Azure AKS cluster monitoring not enabled
Description
The Azure Monitor service collects and stores valuable telemetry reported by AKS. This includes memory and processor metrics for controllers, nodes and containers, as well as logs from the individual containers. The data is accessible through the Log Analytics workspace and Azure Monitor instance linked to the AKS cluster. We recommend storing memory and processor metrics from containers, nodes, and controllers, because it enables both real-time and post-mortem analysis of unexpected behavior in AKS clusters.
Code Example
The compliant configuration enables the `omsagent` addon and binds it to a Log Analytics workspace:

```json
{
  "addonProfiles": {
    "omsagent": {
      "config": {
        "logAnalyticsWorkspaceResourceID": "/subscriptions/GUID/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-GUID-weu"
      },
      "enabled": true
    }
  }
}
```

Remediation
CLI Command
To enable Azure Monitor for an existing AKS cluster, use the following command (`--workspace-resource-id` expects the full Azure resource ID of the Log Analytics workspace):

```shell
az aks enable-addons -a monitoring -n rg-weu-my-cluster -g rg-weu-my-cluster-group --workspace-resource-id 4ab81b6f-c07d-d174-ef26-f4344bad14a
```

To use the default Log Analytics workspace instead, omit the workspace flag:

```shell
az aks enable-addons -a monitoring -n rg-weu-my-cluster -g rg-weu-my-cluster-group
```

This will take a few moments. When complete, you can verify using the show command:

```shell
az aks show -n rg-weu-my-cluster -g rg-weu-my-cluster-group
```

This provides general AKS information, including the following portion for:
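The verification step above prints the cluster as JSON, and the same `addonProfiles` structure appears in an ARM resource under `properties`. The following is an added example (not Checkov's implementation of CKV_AZURE_4 and not part of the original page) of a small policy check that evaluates either form and reports why a cluster fails: addon profile missing, addon present but disabled, or enabled without a bound Log Analytics workspace. The function names `monitoring_status` and `is_compliant` and both sample documents are constructed for this example; the workspace ID in them is a placeholder.

```python
"""Check whether an AKS cluster definition has the Azure Monitor (omsagent) addon enabled.

Accepts either an ARM managedClusters resource (addonProfiles under "properties")
or the JSON printed by `az aks show` (addonProfiles at the top level).
Hypothetical example code; it is not Checkov's own check.
"""
import json


def _addon_profiles(cluster: dict) -> dict:
    # ARM template resources nest addonProfiles under "properties";
    # `az aks show` output carries it at the top level.
    props = cluster.get("properties", cluster)
    return props.get("addonProfiles") or {}


def monitoring_status(cluster: dict) -> dict:
    """Return {'enabled': bool, 'workspace': str|None, 'reason': str} for the cluster."""
    profiles = _addon_profiles(cluster)
    # Key casing differs between sources ("omsagent" vs "omsAgent"), so match case-insensitively.
    oms = next((v for k, v in profiles.items() if k.lower() == "omsagent"), None)
    if not isinstance(oms, dict):
        return {"enabled": False, "workspace": None, "reason": "omsagent addon profile missing"}
    # ARM allows the flag as a bool or as the string "true"; normalise both.
    enabled = str(oms.get("enabled", False)).lower() == "true"
    cfg = oms.get("config") or {}
    workspace = next(
        (v for k, v in cfg.items() if k.lower() == "loganalyticsworkspaceresourceid"), None
    )
    if not enabled:
        reason = "omsagent addon present but disabled"
    elif not workspace:
        reason = "omsagent enabled but no Log Analytics workspace bound"
    else:
        reason = "ok"
    return {"enabled": enabled, "workspace": workspace, "reason": reason}


def is_compliant(cluster: dict) -> bool:
    """True only when the addon is enabled and a workspace resource ID is configured."""
    status = monitoring_status(cluster)
    return status["enabled"] and status["workspace"] is not None


# Constructed sample: ARM-style resource with monitoring enabled (placeholder workspace ID).
COMPLIANT_ARM = json.loads("""
{
  "type": "Microsoft.ContainerService/managedClusters",
  "name": "rg-weu-my-cluster",
  "properties": {
    "addonProfiles": {
      "omsagent": {
        "config": {
          "logAnalyticsWorkspaceResourceID": "/subscriptions/PLACEHOLDER-GUID/resourcegroups/rg/providers/microsoft.operationalinsights/workspaces/ws"
        },
        "enabled": true
      }
    }
  }
}
""")

# Constructed sample: `az aks show`-style output where the addon exists but is switched off.
DISABLED_SHOW = json.loads("""
{
  "name": "rg-weu-my-cluster",
  "addonProfiles": {
    "omsAgent": {"config": null, "enabled": false}
  }
}
""")

# Constructed sample: no addon profiles at all.
MISSING_SHOW = {"name": "rg-weu-my-cluster", "addonProfiles": None}

if __name__ == "__main__":
    for label, doc in [("arm", COMPLIANT_ARM), ("disabled", DISABLED_SHOW), ("missing", MISSING_SHOW)]:
        print(label, is_compliant(doc), monitoring_status(doc)["reason"])
```

Piping real output through it is `az aks show -n <name> -g <group> | python -c 'import json,sys; ...'`; the returned reason string is what you would surface in a finding, since "enabled but no workspace" and "profile missing" need different fixes.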
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0515 |
| Severity | INFO |
| IaC Type | arm |
| Frameworks | ARM, Terraform, Bicep, TerraformPlan |
| Checkov ID | CKV_AZURE_4 |