Viewing host vulnerabilities in Azure Kubernetes Service Clusters

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
L3 Networker
No ratings

By Mark Davis, Customer Success Engineer



A common customer question is how to view host vulnerabilities in the Asset Inventory for each Cloud Service Provider. In this article, we will focus on Azure, following up with articles for GCP and AWS.  


Kubernetes is a popular container orchestration tool.  Most Cloud Service Providers have a managed offering.  Azure has AKS, Google offers GKE, AWS has EKS and Red Hat offers RedHat openshift.   The container workloads for all of these managed offerings run on host machines and those machines can contain vulnerabilities.

The Prisma Cloud Command Center dashboard is the first high level dashboard that provides visibility into Vulnerabilities, and its purpose is to identify top issues by severity for hosts and images.  In order to filter based on a host name, severity or how many resources it will display, it is recommended to explore the asset inventory.


Figure 1 - Command Center Main Dashboard_palo-alto-networks  



Figure 2 - Command Center Top Vulnerable Hosts Dashboard_palo-alto-networks  


The updated Asset Inventory can now allow you to view host vulnerabilities that previously required you to view from the Compute module.  At a later point in the article, we will cover how to view vulnerabilities in your Azure kubernetes worker nodes directly from the Asset Inventory and Asset explorer page.


The host vulnerabilities in question will exist on the kubernetes service worker nodes.  To view the worker nodes with vulnerabilities, we need to first identify the names they are assigned in Azure.  The Azure kubernetes service creates a resource group during cluster creation that begins with “MC_” . Normally it will contain the syntax of the resource group used and the cluster name.  The worker nodes, NSG’s, Disks, Route Tables and all of the other resources required to run the cluster are placed in this MC_ resource group.  


The below steps will show you how to locate the worker nodes names using the Azure GUI and CLI.

Note: If you already have the worker node names you can skip to step 4.

If you have access to the aks cluster and the .kube/config, the CLI is the fastest way to capture the worker node names.


How to Find the Resource Names in Azure Kubernetes Nodes GUI Method

The detected vulnerabilities will not show up under the Azure Kubernetes service in the Prisma Cloud Asset Inventory dashboard, or after selecting the service to view multiple clusters.  The below screenshot shows the Azure kubernetes service in the Asset Inventory view. We notice how under the vulnerabilities column nothing is reported under vulnerabilities.  This is because the vulnerabilities will report under the actual worker nodes, not the AKS service.



Figure 3 We need to first locate the k8s node pool names that were assigned in Azure._palo-alto-networks 


Step 1. 


Log into the Azure portal - from the search bar at the top, type KUBERNETES SERVICES. Select the purple kubernetes services icon on the left: 



Figure 4_palo-alto-networks 


Step 2.


Select the name of your k8s cluster from the list displayed, there may be several,  select by clicking the one of interest to you:



Figure 5_palo-alto-networks 


Step 3.


The next page displays the overview, resources, settings and monitoring parameters for the selected cluster.  Under settings, click Node Pools:



Figure 6: Settings > Node pools _palo-alto-networks 


Step 4.


The next page will display the Node pool name as well as node count and state.  Click on the tab to the right of node pools named Nodes.

This tab will list out the full name of the virtual machine scale set node name.

We need to capture the node names like the example A listed below.


Example A - aks-nodepool1-25461263-vmss000000


Figure 7  - Nodes _palo-alto-networks 


The first 3 names and numbers between the hyphens suffice to locate the resources in Prisma Cloud. (aks-nodepool1-17089374)


How to Find the Resource Names in Azure Kubernetes Nodes CLI method

The below steps are how to locate the k8s node names from the Azure Cloud Shell or CLI. 


Step 5.


Log into the Azure Portal, to the right of the search bar click on the cloud shell icon.



Figure 8 - Azure Portal_palo-alto-networks 


Step 6.


Authenticate to your cluster and type kubectl get nodes



Figure 9: CLI _palo-alto-networks 


Step 7.


Collect the node name from the output.

Step 8.


Now that you have the node names, we need to log into Prisma Cloud. Once you have logged in, please go to Inventory and select the Assets.



Figure 10: Inventory > Assets_palo-alto-networks   


From the Inventory Assets Page, add a filter as shown below

Date: Most Recent

Cloud Type: Azure

Service Name: Azure Compute

Asset Type: Azure Virtual Machine



Figure 11 - Assets - Inventory Filtered_palo-alto-networks  


The filtered results will be displayed at the bottom of the page.  Click on the total number of assets listed for Azure Compute.



Figure 12: Service Name > Azure Compute > Total_palo-alto-networks  


This will take you to the Asset Explorer page and the below filters will be applied.


Service Name = Azure Compute

Cloud Type = Azure

Date = Most Recent

Resource Type = Azure Virtual Machine


Figure 13: Asset Explorer_palo-alto-networks   


The applied filter will display the results of all of the virtual machines running in the Azure subscription or tenant.  This page also provides visibility into the alerts and vulnerabilities we are looking for on the AKS worker nodes.


Figure 14: Asset Explorer Details_palo-alto-networks   


To locate the worker nodes we identified in the earlier steps from this list, we need to filter by the node names we collected from using the GUI or CLI method.


Type in the node name in the search bar to the far right, and click the search button. 

Note: You only need to search by a subset of the nodes name. IE (aks-nodepool1-25461263-vmss)



Figure 15: Search bar_palo-alto-networks  


The Asset Explorer will now display the worker nodes in your AKS cluster as well as all of the alerts, severities and vulnerabilities.




  • If the worker node does not display when you hit search, shorten the name by a few characters and also verify all of the records have been loaded by clicking Load More at the bottom left portion of the page.
  • Click the Hide and Show column button to remove columns that you are not interested in viewing.



Figure 16: Asset Explorer_palo-alto-networks  


How is this information helpful?


The details in the Asset Explorer page expand on the visibility you get from Compute\Monitor\Vulnerability\Hosts by providing additional information about tags, related items and the worker nodes audit trail.

What’s Next on the Asset Explorer page?


You can download this high level view by clicking the download link for a csv file to be shared and reviewed.



Figure 17: Download csv_palo-alto-networks  



Figure 18: CSV file_palo-alto-networks  


Clicking on any of the vulnerabilities will display a sidecar page found will display the Type, CVE name and Risk factor.



Figure 19 - Vulnerabilities _palo-alto-networks  


Placing the cursor over the Risk factor will display the attack complexity, attack vector and severity details.



Figure 20 - Risk Factor_palo-alto-networks  


Downloading this report will create an external findings csv file that contains all of the vulnerabilities for the selected host. This report can be given to a team to remediate from the Asset Explorer dashboard in Prisma Cloud. 



Figure 21: CSV output_palo-alto-networks  




In summary, this article guides you through the steps to  view host vulnerabilities in your Azure Kubernetes worker nodes directly from the Asset Inventory and Asset explorer page. Also included the process to locate the node names for a given AKS cluster using the Azure Portal and the CLI.  Once we identified the names, we used filters in the Asset Inventory page to view vulnerability data that normally is displayed in Compute.  Using the Asset Explorer is another way to obtain visibility into your environment and review the audit trail. 



Prisma Cloud Admin 

Prisma Cloud Dashboards -- Asset Inventory 


About the Author


Mark Davis is a Customer Success Engineer on the Prisma Cloud team, specializing in solving enterprise customer questions by empowering the customers with knowledge and guidance in protecting cloud resources and workloads. 



Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎03-04-2024 09:39 AM
Updated by: