Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable and Configure Node OS Auto-Upgrades

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that node OS auto-upgrades are enabled for Azure Kubernetes Service (AKS) clusters to help prevent vulnerabilities from unpatched OS versions, minimizing the risk of security breaches while maintaining operational stability.

Security

Node OS auto-upgrades in Azure Kubernetes Service (AKS) automatically update the operating system of AKS nodes with security patches and updates. This is crucial for maintaining security, as it ensures nodes receive timely OS-level security patches without manual intervention. These upgrades are separate from Kubernetes version upgrades and can be customized through different channels. When node OS auto-upgrades are not enabled and configured, security updates are not applied automatically to your AKS cluster nodes, meaning you are fully responsible for ensuring they receive necessary updates.


Audit

To determine if node OS auto-upgrades are enabled for your Azure Kubernetes Service (AKS) clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, under Settings, select Cluster configuration to access the configuration settings available for the selected AKS cluster.

07 In the Security updates section, check the security channel type selected from the Node security channel type dropdown list to determine if node OS auto-upgrades are enabled for the selected cluster. If the selected channel is None, node OS auto-upgrades are not enabled for the selected Azure Kubernetes Service (AKS) cluster.

08 Repeat steps no. 5 – 7 for each AKS cluster provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:

az aks list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AKS cluster names:

Name                    ResourceGroup
----------------------  ------------------------------
cc-data-mining-cluster  cloud-shell-storage-westeurope
cc-project5-cluster     cloud-shell-storage-westeurope

06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to describe the security channel type configured for node OS auto-upgrades, for the selected AKS cluster:

az aks show
  --name cc-data-mining-cluster
  --resource-group cloud-shell-storage-westeurope
  --query "autoUpgradeProfile.nodeOsUpgradeChannel"

07 The command output should return the security channel type configured for node OS auto-upgrades.

"None"

If the aks show command output returns "None", your AKS cluster nodes don't have security updates applied automatically. Therefore, node OS auto-upgrades are not enabled for the selected Azure Kubernetes Service (AKS) cluster.

08 Repeat steps no. 6 and 7 for each AKS cluster available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable and configure node OS auto-upgrades for Azure Kubernetes Service (AKS) clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to configure.

06 In the resource navigation panel, under Settings, select Cluster configuration to access the configuration settings available for the selected AKS cluster.

07 In the Security updates section, perform the following actions:

  1. Select the desired security channel type from the Node security channel type dropdown list to enable node OS auto-upgrades for the selected AKS cluster. You can choose between Unmanaged which applies OS updates automatically through OS built-in patching infrastructure (i.e. OS driven security updates), Security Patch which applies fully-managed OS security patches, either by reimaging nodes or live patching without draining pods, based on necessity, with minimal disruption and maintenance windows honored, or Node Image which updates the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. For more details, see Security channels for node OS image upgrades.
  2. (Optional) For Security channel scheduler, choose Add schedule to configure the maintenance window settings using the Planned Maintenance feature. Planned Maintenance allows you to run both types of maintenance in a cadence of your choice, thus minimizing any workload impact. Once the maintenance window is configured, choose Save to apply your maintenance and security updates schedule.

08 Choose Apply to apply the configuration changes.

09 Repeat steps no. 5 – 8 for each AKS cluster that you want to configure, available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks update command (OSX/Linux/UNIX) with the name of the cluster that you want to configure as the identifier parameter, to enable node OS auto-upgrades for the selected Azure AKS cluster, by applying the desired security channel. You can choose between Unmanaged which applies OS updates automatically through OS built-in patching infrastructure, SecurityPatch which applies fully-managed OS security patches, either by reimaging nodes or live patching without draining pods, or NodeImage which updates the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The following command example sets the node OS auto-upgrade security channel to NodeImage. NodeImage is AKS-tested, fully managed, and applied with safe deployment practices:

az aks update
  --name cc-data-mining-cluster
  --resource-group cloud-shell-storage-westeurope
  --node-os-upgrade-channel NodeImage

05 The command output should return the configuration information available for the modified AKS cluster:

{
	"aadProfile": {
		"adminGroupObjectIDs": [
			"abcdabcd-1234-abcd-1234-abcdabcdabcd"
		],
		"clientAppId": null,
		"enableAzureRbac": true,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},

	...

	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"upgradeSettings": null,
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null,
		"verticalPodAutoscaler": null
	}
}

06 Repeat steps no. 4 and 5 for each AKS cluster that you want to configure, available within the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 22, 2024

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable and Configure Node OS Auto-Upgrades

Risk Level: Medium