feat(azure): Azure new checks related with AKS #3476

puchy22 · 2024-03-01T14:09:06Z

Context

Add new checks for Azure that are related with AKS.

Description

Add this checks with his respective unit tests:

defender_container_images_scan_enabled
defender_container_images_resolved_vulnerabilities
aks_clusters_public_access_disabled
aks_clusters_created_with_private_nodes
aks_network_policy_enabled
aks_rbac_enabled

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

codecov · 2024-03-01T14:20:14Z

Codecov Report

Attention: Patch coverage is 94.59459% with 8 lines in your changes are missing coverage. Please review.

Project coverage is 85.93%. Comparing base (3eeca73) to head (d4267e7).
Report is 2 commits behind head on master.

Files	Patch %	Lines
...rowler/providers/azure/services/aks/aks_service.py	74.19%	8 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3476      +/-   ##
==========================================
+ Coverage   85.83%   85.93%   +0.10%     
==========================================
  Files         662      670       +8     
  Lines       20643    20790     +147     
==========================================
+ Hits        17719    17866     +147     
  Misses       2924     2924

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

check that ensure clusters created with private nodes

for check to ensure public access is disabled

for check to ensure if a network policy is enabled

for check to ensure if rbac is enabled in the cluster

…lved

sergargar · 2024-03-04T11:07:14Z

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand.


Suggested change

# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand.

# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand.

sergargar · 2024-03-04T11:08:05Z

prowler/providers/azure/services/aks/aks_client.py

+from prowler.providers.azure.lib.audit_info.audit_info import azure_audit_info
+from prowler.providers.azure.services.aks.aks_service import Aks
+
+aks_client = Aks(azure_audit_info)


Suggested change

aks_client = Aks(azure_audit_info)

aks_client = AKS(azure_audit_info)

sergargar · 2024-03-04T11:14:29Z

prowler/providers/azure/services/aks/aks_network_policy_enabled/aks_network_policy_enabled.py

+                report.subscription = subscription_name
+                report.resource_name = cluster.name
+                report.resource_id = cluster_id
+                report.status_extended = f"Network policy enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."


Suggested change

report.status_extended = f"Network policy enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

report.status_extended = f"Network policy is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

Can you add the Network Policy name here, please?

sergargar · 2024-03-04T11:14:38Z

prowler/providers/azure/services/aks/aks_network_policy_enabled/aks_network_policy_enabled.py

+
+                if not getattr(cluster, "network_policy", False):
+                    report.status = "FAIL"
+                    report.status_extended = f"Network policy not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."


Suggested change

report.status_extended = f"Network policy not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

report.status_extended = f"Network policy is not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

sergargar · 2024-03-04T11:15:42Z

prowler/providers/azure/services/aks/aks_rbac_enabled/aks_rbac_enabled.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "aks_rbac_enabled",


Suggested change

"CheckID": "aks_rbac_enabled",

"CheckID": "aks_cluster_rbac_enabled",

sergargar · 2024-03-04T11:16:07Z

prowler/providers/azure/services/aks/aks_rbac_enabled/aks_rbac_enabled.metadata.json

+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AKS/enable-role-based-access-control-for-kubernetes-service.html#",
+      "Terraform": ""


Suggested change

"Terraform": ""

"Terraform": "https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2#terraform"

sergargar · 2024-03-04T11:16:25Z

...iders/azure/services/aks/aks_network_policy_enabled/aks_network_policy_enabled.metadata.json

+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""


Suggested change

"Terraform": ""

"Terraform": "https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4#terraform"

sergargar · 2024-03-04T11:16:49Z

prowler/providers/azure/services/aks/aks_rbac_enabled/aks_rbac_enabled.py

+                report.subscription = subscription_name
+                report.resource_name = cluster.name
+                report.resource_id = cluster_id
+                report.status_extended = f"RBAC enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."


Suggested change

report.status_extended = f"RBAC enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

report.status_extended = f"RBAC is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

sergargar · 2024-03-04T11:17:01Z

prowler/providers/azure/services/aks/aks_rbac_enabled/aks_rbac_enabled.py

+
+                if not cluster.rbac_enabled:
+                    report.status = "FAIL"
+                    report.status_extended = f"RBAC not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."


Suggested change

report.status_extended = f"RBAC not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

report.status_extended = f"RBAC is not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

sergargar · 2024-03-04T11:18:02Z

prowler/providers/azure/services/aks/aks_service.py

+                clusters.update({subscription_name: {}})
+
+                for cluster in clusters_list:
+                    if getattr(cluster, "kubernetes_version", ""):


Suggested change

if getattr(cluster, "kubernetes_version", ""):

if getattr(cluster, "kubernetes_version", None):

sergargar · 2024-03-04T11:45:51Z

..._container_images_vulnerabilities_scaned/defender_container_images_vulnerabilities_scaned.py

+                    != "Unhealthy"
+                ):
+                    report.status = "PASS"
+                    report.status_extended = f"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) is enabled in subscription '{subscription_name}'."


