A common customer question is how to view host vulnerabilities in the Asset Inventory for each Cloud Service Provider. In this article, we will focus on Azure, following up with articles for GCP and AWS.  


Kubernetes is a popular container orchestration tool. Most Cloud Service Providers have a managed offering: Azure has AKS, Google offers GKE, AWS has EKS and Red Hat offers OpenShift. The container workloads for all of these managed offerings run on host machines, and those machines can contain vulnerabilities.

The Prisma Cloud Command Center dashboard is the first high-level dashboard that provides visibility into vulnerabilities; its purpose is to identify the top issues by severity for hosts and images. To filter by host name or severity, or to control how many resources are displayed, it is recommended to explore the Asset Inventory instead.


Figure 1: Command Center Main Dashboard



Figure 2: Command Center Top Vulnerable Hosts Dashboard


The updated Asset Inventory now lets you view host vulnerabilities that previously had to be viewed from the Compute module. Later in the article, we will cover how to view vulnerabilities in your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset Explorer pages.


The host vulnerabilities in question exist on the Kubernetes service worker nodes. To view the worker nodes with vulnerabilities, we first need to identify the names they are assigned in Azure. The Azure Kubernetes Service creates a resource group during cluster creation whose name begins with "MC_" and normally includes the name of the resource group used and the cluster name. The worker nodes, NSGs, disks, route tables and all of the other resources required to run the cluster are placed in this MC_ resource group.


The below steps show how to locate the worker node names using the Azure GUI and CLI.

Note: If you already have the worker node names, you can skip to step 4.

If you have access to the AKS cluster and its .kube/config, the CLI is the fastest way to capture the worker node names.


How to Find the Resource Names of Azure Kubernetes Nodes: GUI Method

The detected vulnerabilities will not show up under the Azure Kubernetes Service in the Prisma Cloud Asset Inventory dashboard, nor after selecting the service to view multiple clusters. The below screenshot shows the Azure Kubernetes Service in the Asset Inventory view. Notice that nothing is reported in the Vulnerabilities column. This is because the vulnerabilities are reported against the actual worker nodes, not the AKS service.



Figure 4: We need to first locate the k8s node pool names that were assigned in Azure


Step 1. 


Log into the Azure portal. From the search bar at the top, type KUBERNETES SERVICES and select the purple Kubernetes services icon on the left:



Figure 4: Kubernetes services


Step 2.


Select the name of your k8s cluster from the list displayed; there may be several, so click the one of interest to you:



Figure 5: myAKSClusters


Step 3.


The next page displays the overview, resources, settings and monitoring parameters for the selected cluster. Under Settings, click Node pools:



Figure 6: Settings > Node pools


Step 4.


The next page displays the node pool name as well as the node count and state. Click the Nodes tab to the right of Node pools.

This tab lists the full virtual machine scale set name of each node.

We need to capture the node names, as in Example A below.


Example A - aks-nodepool1-25461263-vmss000000


Figure 7: Nodes


The first three hyphen-separated fields of the name (for example, aks-nodepool1-17089374) suffice to locate the resources in Prisma Cloud.


How to Find the Resource Names of Azure Kubernetes Nodes: CLI Method

The below steps show how to locate the k8s node names from the Azure Cloud Shell or CLI.


Step 5.


Log into the Azure Portal and, to the right of the search bar, click the Cloud Shell icon.



Figure 8: Azure Portal


Step 6.


Authenticate to your cluster and type kubectl get nodes.



Figure 9: CLI


Step 7.


Collect the node name from the output.
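As an added example (not code from the original article), the following POSIX shell snippet turns the output of kubectl get nodes into the shortened search prefixes described in the GUI method above, using constructed sample output rather than a real cluster. It assumes the standard AKS node naming pattern aks-<pool>-<hash>-vmss<index>.

```shell
# Constructed sample of `kubectl get nodes` output (not taken from a real cluster).
SAMPLE_NODES='NAME                                STATUS   ROLES   AGE   VERSION
aks-nodepool1-25461263-vmss000000   Ready    agent   10d   v1.27.7
aks-nodepool1-25461263-vmss000001   Ready    agent   10d   v1.27.7
aks-userpool-17089374-vmss000000    Ready    agent   3d    v1.27.7'

# Reduce one AKS node name to its first three hyphen-separated fields
# (aks-<pool>-<hash>), which is enough to find the node in Asset Explorer.
# Assumes the standard AKS pattern aks-<pool>-<hash>-vmss<index>; AKS pool
# names are lowercase alphanumeric, so the pool field never contains a hyphen.
node_search_prefix() {
    printf '%s\n' "$1" | awk -F- 'NF >= 3 { print $1 "-" $2 "-" $3 }'
}

# Take `kubectl get nodes` text (with or without the header line) and print
# one unique search prefix per node pool, ready to paste into the search bar.
node_pool_prefixes() {
    printf '%s\n' "$1" | awk '$1 ~ /^aks-/ { print $1 }' | while read -r name; do
        node_search_prefix "$name"
    done | sort -u
}

# Live use against your own cluster (not run here; placeholders in <>):
#   az aks get-credentials --resource-group <rg> --name <cluster>
#   node_pool_prefixes "$(kubectl get nodes)"
node_pool_prefixes "$SAMPLE_NODES"
```

With the sample above this prints one line per node pool, aks-nodepool1-25461263 and aks-userpool-17089374, each of which is a valid search term for the Asset Explorer search bar.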

Step 8.


Now that you have the node names, log into Prisma Cloud. Once logged in, go to Inventory and select Assets.



Figure 10: Inventory > Assets


From the Inventory Assets page, add a filter as shown below:

Date: Most Recent

Cloud Type: Azure

Service Name: Azure Compute

Asset Type: Azure Virtual Machine



Figure 11: Assets - Inventory Filtered


The filtered results are displayed at the bottom of the page. Click on the total number of assets listed for Azure Compute.



Figure 12: Service Name > Azure Compute > Total


This takes you to the Asset Explorer page with the below filters applied.


Service Name = Azure Compute

Cloud Type = Azure

Date = Most Recent

Resource Type = Azure Virtual Machine


Figure 13: Asset Explorer


The applied filter displays all of the virtual machines running in the Azure subscription or tenant. This page also provides visibility into the alerts and vulnerabilities we are looking for on the AKS worker nodes.


Figure 14: Asset Explorer Details


To locate the worker nodes we identified in the earlier steps within this list, we need to filter by the node names collected using the GUI or CLI method.


Type the node name into the search bar at the far right and click the search button.

Note: You only need to search by a subset of the node name, for example aks-nodepool1-25461263-vmss.



Figure 15: Search bar


The Asset Explorer will now display the worker nodes in your AKS cluster as well as all of the alerts, severities and vulnerabilities.




  • If the worker node does not appear when you hit search, shorten the name by a few characters, and also verify that all of the records have been loaded by clicking Load More at the bottom left of the page.
  • Click the Hide and Show Column button to remove columns that you are not interested in viewing.



Figure 16: Asset Explorer


How is this information helpful?


The details in the Asset Explorer page expand on the visibility you get from Compute\Monitor\Vulnerability\Hosts by providing additional information about tags, related items and the worker nodes' audit trail.

What’s Next on the Asset Explorer page?


You can download this high-level view as a CSV file, by clicking the download link, to be shared and reviewed.



Figure 17: Download CSV



Figure 18: CSV file


Clicking on any of the vulnerabilities opens a side panel that displays the Type, CVE name and Risk factor.



Figure 19: Vulnerabilities


Placing the cursor over the Risk factor displays the attack complexity, attack vector and severity details.



Figure 20: Risk Factor


Downloading this report creates an external findings CSV file that contains all of the vulnerabilities for the selected host. This report can be handed to a team for remediation directly from the Asset Explorer dashboard in Prisma Cloud.



Figure 21: CSV output




In summary, this article guides you through the steps to view host vulnerabilities in your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset Explorer pages. It also covers the process of locating the node names for a given AKS cluster using the Azure Portal and the CLI. Once we identified the names, we used filters in the Asset Inventory page to view vulnerability data that is normally displayed in Compute. Using the Asset Explorer is another way to obtain visibility into your environment and review the audit trail.



Mark Davis is a Customer Success Engineer on the Prisma Cloud team, specializing in solving enterprise customer questions by empowering the customers with knowledge and guidance in protecting cloud resources and workloads. 



