How to view host vulnerabilities in your Azure Kubernetes service clusters.


By Mark Davis, Customer Success Engineer

 

Introduction 

A common customer question is how to view host vulnerabilities in the Asset Inventory for each Cloud Service Provider. In this article we focus on Azure; follow-up articles will cover GCP and AWS.

 

Kubernetes is a popular container orchestration tool, and most Cloud Service Providers have a managed offering: Azure has AKS, Google offers GKE, AWS has EKS and Red Hat offers OpenShift. The container workloads for all of these managed offerings run on host machines, and those machines can contain vulnerabilities.


The Prisma Cloud Command Center dashboard is the first high-level dashboard that provides visibility into vulnerabilities; its purpose is to identify the top issues by severity for hosts and images. To filter by host name or severity, or to control how many resources are displayed, use the Asset Inventory instead.

 

Figure 1 - Command Center Main Dashboard

 

 
Figure 2 - Command Center Top Vulnerable Hosts Dashboard

 

The updated Asset Inventory now lets you view host vulnerabilities that previously could only be viewed from the Compute module. Later in this article we cover how to view vulnerabilities on your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset Explorer pages.

 

The host vulnerabilities in question exist on the Kubernetes service worker nodes. To view the worker nodes with vulnerabilities, we first need to identify the names they are assigned in Azure. During cluster creation, the Azure Kubernetes Service creates a resource group whose name begins with "mc_"; the rest of the name is normally built from the resource group used and the cluster name. The worker nodes and all of the other resources required to run the cluster are placed in this mc_ resource group.

 

The steps below show how to locate the worker node names using the Azure GUI and the CLI.

Note: If you already have the worker node names, you can skip to step 4.

If you have access to the AKS cluster and its .kube/config, the CLI is the fastest way to capture the worker node names.


How to Find the Resource Names of Azure Kubernetes Nodes: GUI method


The detected vulnerabilities will not show up under the Azure Kubernetes Service entry in the Prisma Cloud Asset Inventory dashboard, nor after selecting the service to view the individual clusters. The screenshot below shows the Azure Kubernetes Service in the Asset Inventory view; note that nothing is reported in the Vulnerabilities column. This is because vulnerabilities are reported against the actual worker nodes.

 
Figure 3

 

We first need to locate the k8s node pool names that were assigned in Azure.

 

Step 1. 

Log in to the Azure portal. In the search bar at the top, type KUBERNETES SERVICES and select the purple Kubernetes services icon on the left:

 

 
Figure 4

 

Step 2.

Select the name of your k8s cluster from the list displayed. There may be several, so select the one of interest to you:

 

 
Figure 5

 

Step 3.

The next page displays the overview, resources, settings and monitoring parameters for the selected cluster. Under Settings, click Node pools:

 

 
Figure 6: Settings > Node pools

 

Step 4.

The next page displays the node pool name as well as the node count and state. Click the Nodes tab, to the right of Node pools.

This tab lists the full name of each virtual machine scale set node.

Capture the node names as in Example A below.

 

Example A - aks-nodepool1-31658136

 

 
Figure 7 - Nodes

 

The first three hyphen-separated segments of the node name (the form shown in Example A) suffice to locate the resources in Prisma Cloud.

How to Find the Resource Names of Azure Kubernetes Nodes: CLI method


The steps below locate the k8s node names from the Azure Cloud Shell or the CLI.

 

Step 5.

Log in to the Azure Portal and click the Cloud Shell icon to the right of the search bar.

 
Figure 8 - Azure Portal

 

Step 6.

Authenticate to your cluster and run kubectl get nodes.

 

 

Figure 9: CLI

 

Step 7.

Collect the node names from the output.
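The extraction in Steps 5 to 7, combined with the "first three segments" rule from the GUI section, as an added POSIX shell example; it is not part of the original article and not a Prisma Cloud or Azure tool. It runs over a constructed kubectl get nodes listing (the node names, ages and versions are made up for the example) so it works offline; the node_names, search_prefix, unique_prefixes and prefix_count function names are my own. The az and kubectl commands in the comments are real CLI commands but are not executed here.

```shell
#!/bin/sh
# Added example, not from the original article: turn a `kubectl get nodes`
# listing into the short node names (first three hyphen-separated segments)
# that the article searches for in the Prisma Cloud Asset Explorer.

# Constructed sample in the shape of `kubectl get nodes` on an AKS cluster.
# Node names, ages and versions are made up; the naming pattern
# aks-<pool>-<id>-vmss<index> is the one the article describes.
SAMPLE_NODES='NAME                                STATUS   ROLES   AGE   VERSION
aks-nodepool1-31658136-vmss000000   Ready    agent   10d   v1.26.6
aks-nodepool1-31658136-vmss000001   Ready    agent   10d   v1.26.6
aks-userpool-20481923-vmss000000    Ready    agent   3d    v1.26.6'

# Print one full node name per line, skipping the header row and blanks.
node_names() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { print $1 }'
}

# Reduce a single node name to its first three hyphen-separated segments,
# e.g. aks-nodepool1-31658136-vmss000000 -> aks-nodepool1-31658136
search_prefix() {
  printf '%s\n' "$1" | cut -d '-' -f 1-3
}

# Unique search prefixes for the whole listing: one per node pool, which is
# the string to type into the Asset Explorer search bar.
unique_prefixes() {
  node_names "$1" | cut -d '-' -f 1-3 | sort -u
}

# Number of distinct prefixes; compare it with the node pool count shown in
# the portal as a sanity check that nothing was missed.
prefix_count() {
  unique_prefixes "$1" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample. Against a live cluster,
# after authenticating, feed the real listing instead:
#   unique_prefixes "$(kubectl get nodes)"
# The mc_ resource group holding these nodes can be read with (real az CLI):
#   az aks show --resource-group <rg> --name <cluster> --query nodeResourceGroup -o tsv
unique_prefixes "$SAMPLE_NODES"
```

The sample listing deliberately contains two pools so that the deduplication step is visible: six nodes across two pools reduce to two search strings, one per pool, which is all the Asset Explorer filter needs.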

 

Step 8.

Now that you have the node names, log in to Prisma Cloud. Once logged in, go to Inventory and select Assets.

 

 
Figure 10: Inventory > Assets

 

From the Assets inventory page, filter by Resource Type = Azure Virtual Machine.

 

 

Figure 11 - Asset Inventory > Resource Type

 

The filtered results are displayed at the bottom of the page. Click the total number of assets listed for Azure Compute.

 

 
Figure 12: Service Name > Azure Compute > Total

 

This takes you to the Asset Explorer page with the following filters applied:

 

Service Name = Azure Compute

Cloud Type = Azure

Date = Most Recent

Resource Type = Azure Virtual Machine

 

 
Figure 13: Asset Explorer

 

The applied filter lists all of the virtual machines running in the Azure subscription or tenant. This page also provides visibility into the alerts and vulnerabilities we are looking for on the AKS worker nodes.

 

 
Figure 14: Asset Explorer Details

 

To locate the worker nodes identified in the earlier steps within this list, filter by the node names collected using the GUI or CLI method.

 

Type the node name into the search bar at the far right.

 
Figure 15: Search bar

 

The Asset Explorer now displays the worker nodes in your AKS cluster together with all of their alerts, severities and vulnerabilities.

 

 
Figure 16: Asset Explorer

 

How is this information helpful?

 

The details on the Asset Explorer page expand on the visibility you get from Compute > Monitor > Vulnerability > Hosts by providing additional information about tags, related items and the worker node's audit trail.


What’s Next on the Asset Explorer page?

 

You can download this high-level view as a CSV file, by clicking the download link, to be shared and reviewed.

 
Figure 17: Download CSV

 

 
Figure 18: CSV file

 

Clicking any of the vulnerabilities found displays its Type, CVE name and Risk factor.

 

 
Figure 19 - Vulnerabilities

 

Hovering the cursor over the Risk factor displays the attack complexity, attack vector and severity details.

 

 
Figure 20 - Risk Factor

 

Downloading this report creates an external findings CSV file that contains all of the vulnerabilities for the selected host. This report can be handed to a remediation team directly from the Asset Explorer dashboard in Prisma Cloud.

 

 
Figure 21: CSV output

 

Conclusion  

 

In summary, this article walked through the steps to view host vulnerabilities on your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset Explorer pages. It also covered how to locate the node names for a given AKS cluster using the Azure Portal and the CLI. Once the names were identified, we used filters on the Asset Inventory page to view vulnerability data that is normally displayed in Compute. Using the Asset Explorer is another way to obtain visibility into your environment and review the audit trail.

 


About the Author:

Mark Davis is a Customer Success Engineer on the Prisma Cloud team, specializing in solving enterprise customer questions by empowering customers with the knowledge and guidance to protect their cloud resources and workloads.
