Best practice rules for AKS
- Check for Kubernetes Version
Ensure that AKS clusters are using the latest available version of Kubernetes software.
- Cluster Disks Encrypted with Customer-Managed Keys
Use Customer-Managed Keys (CMKs) to encrypt Azure Kubernetes Service (AKS) cluster disks.
- Control Access to AKS Cluster Configuration File
Ensure that access to the AKS cluster configuration file is controlled using Azure RBAC.
- Disable Public FQDN for Private AKS Clusters
Ensure that your private AKS clusters are not configured with a public FQDN.
- Enable Azure Role-Based Access Control (RBAC) for Kubernetes Authorization
Ensure that Azure Role-Based Access Control is enabled for Azure AKS clusters.
- Enable Backups for AKS Clusters
Ensure that Azure Backup service is configured to back up AKS clusters.
- Enable Defender for Cloud for AKS Clusters
Ensure that Microsoft Defender for Cloud is enabled for AKS clusters.
- Enable Federal Information Processing Standard (FIPS) for AKS Cluster Node Pools
Enable Federal Information Processing Standard (FIPS) for AKS cluster node pools to ensure compliance.
- Enable Image Cleaner for AKS Clusters
Enable Image Cleaner to clean up vulnerable stale images on your AKS clusters.
- Enable Image Integrity for AKS Clusters
Enable Image Integrity to ensure that your AKS clusters deploy only trusted images.
- Enable Kubernetes Role-Based Access Control
Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters.
- Enable Trusted Access for AKS Clusters
Enable Trusted Access to secure the access of Azure cloud resources to your Azure Kubernetes Service (AKS) clusters.
- Enable and Configure Node OS Auto-Upgrades
Enable and configure node OS auto-upgrades for Azure Kubernetes Service (AKS) clusters.
- Kubernetes API Version
Ensure that AKS clusters are using the latest version of the Kubernetes API.
- Private Kubernetes Clusters
Ensure that your Azure Kubernetes Service (AKS) clusters are private.
- Rotate AKS Cluster Credentials
Ensure that your Azure Kubernetes Service (AKS) cluster credentials are regularly rotated.
- Secure Access to Kubernetes API Server Using Authorized IP Address Ranges
Ensure that public access to the Kubernetes API server is restricted.
- Use Azure CNI Add-On for Managing Network Resources
Ensure that the Azure Container Networking Interface (CNI) add-on is used for managing network resources.
- Use Azure Container Networking Interface (CNI) for AKS Clusters
Ensure that Azure CNI networking mode is configured for Azure Kubernetes clusters.
- Use Microsoft Entra ID Integration with Kubernetes RBAC
Ensure that Microsoft Entra ID integration with Kubernetes RBAC is enabled for Azure AKS clusters.
- Use Network Contributor Role for Managing Azure Network Resources
Ensure that AKS clusters are configured to use the Network Contributor role.
- Use Private Key Vaults for Encryption at Rest in Azure Kubernetes Service (AKS)
Ensure that Azure Kubernetes clusters are using a private Key Vault for secret data encryption.
- Use System-Assigned Managed Identities for AKS Clusters
Ensure that AKS clusters are using system-assigned managed identities.
- Use User-Assigned Managed Identities for AKS Clusters
Ensure that AKS clusters are using user-assigned managed identities.