demo: Securing Azure environments
Watch how Wiz uncovers misconfigurations, identity risks, and vulnerabilities across your cloud environment, with coverage for Azure.
Watch demo now
Wiz connects risk data from cloud and runtime environments to show you a prioritized view of vulnerabilities, threats, and misconfigurations. This helps early in the development process by scanning code and container images while adding guardrails to prevent unsigned images, untrusted content, and misconfigured apps from deploying.
Ready to get started? Download our Kubernetes Security Best Practices Cheat Sheet today to learn how you can more effectively secure your deployments.
Other security best practices you might be interested in: