Check for Kubernetes Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: AKS-002

Ensure that your Azure Kubernetes Service (AKS) clusters are using the latest available version of the Kubernetes platform in order to receive new or enhanced features and the most recent security fixes. The Kubernetes version upgrade becomes fully available only after it is approved by Microsoft Azure.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Reliability
Performance efficiency

As part of the lifecycle of your AKS clusters, you will often need to upgrade to the latest version of Kubernetes. By upgrading your Azure Kubernetes Service (AKS) clusters, you will regularly introduce new software features, security patches, performance improvements and better compatibility with different applications and/or services.


Audit

To determine if your AKS clusters are using the latest available version of Kubernetes, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Kubernetes Service to show the AKS clusters launched within the selected subscription.

05 Click on the name of the AKS cluster that you want to examine.

06 In the navigation panel, under Settings, select Upgrade, then check the version of the Kubernetes software installed on the cluster. If the message "This cluster is using the latest available version of Kubernetes" is not displayed within the Kubernetes version section, the selected Azure Kubernetes Service (AKS) cluster is not using the latest available version of the Kubernetes platform.

07 Repeat steps no. 4 – 6 for each AKS cluster provisioned in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the aks list command (Windows/macOS/Linux) using custom query filters to list the name and the resource group of each AKS cluster launched in the current Azure subscription:

az aks list \
	--query '[*].{"Name":name,"ResourceGroup":resourceGroup}'

02 The command output should return the requested AKS cluster information:

[
  {
    "Name": "cc-prod-k8-cluster",
    "ResourceGroup": "cloud-shell-storage-westeurope"
  },
  {
    "Name": "cc-development-cluster",
    "ResourceGroup": "cloud-shell-storage-westeurope"
  }
]

03 Run the aks get-upgrades command (Windows/macOS/Linux) to describe the version of the Kubernetes software installed on the cluster nodes and the latest Kubernetes version(s) available for upgrade:

az aks get-upgrades \
	--name cc-prod-k8-cluster \
	--resource-group cloud-shell-storage-westeurope \
	--output table

04 The command output should return a table with the requested Kubernetes details:

Name     ResourceGroup                   MasterVersion    NodePoolVersion  Upgrades
-------  ------------------------------  ---------------  ---------------  ---------------
default  cloud-shell-storage-westeurope  1.15.7           1.15.7           1.15.10, 1.16.7

The version(s) listed in the Upgrades column represent the latest available version(s) of Kubernetes software that can be installed on the AKS cluster. If the version listed for MasterVersion and/or NodePoolVersion is different from the newest one available within the Upgrades column, the selected Azure Kubernetes Service (AKS) cluster is not using the latest available version of the Kubernetes platform.

05 Repeat steps no. 3 and 4 for each AKS cluster deployed within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
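
The CLI audit above, scripted as an added example (not part of the original page or of the Conformity product). It parses the `--output table` layout shown in step 04 and assumes one data row per cluster; the function names are illustrative, and any non-version text in the Upgrades column is treated as "no upgrade available".

```sh
#!/bin/sh
# Added example: AKS-002 audit logic over `az aks get-upgrades --output table` text.

# Print the highest version among the arguments. sort -V compares numerically
# per component, so 1.15.10 ranks above 1.15.7 (a plain string sort gets this wrong).
newest_version() {
  printf '%s\n' "$@" | grep -E '^[0-9]+(\.[0-9]+)+$' | sort -V | tail -n 1
}

# Read the table on stdin; print "COMPLIANT <version>" or
# "OUTDATED <master>/<nodepool> -> <newest>". Subshell body keeps variables local.
check_upgrade_table() (
  row=$(sed -n '3p')   # first data row, after the header and the dashed rule
  master=$(printf '%s\n' "$row" | awk '{print $3}')
  nodepool=$(printf '%s\n' "$row" | awk '{print $4}')
  # Columns 5+ hold the comma-separated Upgrades list; non-version words are
  # filtered out by newest_version.
  upgrades=$(printf '%s\n' "$row" | awk '{for (i = 5; i <= NF; i++) print $i}' | tr -d ',')
  # Word splitting of $upgrades is intended: one argument per version.
  newest=$(newest_version "$master" "$nodepool" $upgrades)
  if [ "$master" = "$newest" ] && [ "$nodepool" = "$newest" ]; then
    echo "COMPLIANT $master"
  else
    echo "OUTDATED $master/$nodepool -> $newest"
  fi
)

# Steps 01-05 for the current subscription (needs a logged-in az CLI; not called here).
audit_subscription() {
  az aks list --query '[].[name,resourceGroup]' --output tsv |
    while read -r name rg; do
      printf '%s (%s): ' "$name" "$rg"
      az aks get-upgrades --name "$name" --resource-group "$rg" \
        --output table </dev/null | check_upgrade_table
    done
}

# Constructed sample: the table shown in step 04.
SAMPLE_TABLE='Name     ResourceGroup                   MasterVersion    NodePoolVersion  Upgrades
-------  ------------------------------  ---------------  ---------------  ---------------
default  cloud-shell-storage-westeurope  1.15.7           1.15.7           1.15.10, 1.16.7'

printf '%s\n' "$SAMPLE_TABLE" | check_upgrade_table
```

Call `audit_subscription` after `az login` to cover every cluster in the active subscription; switch subscriptions with `az account set` to repeat step 06.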

Remediation / Resolution

To upgrade your Azure Kubernetes Service (AKS) clusters to the latest available version of Kubernetes software, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Kubernetes Service to display the AKS clusters launched within the selected subscription.

05 Click on the name of the AKS cluster that you want to upgrade.

06 In the navigation panel, under Settings, select Upgrade, then choose the latest version of the Kubernetes software, available in the Kubernetes version dropdown list. Click Save to apply the configuration changes and start the upgrade process. Upgrading your AKS cluster may take up to 10 minutes per node.

07 Repeat steps no. 5 and 6 for each AKS cluster provisioned in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the aks upgrade command (Windows/macOS/Linux) to upgrade the selected AKS cluster to the latest version of the Kubernetes software (in this case version 1.16.7). The upgrade will roll out safely in stages so your container applications can continue to run while the upgrade is in progress. Upgrading your cluster may take up to 10 minutes per node:

az aks upgrade \
	--name cc-prod-k8-cluster \
	--resource-group cloud-shell-storage-westeurope \
	--kubernetes-version 1.16.7

02 The aks upgrade command request should ask for your confirmation. Press y to confirm:

Kubernetes may be unavailable during cluster upgrades.
Are you sure you want to perform this operation? (y/n):

03 Once the upgrade process is completed, the command output should return the reconfigured cluster metadata:

{
  "aadProfile": null,
  "agentPoolProfiles": [
    {
      "availabilityZones": null,
      "count": 2,
      "enableAutoScaling": null,
      "enableNodePublicIp": null,
      "maxCount": null,
      "maxPods": 110,
      "minCount": null,
      "name": "agentpool",
      "nodeLabels": null,
      "nodeTaints": null,
      "orchestratorVersion": "1.16.7",
      "osDiskSizeGb": 100,
      "osType": "Linux",
      "provisioningState": "Succeeded",
      "scaleSetEvictionPolicy": null,
      "scaleSetPriority": null,
      "tags": null,
      "type": "AvailabilitySet"
    }
  ],

  ...

  "dnsPrefix": "cc-prod-k8-cluster-dns",
  "enablePodSecurityPolicy": null,
  "enableRbac": true,
  "identity": null,
  "identityProfile": null,
  "kubernetesVersion": "1.16.7",
  "linuxProfile": null,
  "location": "westeurope",
  "maxAgentPools": 1,
  "name": "cc-prod-k8-cluster",
  "nodeResourceGroup": "MC_cloud-shell-storage-westeurope_cc-prod-k8-cluster_westeurope",
  "privateFqdn": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.ContainerService/ManagedClusters",
  "windowsProfile": null
}

04 Repeat steps no. 1 – 3 for each AKS cluster deployed within the current subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

Publication date Mar 27, 2020