Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Kubernetes API Version

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

To maximize the benefits of your Azure Kubernetes Service (AKS) clusters, it is important to ensure they are running on the latest Kubernetes version. By doing so, you gain access to new and improved features, as well as the latest security patches. The Kubernetes API upgrade becomes fully available only after it is approved by Microsoft Azure.

Security
Reliability
Cost
optimisation
Performance
efficiency
Operational
excellence

Using the latest version of the Kubernetes API for your AKS clusters is vital for leveraging new features, enhancements, and security fixes. It ensures access to the most recent advancements, optimal performance, and protection against vulnerabilities. Staying up-to-date with the Kubernetes platform helps maximize productivity and maintain a secure and efficient container orchestration environment.

Audit

To determine if your AKS clusters are using the latest version of Kubernetes API, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Kubernetes service and choose Apply to list the Azure Kubernetes Service (AKS) clusters available in the selected subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, under Settings, select Cluster configuration, and check the version of the Kubernetes API installed on your cluster. If the following message is not displayed within the Kubernetes version section: This cluster is using the latest available version of Kubernetes and the Upgrade version button is available, the selected Azure Kubernetes Service (AKS) cluster is not using the latest available version of the Kubernetes API.

07 Repeat steps no. 5 – 7 for each AKS cluster provisioned in the selected Azure subscription.

08 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run aks list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the current subscription: 

az aks list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested AKS cluster names: 

Name                     ResourceGroup
----------------------   ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

03 Run aks get-upgrades command (Windows/macOS/Linux) using the name of the AKS cluster that you want to examine and its associated resource group as the identifier parameters to describe the version of the Kubernetes API installed on the cluster and the latest Kubernetes API version(s) available for upgrade: 

az aks get-upgrades
  --name cc-project5-aks-cluster
  --resource-group cloud-shell-storage-westeurope
  --output table

04 The command output should return a table with the requested Kubernetes API details: 

Name     ResourceGroup                   MasterVersion    Upgrades
-------  ------------------------------  ---------------  --------------
default  cloud-shell-storage-westeurope  1.25.6           1.26.0, 1.26.3

The version(s) listed in the Upgrades column represents the latest available version of Kubernetes API that can be installed on your AKS cluster. If the version listed for the MasterVersion is different than the newest one available within the Upgrades column, the selected Azure Kubernetes Service (AKS) cluster is not using the latest version of the Kubernetes API.

05 Repeat step no. 3 and 4 for each AKS cluster available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To upgrade your Azure Kubernetes Service (AKS) clusters to the latest version of Kubernetes API, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Kubernetes service and choose Apply to list the Azure Kubernetes Service (AKS) clusters available in the selected subscription.

05 Click on the name (link) of the AKS cluster that you want to upgrade.

06 In the resource navigation panel, under Settings, select Cluster configuration and choose Upgrade version.

07 Select the latest version of the Kubernetes API from the Kubernetes version dropdown list and choose Upgrade control plane + all node pools for Upgrade scope. Choose Save to apply the changes and start the Kubernetes API upgrade process.

08 Repeat steps no. 5 – 7 for each AKS cluster that you want to relaunch, available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run aks upgrade command (Windows/macOS/Linux) to upgrade the selected AKS cluster to the latest version of the Kubernetes API. The upgrade will roll out safely in stages so your container applications can continue to run while the upgrade is in progress: 

az aks upgrade 
  --name cc-project5-aks-cluster 
  --resource-group cloud-shell-storage-westeurope 
  --kubernetes-version 1.26.3

02 The aks upgrade command request should ask for your confirmation. Press y twice to confirm: 

Kubernetes may be unavailable during cluster upgrades.
Are you sure you want to perform this operation? (y/n): y
Since control-plane-only argument is not specified, this will upgrade the control plane AND all nodepools to version 1.26.3. Continue? (y/n): y

03 Once the upgrade process is completed, the command output should return the information available for the modified cluster: 

{
	"aadProfile": null,
	"addonProfiles": {
		"azureKeyvaultSecretsProvider": {
			"config": null,
			"enabled": false,
			"identity": null
		},
		"azurepolicy": {
			"config": null,
			"enabled": false,
			"identity": null
		}
	},
	"apiServerAccessProfile": null,
	"autoUpgradeProfile": {
		"upgradeChannel": "none"
	},
	"azureMonitorProfile": null,
	"currentKubernetesVersion": "1.26.3",
	"disableLocalAccounts": false,
	"diskEncryptionSetId": null,
	"dnsPrefix": "cc-project5-aks-cluster-dns",
	"enablePodSecurityPolicy": null,
	"enableRbac": true,
	"extendedLocation": null,
	"fqdn": "cc-project5-aks-cluster-dns-abcd1234.hcp.westeurope.azmk8s.io",
	"fqdnSubdomain": null,
	"httpProxyConfig": null,
	"kubernetesVersion": "1.26.3",
	"linuxProfile": null,
	"location": "westeurope",
	"maxAgentPools": 100,
	"name": "cc-project5-aks-cluster",
	"nodeResourceGroup": "MC_cloud-shell-storage-westeurope_cc-project5-aks-cluster_westeurope",
	"oidcIssuerProfile": {
		"enabled": false,
		"issuerUrl": null
	},
	"podIdentityProfile": null,
	"powerState": {
		"code": "Running"
	},
	"privateFqdn": null,
	"privateLinkResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"securityProfile": {
		"azureKeyVaultKms": null,
		"defender": null,
		"imageCleaner": null,
		"workloadIdentity": null
	},
	"servicePrincipalProfile": {
		"clientId": "msi",
		"secret": null
	},
	"sku": {
		"name": "Base",
		"tier": "Free"
	},
	"storageProfile": {
		"blobCsiDriver": null,
		"diskCsiDriver": {
			"enabled": true
		},
		"fileCsiDriver": {
			"enabled": true
		},
		"snapshotController": {
			"enabled": true
		}
	},
	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null
	}
}

04 Repeat steps no. 1 – 3 for each AKS cluster deployed within the current subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Aug 8, 2023

Related AKS rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Kubernetes API Version

Risk Level: High