
AKS clusters use Network Policies#

Security · Azure Kubernetes Service · 2020_06

Deploy AKS clusters with Network Policies enabled.

Description#

AKS clusters provide a platform to host containerized workloads. The running of these applications or services is orchestrated by Kubernetes. Workloads may elastically scale or change network addressing.

By default, all pods in an AKS cluster can send and receive traffic without limitations. Network Policy defines access policies that limit which pods may communicate with each other. Using Network Policies allows network controls to be applied in the context of the workload rather than by network address.

For improved security, define network policy rules to control the flow of traffic. For example, only permit backend components to receive traffic from frontend components.

To use Network Policy, it must be enabled at cluster deployment time. AKS supports two implementations of network policies: Azure Network Policies and Calico Network Policies. Azure Network Policies are supported by Azure support and engineering teams.

Recommendation#

Consider deploying AKS clusters with network policy enabled to extend network segmentation into clusters.

Examples#

Configure with Azure template#

To deploy AKS clusters that pass this rule:

  • Set properties.networkProfile.networkPolicy to azure or calico.

For example:

Azure Template snippet
{
    "type": "Microsoft.ContainerService/managedClusters",
    "apiVersion": "2021-07-01",
    "name": "[parameters('clusterName')]",
    "location": "[parameters('location')]",
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]": {}
        }
    },
    "properties": {
        "kubernetesVersion": "[parameters('kubernetesVersion')]",
        "enableRBAC": true,
        "dnsPrefix": "[parameters('dnsPrefix')]",
        "agentPoolProfiles": "[variables('allPools')]",
        "aadProfile": {
            "managed": true,
            "enableAzureRBAC": true,
            "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
            "tenantID": "[subscription().tenantId]"
        },
        "networkProfile": {
            "networkPlugin": "azure",
            "networkPolicy": "azure",
            "loadBalancerSku": "standard",
            "serviceCidr": "[variables('serviceCidr')]",
            "dnsServiceIP": "[variables('dnsServiceIP')]",
            "dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
        },
        "autoUpgradeProfile": {
            "upgradeChannel": "[parameters('upgradeChannel')]"
        },
        "addonProfiles": {
            "httpApplicationRouting": {
                "enabled": false
            },
            "azurepolicy": {
                "enabled": true,
                "config": {
                    "version": "v2"
                }
            },
            "omsagent": {
                "enabled": true,
                "config": {
                    "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
                }
            },
            "kubeDashboard": {
                "enabled": false
            },
            "azureKeyvaultSecretsProvider": {
                "enabled": true,
                "config": {
                    "enableSecretRotation": "[string(parameters('useSecretRotation'))]"
                }
            },
            "openServiceMesh": {
                "enabled": "[parameters('useOpenServiceMesh')]"
            }
        }
    },
    "tags": "[parameters('tags')]",
    "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
    ]
}
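The following is an added example, not PSRule's own code: a stand-alone Python check that evaluates this rule against an ARM template, flagging each managedClusters resource whose networkPolicy is missing, not azure or calico, or is azure without the Azure CNI plugin (Azure Network Policy requires networkPlugin azure; Calico also works with kubenet). The sample template is constructed for illustration.

```python
import json

# Added example (not PSRule's own code): evaluate the rule on this page against an ARM
# template, reporting every managedClusters resource whose network policy is not enabled.
ALLOWED_POLICIES = {"azure", "calico"}


def network_policy_findings(template: dict) -> list:
    """One finding per AKS cluster that fails the rule; an empty list means all pass."""
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.containerservice/managedclusters":
            continue
        name = res.get("name", "<unnamed>")
        profile = res.get("properties", {}).get("networkProfile") or {}
        policy = profile.get("networkPolicy")
        plugin = str(profile.get("networkPlugin", "")).lower()
        if policy is None:
            findings.append(f"{name}: networkProfile.networkPolicy not set; pods can talk freely")
        elif str(policy).startswith("["):
            # Unresolved ARM expression: verify the parameter value at deployment time instead.
            findings.append(f"{name}: networkPolicy is an expression ({policy}); cannot verify statically")
        elif str(policy).lower() not in ALLOWED_POLICIES:
            findings.append(f"{name}: networkPolicy '{policy}' is not azure or calico")
        elif str(policy).lower() == "azure" and plugin != "azure":
            # Azure Network Policy requires Azure CNI; Calico also works with kubenet.
            findings.append(f"{name}: networkPolicy 'azure' requires networkPlugin 'azure', got '{plugin}'")
    return findings


# Constructed sample template: one compliant cluster, one with policy omitted, one mismatched,
# and one non-AKS resource that the check must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-prod",
     "properties": {"networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"}}},
    {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-dev",
     "properties": {"networkProfile": {"networkPlugin": "kubenet"}}},
    {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-test",
     "properties": {"networkProfile": {"networkPlugin": "kubenet", "networkPolicy": "azure"}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlogs", "properties": {}}
  ]
}
""")

if __name__ == "__main__":
    for finding in network_policy_findings(SAMPLE_TEMPLATE) or ["all AKS clusters pass"]:
        print(finding)
```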

Configure with Bicep#

To deploy AKS clusters that pass this rule:

  • Set properties.networkProfile.networkPolicy to azure or calico.

For example:

Azure Bicep snippet
resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
  location: location
  name: clusterName
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    kubernetesVersion: kubernetesVersion
    enableRBAC: true
    dnsPrefix: dnsPrefix
    agentPoolProfiles: allPools
    aadProfile: {
      managed: true
      enableAzureRBAC: true
      adminGroupObjectIDs: clusterAdmins
      tenantID: subscription().tenantId
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPolicy: 'azure'
      loadBalancerSku: 'standard'
      serviceCidr: serviceCidr
      dnsServiceIP: dnsServiceIP
      dockerBridgeCidr: dockerBridgeCidr
    }
    autoUpgradeProfile: {
      upgradeChannel: upgradeChannel
    }
    addonProfiles: {
      httpApplicationRouting: {
        enabled: false
      }
      azurepolicy: {
        enabled: true
        config: {
          version: 'v2'
        }
      }
      omsagent: {
        enabled: true
        config: {
          logAnalyticsWorkspaceResourceID: workspaceId
        }
      }
      kubeDashboard: {
        enabled: false
      }
      azureKeyvaultSecretsProvider: {
        enabled: true
        config: {
          enableSecretRotation: string(useSecretRotation)
        }
      }
      openServiceMesh: {
        enabled: useOpenServiceMesh
      }
    }
  }
  tags: tags
}

Notes#

Network Policy is a deployment time configuration. AKS clusters must be redeployed to enable Network Policy.


Last update: 2022-12-03
