on 03-04-2024 09:38 AM - edited on 11-08-2024 12:27 PM by RPrasadi
A common customer question is how to view host vulnerabilities in the Asset Inventory for each Cloud Service Provider. In this article, we will focus on Azure, following up with articles for GCP and AWS.
Kubernetes is a popular container orchestration tool, and most Cloud Service Providers have a managed offering: Azure has AKS, Google offers GKE, AWS has EKS and Red Hat offers OpenShift. The container workloads for all of these managed offerings run on host machines, and those machines can contain vulnerabilities.
The Prisma Cloud Command Center dashboard is the first high-level dashboard that provides visibility into vulnerabilities; its purpose is to identify the top issues by severity for hosts and images. To filter by host name, by severity, or by how many resources are displayed, it is recommended to explore the Asset Inventory instead.
Figure 1: Command Center Main Dashboard
Figure 2: Command Center Top Vulnerable Hosts Dashboard
The updated Asset Inventory now allows you to view host vulnerabilities that previously could only be viewed from the Compute module. Later in the article, we will cover how to view vulnerabilities on your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset Explorer pages.
The host vulnerabilities in question exist on the Kubernetes service worker nodes. To view the worker nodes with vulnerabilities, we first need to identify the names they are assigned in Azure. The Azure Kubernetes Service creates a resource group during cluster creation whose name begins with “MC_”; it normally also contains the name of the resource group you used and the cluster name. The worker nodes, NSGs, disks, route tables and all of the other resources required to run the cluster are placed in this MC_ resource group.
The steps below show you how to locate the worker node names using the Azure GUI and the CLI.
Note: If you already have the worker node names you can skip to step 4.
If you have access to the AKS cluster and its .kube/config, the CLI is the fastest way to capture the worker node names.
The detected vulnerabilities will not show up under the Azure Kubernetes Service in the Prisma Cloud Asset Inventory dashboard, nor after selecting the service to view multiple clusters. The screenshot below shows the Azure Kubernetes Service in the Asset Inventory view: nothing is reported in the Vulnerabilities column. This is because the vulnerabilities are reported against the actual worker nodes, not the AKS service.
Figure 3: We need to first locate the k8s node pool names that were assigned in Azure
Log into the Azure portal. From the search bar at the top, type KUBERNETES SERVICES and select the purple Kubernetes services icon on the left:
Figure 4: Kubernetes services
Select the name of your k8s cluster from the list displayed. There may be several; click the one of interest to you:
Figure 5: myAKSClusters
The next page displays the overview, resources, settings and monitoring parameters for the selected cluster. Under Settings, click Node pools:
Figure 6: Settings > Node pools
The next page displays the node pool name as well as the node count and state. Click the tab to the right of Node pools, named Nodes.
This tab lists the full name of each virtual machine scale set node.
We need to capture the node names, as in example A below.
Figure 7: Nodes
The first three names and numbers between the hyphens suffice to locate the resources in Prisma Cloud (aks-nodepool1-17089374).
The steps below show how to locate the k8s node names from the Azure Cloud Shell or CLI.
Log into the Azure Portal and click the Cloud Shell icon to the right of the search bar.
Figure 8: Azure Portal
Authenticate to your cluster and type kubectl get nodes.
Figure 9: CLI
Collect the node names from the output.
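The CLI procedure above, scripted as an added example (not part of the original article): it lists the cluster's nodes and reduces each name to the three-field prefix the article says is enough for the Prisma Cloud search. It assumes node names follow the aks-<nodepool>-<id>-vmss<nnnnnn> pattern shown in the screenshots; RESOURCE_GROUP and CLUSTER_NAME are hypothetical placeholders, and the `kubectl get nodes` output embedded below is a constructed sample so the script also runs offline.

```shell
#!/usr/bin/env sh
# Added example: derive Prisma Cloud search prefixes from AKS worker-node names.
set -eu

# Reduce a full node name such as aks-nodepool1-17089374-vmss000000 to its
# first three hyphen-separated fields (aks-nodepool1-17089374).
node_prefix() {
  printf '%s\n' "$1" | cut -d- -f1-3
}

# Read "kubectl get nodes"-style output on stdin (header line first) and
# print the unique node-name prefixes, one per line.
unique_prefixes() {
  awk 'NR > 1 && $1 != "" { print $1 }' | while IFS= read -r name; do
    node_prefix "$name"
  done | sort -u
}

# Constructed sample of `kubectl get nodes` output (not a real cluster).
SAMPLE_NODES='NAME                                STATUS   ROLES   AGE   VERSION
aks-nodepool1-17089374-vmss000000   Ready    agent   10d   v1.28.5
aks-nodepool1-17089374-vmss000001   Ready    agent   10d   v1.28.5
aks-userpool-25461263-vmss000000    Ready    agent   3d    v1.28.5'

# Live path: fetch kubeconfig credentials and list nodes when az and kubectl
# are available and the placeholder variables are set; otherwise fall back to
# the constructed sample. RESOURCE_GROUP and CLUSTER_NAME are hypothetical.
list_prefixes() {
  if command -v az >/dev/null 2>&1 && command -v kubectl >/dev/null 2>&1 \
     && [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${CLUSTER_NAME:-}" ]; then
    az aks get-credentials --resource-group "$RESOURCE_GROUP" \
      --name "$CLUSTER_NAME" --overwrite-existing >/dev/null
    kubectl get nodes | unique_prefixes
  else
    printf '%s\n' "$SAMPLE_NODES" | unique_prefixes
  fi
}
```

Each printed prefix can be pasted into the Asset Explorer search bar described later in the article.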
Now that you have the node names, log into Prisma Cloud. Once you have logged in, go to Inventory and select Assets.
Figure 10: Inventory > Assets
From the Inventory Assets page, add a filter as shown below:
Date: Most Recent
Cloud Type: Azure
Service Name: Azure Compute
Asset Type: Azure Virtual Machine
Figure 11: Assets - Inventory Filtered
The filtered results are displayed at the bottom of the page. Click the total number of assets listed for Azure Compute.
Figure 12: Service Name > Azure Compute > Total
This takes you to the Asset Explorer page with the filters below applied.
Service Name = Azure Compute
Cloud Type = Azure
Date = Most Recent
Resource Type = Azure Virtual Machine
Figure 13: Asset Explorer
The applied filter displays all of the virtual machines running in the Azure subscription or tenant. This page also provides visibility into the alerts and vulnerabilities we are looking for on the AKS worker nodes.
Figure 14: Asset Explorer Details
To locate the worker nodes identified in the earlier steps within this list, we need to filter by the node names we collected using the GUI or CLI method.
Type the node name into the search bar at the far right and click the search button.
Note: You only need to search by a subset of the node name, e.g. aks-nodepool1-25461263-vmss.
Figure 15: Search bar
The Asset Explorer now displays the worker nodes in your AKS cluster together with all of their alerts, severities and vulnerabilities.
Figure 16: Asset Explorer
The details in the Asset Explorer page expand on the visibility you get from Compute\Monitor\Vulnerability\Hosts by providing additional information about tags, related items and the worker nodes' audit trail.
You can download this high-level view as a CSV file, to be shared and reviewed, by clicking the download link.
Figure 17: Download csv
Figure 18: CSV file
Clicking on any of the vulnerabilities displays a side panel showing the Type, CVE name and Risk factor.
Figure 19: Vulnerabilities
Placing the cursor over the Risk factor displays the attack complexity, attack vector and severity details.
Figure 20: Risk Factor
Downloading this report creates an external findings CSV file that contains all of the vulnerabilities for the selected host. This report can be handed to a team to remediate, straight from the Asset Explorer dashboard in Prisma Cloud.
Figure 21: CSV output
In summary, this article guides you through the steps to view host vulnerabilities on your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset Explorer pages. It also covers the process for locating the node names of a given AKS cluster using the Azure Portal and the CLI. Once the names were identified, we used filters in the Asset Inventory page to view vulnerability data that is normally displayed in Compute. Using the Asset Explorer is another way to obtain visibility into your environment and review the audit trail.
Prisma Cloud Dashboards -- Asset Inventory
Mark Davis is a Customer Success Engineer on the Prisma Cloud team, specializing in solving enterprise customer questions by empowering the customers with knowledge and guidance in protecting cloud resources and workloads.