Securing Applications in AKS

Azure Compute Solutions

Florin Angelescu

Azure Cloud Architect

Why security matters

 

Kubernetes

 

 

  • Critical in any production environment.
  • Containers and Kubernetes introduce new layers of complexity.
  • Workloads can be exposed to risks.
Azure Compute Solutions

Why security matters

 

Kubernetes

 

  • AKS integrates with Azure's security ecosystem to protect:

    • Applications
    • Data
    • Users

  • Strong security practices:

    • Build trust with customers and stakeholders
    • Proving that workloads are resilient and well-managed
Azure Compute Solutions

Role-Based Access Control (RBAC)

Kubernetes

  • Control who can perform actions in the cluster.
Azure Compute Solutions

Role-Based Access Control (RBAC)

Kubernetes

  • Control who can perform actions in the cluster.

  • Integrates with Entra ID:

    • Assign roles to users or groups

  • Only authorized individuals can deploy, scale, or modify workloads.

Azure Compute Solutions

Role-Based Access Control (RBAC)

Kubernetes

  • Developers have permissions to deploy apps.
  • Operators manage scaling and monitoring.
  • Granular role assignments reduce the risk of accidental or malicious changes.
Azure Compute Solutions

Secrets management

 

Secrets

 

  • Applications require sensitive information:

    • Passwords
    • API keys
    • Certificates

  • Kubernetes stores these as secrets.

  • Can be mounted into pods securely.
Azure Compute Solutions

Secrets management

 

Key Vault

 

  • Secrets can integrate with Azure Key Vault:
    • Centralized management and encryption
  • Sensitive data is never hard-coded into images or manifests.
  • Reduces the risk of leaks.
  • Rotate secrets regularly.
Azure Compute Solutions

Network security

 

Networking

 

  • AKS clusters run inside Azure Virtual Networks:
    • Network security groups
    • Firewalls
Azure Compute Solutions

Network security

 

Networking

 

  • AKS clusters run inside Azure Virtual Networks:

    • Network security groups
    • Firewalls

  • Restrict traffic between pods.

  • Enforce policies.
  • Isolate workloads.
Azure Compute Solutions

Network security

 

Networking

 

  • Ingress controllers:
    • Configured with TLS certificates
    • Secure external traffic
Azure Compute Solutions

Network security

 

Networking

 

  • Ingress controllers:

    • Configured with TLS certificates
    • Secure external traffic

  • Network policies:

    • Define which pods can communicate
    • Reduce the attack surface
Azure Compute Solutions

Image security

 

Image

 

  • Container images:

    • Foundation of workloads
    • Must be trusted

  • Azure Container Registry:

    • Supports image scanning
    • Detect vulnerabilities before deployment
Azure Compute Solutions

Image security

 

Image

 

 

Policies

  • Only signed or approved images are allowed in the cluster.
Azure Compute Solutions

Image security

 

Image

  • Update base images and apply patches:

    • Keep workloads secure

  • Validating images:

    • Prevent compromised software from entering production
Azure Compute Solutions

Monitoring and compliance

 

Image

  • Continuous monitoring is essential to detect threats.

Azure Defender for Kubernetes

  • Runtime protection.

  • Detecting suspicious activity:

    • Privilege escalation
    • Abnormal network traffic

  • Compliance tools:

    • Clusters meet organizational or regulatory standards
Azure Compute Solutions

Recap

 

Kubernetes

 

Securing applications in AKS:

  • Role-Based Access Control
  • Secrets management
  • Network controls
  • Image validation
  • Continuous monitoring
Azure Compute Solutions

Let's practice!

Azure Compute Solutions

Preparing Video For Download...