Azure AKS cluster Azure CNI networking not enabled
Description
This policy checks that an Azure Kubernetes Service (AKS) cluster has Azure Container Network Interface (CNI) networking enabled; a cluster without it is flagged as a security risk. Azure CNI is the network plugin that connects Kubernetes-managed containers to Azure networking: each pod is assigned its own IP address from the Azure Virtual Network, so pods can reach services directly over the Azure Virtual Network infrastructure. This reduces the risk of network intrusion and simplifies network management within the cluster, thereby improving overall security.
Code Example
```hcl
resource "azurerm_kubernetes_cluster" "aks_example" {
  // other configuration
  network_profile {
    network_plugin = "azure"
    // other configuration
  }
}
```
Remediation
Terraform
- Resource: azurerm_kubernetes_cluster
- Arguments: network_profile.network_plugin
To fix this issue, set `network_plugin = "azure"` in the `network_profile` block of the `azurerm_kubernetes_cluster` resource.
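The following is an added example, not Checkov's or this page's own code: a minimal evaluator for this rule over the resource attributes of a Terraform plan, which also covers the case where the `network_profile` block is missing entirely (the cluster then falls back to the provider default rather than Azure CNI). The resource map shape and the sample resources are constructed for illustration.

```python
# Added example: evaluate rule IAC-0786 / CKV2_AZURE_29 against a constructed
# map of Terraform resource addresses -> attribute dicts (not a real plan).
from typing import Any, Dict, List


def aks_uses_azure_cni(resource: Dict[str, Any]) -> bool:
    """Return True only when the AKS resource explicitly sets network_plugin = "azure"."""
    profiles = resource.get("network_profile")
    # HCL accepts a single network_profile block; plan JSON renders blocks as lists,
    # so normalise a bare dict into a one-element list.
    if isinstance(profiles, dict):
        profiles = [profiles]
    if not profiles:
        # No block at all: Azure CNI was never selected, so the cluster fails the rule.
        return False
    # azurerm validates this value case-sensitively, so require the exact string.
    return profiles[0].get("network_plugin") == "azure"


def evaluate(resources: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return the sorted addresses of azurerm_kubernetes_cluster resources that fail."""
    failing = []
    for address, attrs in resources.items():
        if not address.startswith("azurerm_kubernetes_cluster."):
            continue  # the rule only applies to AKS clusters
        if not aks_uses_azure_cni(attrs):
            failing.append(address)
    return sorted(failing)


# Constructed sample resources mirroring the page's example plus two failing shapes.
SAMPLE_RESOURCES: Dict[str, Dict[str, Any]] = {
    "azurerm_kubernetes_cluster.aks_example": {"network_profile": [{"network_plugin": "azure"}]},
    "azurerm_kubernetes_cluster.legacy": {"network_profile": [{"network_plugin": "kubenet"}]},
    "azurerm_kubernetes_cluster.bare": {},
    "azurerm_resource_group.rg": {"location": "westeurope"},
}

if __name__ == "__main__":
    for addr in evaluate(SAMPLE_RESOURCES):
        print(f"FAILED CKV2_AZURE_29: {addr}")
```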
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0786 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_29 |