A common customer question is how to view host vulnerabilities in the Asset Inventory for each Cloud Service Provider. In this article, we will focus on Azure, following up with articles for GCP and AWS.
Kubernetes is a popular container orchestration tool, and most Cloud Service Providers have a managed offering: Azure has AKS, Google offers GKE, AWS has EKS and Red Hat offers OpenShift. The container workloads for all of these managed offerings run on host machines, and those machines can contain vulnerabilities.
The Prisma Cloud Command Center dashboard is the first high-level dashboard that provides visibility into vulnerabilities; its purpose is to identify the top issues by severity for hosts and images. To filter by host name, severity or the number of resources displayed, use the Asset Inventory instead.
Figure 1 - Command Center Main Dashboard
Figure 2 - Command Center Top Vulnerable Hosts Dashboard
The updated Asset Inventory now lets you view host vulnerabilities that previously could only be viewed from the Compute module. Later in the article we cover how to view vulnerabilities on your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset Explorer pages.
The host vulnerabilities in question exist on the Kubernetes service worker nodes. To view the worker nodes with vulnerabilities, we first need to identify the names Azure assigns them. Azure Kubernetes Service creates a node resource group during cluster creation whose name begins with “mc_”; by default it is built from the cluster's resource group, the cluster name and the region (MC_<resource group>_<cluster name>_<region>). The worker nodes and all of the other resources required to run the cluster are placed in this mc_ resource group.
The steps below show how to locate the worker node names using the Azure portal (Steps 1 to 4) and the Azure CLI (Steps 5 to 7).
Note: If you already have the worker node names, you can skip to Step 8.
If you have access to the AKS cluster and its .kube/config, the CLI is the fastest way to capture the worker node names.
The detected vulnerabilities do not show up under the Azure Kubernetes service in the Prisma Cloud Asset Inventory dashboard, nor after selecting the service to view individual clusters. The screenshot below shows the Azure Kubernetes service in the Asset Inventory view; the Vulnerabilities column is empty because the vulnerabilities are reported against the worker node virtual machines themselves.
Figure 3
Step 1.
Log into the Azure portal and type KUBERNETES SERVICES in the search bar at the top. Select the purple Kubernetes services icon on the left:
Figure 4
Step 2.
Select the name of your Kubernetes cluster from the list displayed; there may be several, so select the one of interest to you:
Figure 5
Step 3.
The next page displays the overview, resources, settings and monitoring parameters for the selected cluster. Under Settings, click Node pools:
Figure 6: Settings > Node pools
Step 4.
The next page displays the node pool name as well as the node count and state. Click the Nodes tab to the right of Node pools.
This tab lists the full name of each node, which is derived from the virtual machine scale set that backs the node pool.
Capture the node names as in Example A below.
Example A - aks-nodepool1-31658136
Figure 7 - Nodes
The first three hyphen-separated segments of the node name (the aks prefix, the pool name and the numeric identifier, as in Example A) suffice to locate the resources in Prisma Cloud.
The steps below show how to locate the Kubernetes node names from the Azure Cloud Shell or the CLI.
Step 5.
Log into the Azure portal and click the Cloud Shell icon to the right of the search bar.
Figure 8 - Azure Portal
Step 6.
Authenticate to your cluster and run kubectl get nodes:
Figure 9: CLI
Step 7.
Collect the node names from the output.
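As an added example (not code from the original article or from Prisma Cloud), the following POSIX shell script turns the kubectl output from Steps 6 and 7 into the three-segment search prefixes used in the Prisma Cloud steps that follow. The kubectl output embedded in it is a constructed sample, and the RG, CLUSTER and MC_RG variables in the comments are placeholders for your own values.

```shell
#!/bin/sh
# Constructed sample of `kubectl get nodes --no-headers` output for an AKS
# cluster with two node pools; not captured from a real cluster.
SAMPLE_NODES='aks-nodepool1-31658136-vmss000000   Ready   agent   12d   v1.27.7
aks-nodepool1-31658136-vmss000001   Ready   agent   12d   v1.27.7
aks-userpool-20934512-vmss000000    Ready   agent   3d    v1.27.7'

# Keep only the first three hyphen-separated segments of a node name
# (aks-<pool>-<id>), which is the prefix the Prisma Cloud search needs.
node_prefix() {
    printf '%s\n' "$1" | cut -d- -f1-3
}

# Read `kubectl get nodes --no-headers` lines on stdin and print one
# unique search prefix per node pool.
unique_prefixes() {
    awk '{ print $1 }' | while IFS= read -r node; do
        node_prefix "$node"
    done | sort -u
}

# Against a real cluster (assumes az and kubectl are installed and you are
# logged in; RG and CLUSTER are placeholders for your values):
#   az aks get-credentials --resource-group "$RG" --name "$CLUSTER"
#   kubectl get nodes --no-headers | unique_prefixes
# Without cluster access, the scale set names in the MC_ resource group
# carry the same prefix (MC_RG is a placeholder for that group's name):
#   az vmss list --resource-group "$MC_RG" --query '[].name' -o tsv
printf '%s\n' "$SAMPLE_NODES" | unique_prefixes
```

Run as-is it prints the two pool prefixes from the sample; piping real kubectl output into unique_prefixes gives you one search term per node pool to paste into the Asset Explorer search bar.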
Step 8.
Now that you have the node names, log into Prisma Cloud. Once logged in, go to Inventory and select Assets.
Figure 10: Inventory > Assets
From the Assets inventory page, filter by Resource Type = Azure Virtual Machine.
Figure 11 - Asset Inventory > Resource Type
The filtered results are displayed at the bottom of the page. Click the total number of assets listed for Azure Compute.
Figure 12: Service Name > Azure Compute > Total
This takes you to the Asset Explorer page with the filters below applied.
Service Name = Azure Compute
Cloud Type = Azure
Date = Most Recent
Resource Type = Azure Virtual Machine
Figure 13: Asset Explorer
The applied filter displays all of the virtual machines running in the Azure subscription or tenant. This page also provides visibility into the alerts and vulnerabilities we are looking for on the AKS worker nodes.
Figure 14: Asset Explorer Details
To locate the worker nodes identified in the earlier steps within this list, filter by the node names collected using the GUI or CLI method.
Type the node name into the search bar at the far right:
Figure 15: Search bar
The Asset Explorer now displays the worker nodes in your AKS cluster along with all of their alerts, severities and vulnerabilities.
Figure 16: Asset Explorer
The details in the Asset Explorer page expand on the visibility you get from Compute > Monitor > Vulnerabilities > Hosts by providing additional information about tags, related items and the worker node's audit trail.
You can download this high-level view as a CSV file by clicking the download link, so it can be shared and reviewed.
Figure 17: Download csv
Figure 18: CSV file
Clicking any of the vulnerabilities found displays its type, CVE name and risk factor.
Figure 19 - Vulnerabilities
Hovering over the risk factor displays the attack complexity, attack vector and severity details.
Figure 20 - Risk Factor
Downloading this report creates an external findings CSV file that contains all of the vulnerabilities for the selected host. This report, exported from the Asset Explorer dashboard in Prisma Cloud, can be handed to a team for remediation.
Figure 21: CSV output
In summary, this article guided you through the steps to view host vulnerabilities on your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset Explorer pages. It also covered how to locate the node names for a given AKS cluster using the Azure portal and the CLI. Once the names were identified, we used filters in the Asset Inventory page to view vulnerability data that is normally displayed in Compute. Using the Asset Explorer is another way to obtain visibility into your environment and review the audit trail.
Mark Davis is a Customer Success Engineer on the Prisma Cloud team, specializing in solving enterprise customer questions by empowering the customers with knowledge and guidance in protecting cloud resources and workloads.