Suggested change

report.status_extended = f"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) is enabled in subscription '{subscription_name}'."

report.status_extended = f"Azure running container images do not have unresolved vulnerabilities in subscription '{subscription_name}'."

sergargar · 2024-03-04T11:47:37Z

...images_vulnerabilities_scaned/defender_container_images_vulnerabilities_scaned.metadata.json

This metadata is for the new check defender_container_images_scan_enabled

sergargar · 2024-03-05T11:19:51Z

...es/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.py

+                if not pricings["Containers"].extensions[
+                    "ContainerRegistriesVulnerabilityAssessments"
+                ]:


Suggested change

if not pricings["Containers"].extensions[

"ContainerRegistriesVulnerabilityAssessments"

]:

if not pricings["Containers"].extensions.get(

"ContainerRegistriesVulnerabilityAssessments"

):

sergargar · 2024-03-05T11:20:00Z

...es/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.py

+                "Containers" in pricings
+                and "ContainerRegistriesVulnerabilityAssessments"
+                in pricings["Containers"].extensions


Suggested change

"Containers" in pricings

and "ContainerRegistriesVulnerabilityAssessments"

in pricings["Containers"].extensions

"Containers" in pricings

sergargar · 2024-03-05T11:24:00Z

...es_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.metadata.json

Please, review it carefully.

now the description and risk fit better with the check

sergargar

Awesome job!! 🚀

puchy22 added 5 commits March 1, 2024 15:00

build(deps): Add new package to manage AKS

718f3c9

feat(azure): Add new service to manage AKS

6d3c741

feat(aks): New check related to deny public access

76467e8

feat(aks): New check that ensure cluster have no public nodes

285afcb

feat(aks): New check that ensure network policy is enabled

bda2ad4

github-actions bot added the provider/azure Issues/PRs related with the Azure provider label Mar 1, 2024

puchy22 added 11 commits March 4, 2024 09:45

fix(aks): Manage Network policies to None

21bad84

fix(aks): Add valid metadata to network policy check

b7d2919

feat(aks): New check to ensure RBAC is enabled

01a923a

test(aks): Unit test for AKS service

fb4a41a

test(aks): New unit test

33df0aa

check that ensure clusters created with private nodes

test(aks): New unit tests

e21a5ab

for check to ensure public access is disabled

test(aks): New unit tests

fa7aca2

for check to ensure if a network policy is enabled

test(aks): New unit tests

97fe630

for check to ensure if rbac is enabled in the cluster

feat(aks): New check to ensure current images has vulnerabilites reso…

71d02e7

…lved

fix(defender): Status extended bad

acd0fea

test(defender) Add new tests

b0c51fd

puchy22 marked this pull request as ready for review March 4, 2024 11:06

puchy22 requested a review from a team as a code owner March 4, 2024 11:06

sergargar reviewed Mar 4, 2024

View reviewed changes

puchy22 added 19 commits March 4, 2024 13:04

fix(defender): Fix VM assessments check

12ea230

fix(aks): Change name of AKS service class

47da389

chore(aks): Change status extended

aae92f2

chore(aks): Change status extended

9413a92

chore(aks): Change ensure using RBAC check name

7b66312

feat(aks): Add new terraform links

d802675

chore(aks): Change status extended

f1aed1c

chore(aks): Change None return for aks_version if not found

65dd5c7

chore(aks): Delete unnecesary default value

8b30c63

fix(aks): Change status extended

80bce2d

fix(defender): Change name, metadata and logic

18989e6

test(defender): Add new test for not applicable assessments

2fa79c9

feat(defender): Add extensions to pricings plans

cbaae2a

test(defender): Add extensions to pricings

6694fae

feat(defender): Add new test to ensure images for containers are scanned

ed487cc

test(defender): Unit test for check that ensure images are scanned

0358454

fix(defender): Metadata check name changed

fe121c4

Merge branch 'master' into azure-aks-checks

a5f1e31

fix(azure): Fix poetrylock

9516f93

sergargar reviewed Mar 5, 2024

View reviewed changes

...es_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.metadata.json Outdated

Copy link

Member

sergargar Mar 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, review it carefully.

puchy22 added 3 commits March 5, 2024 13:46

fix(defender): Change metadata information

e647be4

now the description and risk fit better with the check

chore(defender): Change the comprobations of key variable

db9fda4

fix(defender): Fix test case

d4267e7

sergargar approved these changes Mar 5, 2024

View reviewed changes

sergargar merged commit ddd43ba into prowler-cloud:master Mar 5, 2024
11 checks passed

puchy22 deleted the azure-aks-checks branch March 25, 2024 11:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(azure): Azure new checks related with AKS #3476

feat(azure): Azure new checks related with AKS #3476

puchy22 commented Mar 1, 2024 •

edited

codecov bot commented Mar 1, 2024 •

edited

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 4, 2024

sergargar Mar 5, 2024

sergargar Mar 5, 2024

sergargar Mar 5, 2024

sergargar left a comment

		@@ -1,4 +1,4 @@
		# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand.
		# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand.

	aks_client = Aks(azure_audit_info)
	aks_client = AKS(azure_audit_info)

	report.status_extended = f"Network policy enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."
	report.status_extended = f"Network policy is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

	"CheckID": "aks_rbac_enabled",
	"CheckID": "aks_cluster_rbac_enabled",

	"Terraform": ""
	"Terraform": "https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2#terraform"

	report.status_extended = f"RBAC enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."
	report.status_extended = f"RBAC is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

	report.status_extended = f"RBAC not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."
	report.status_extended = f"RBAC is not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'."

	if getattr(cluster, "kubernetes_version", ""):
	if getattr(cluster, "kubernetes_version", None):

	report.status_extended = f"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) is enabled in subscription '{subscription_name}'."
	report.status_extended = f"Azure running container images do not have unresolved vulnerabilities in subscription '{subscription_name}'."

feat(azure): Azure new checks related with AKS #3476

feat(azure): Azure new checks related with AKS #3476

Conversation

puchy22 commented Mar 1, 2024 • edited

Context

Description

License

codecov bot commented Mar 1, 2024 • edited

Codecov Report

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

sergargar left a comment

Choose a reason for hiding this comment

puchy22 commented Mar 1, 2024 •

edited

codecov bot commented Mar 1, 2024 •

edited