Microsoft AKS best practices

Best practice rules for AKS

• Check for CNI Plugin Version

  Ensure that the latest version of the CNI plugin is used for your AKS clusters.

• Check for Kubernetes Version

  Ensure that AKS clusters are using the latest available version of Kubernetes software.

• Cluster Disks Encrypted with Customer-Managed Keys

  Use Customer-Managed Keys (CMKs) to encrypt Azure Kubernetes Service (AKS) cluster disks.

• Control Access to AKS Cluster Configuration File

  Ensure that access to AKS cluster configuration file is controlled using Azure RBAC.

• Disable Public FQDN for Private AKS Clusters

  Ensure that your private AKS clusters are not configured with a public FQDN.

• Enable Azure Role-Based Access Control (RBAC) for Kubernetes Authorization

  Ensure that Azure Role-Based Access Control is enabled for Azure AKS clusters.

• Enable Backups for AKS Clusters

  Ensure that Azure Backup service is configured to back up AKS clusters.

• Enable Defender for Cloud for AKS Clusters

  Ensure that Microsoft Defender for Cloud is enabled for AKS clusters.

• Enable Federal Information Process Standard (FIPS) for AKS Cluster Node Pools

  Enable Federal Information Process Standard (FIPS) for AKS cluster node pools to ensure compliance.

• Enable Image Cleaner for AKS Clusters

  Enable Image Cleaner to clean up vulnerable stale images on your AKS clusters.

• Enable Image Integrity for AKS Clusters

  Enable Image Integrity to ensure that your AKS clusters deploy only trusted images.

• Enable Image Vulnerability Scanning

  Enable image vulnerability scanning for Azure Kubernetes Service (AKS) clusters.

• Enable Kubernetes Role-Based Access Control

  Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters.

• Enable Support for Network Policies

  Ensure that AKS clusters are using network policies for proper segmentation and security.

• Enable Trusted Access for AKS Clusters

  Enable Trusted Access to secure access for Azure cloud resources in Azure Kubernetes Service (AKS) clusters.

• Enable and Configure Node OS Auto-Upgrades

  Enable and configure node OS auto-upgrades for Azure Kubernetes Service (AKS) clusters.

• Kubernetes API Version

  Ensure that AKS clusters are using the latest version of Kubernetes API.

• Kubernetes Clusters with Private Nodes

  Ensure that your Azure Kubernetes Service (AKS) clusters are created with private nodes.

• Private Kubernetes Clusters

  Ensure that your Azure Kubernetes Service (AKS) clusters are private.

• Rotate AKS Cluster Credentials

  Ensure that your Azure Kubernetes Service (AKS) cluster credentials are regularly rotated.

• Secure Access to Kubernetes API Server Using Authorized IP Address Ranges

  Ensure that public access to Kubernetes API server is restricted.

• Use Azure CNI Add-On for Managing Network Resources

  Ensure that Azure Container Networking Interface (CNI) add-on is used for managing network resources.

• Use Azure Container Networking Interface (CNI) for AKS Clusters

  Ensure that Azure CNI networking mode is configured for Azure Kubernetes clusters.

• Use Microsoft Entra ID Integration with Kubernetes RBAC

  Ensure that Microsoft Entra ID integration with Kubernetes RBAC is enabled for Azure AKS clusters.

• Use Network Contributor Role for Managing Azure Network Resources

  Ensure that AKS clusters are configured to use the Network Contributor role.

• Use Private Key Vaults for Encryption at Rest in Azure Kubernetes Service (AKS)

  Ensure that Azure Kubernetes clusters are using a private Key Vault for secret data encryption.

• Use System-Assigned Managed Identities for AKS Clusters

  Ensure that AKS clusters are using system-assigned managed identities.

• Use User-Assigned Managed Identities for AKS Clusters

  Ensure that AKS clusters are using user-assigned managed identities.