
[Feedback] Safeguard may trigger Defender alert

Open JoeyC-Dev opened this issue 3 months ago • 0 comments

Describe your scenario

I have a Karpenter-based AKS enabled with --safeguards-level Warning. AKS was created on 2024-03-26. The alert was triggered on 2024-04-01.

There is no other application (other than approuting and network observability) deployed. I simply put it there and am doing nothing.

Alert name: Suspicious invocation of a high-risk 'Persistence' operation detected (Preview)
User Agent: aks-guardrails/v20240317 azsdk-go-armpolicy.AssignmentsClient/v0.8.0 (go1.21.8 X:nocoverageredesign; linux)
MITRE ATT&CK tactics: Persistence
Related resource:

  • /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rG/providers/microsoft.containerservice/managedclusters/aks/providers/microsoft.authorization/policyassignments/aks-deployment-safeguards-policy-assignment
  • /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rG/providers/microsoft.containerservice/managedclusters/aks

Since I did not put my own Pod on AKS, I believe the default behavior caused this.

The command I used to create AKS:

az aks create --name ${AKS_NAME} --resource-group ${AKS_RG} \
--network-plugin azure --network-plugin-mode overlay --network-dataplane cilium \
--pod-cidr x.x.x.x/x \
--vnet-subnet-id ${AKS_VNET} \
--service-cidr x.x.x.x/x \
--dns-service-ip x.x.x.x \
--max-pods 250 \
--nodepool-name agentpool \
--node-vm-size Standard_B2ms \
--zones 1 2 3 \
--nodepool-taints CriticalAddonsOnly=true:NoSchedule \
--node-count 2 \
--node-provisioning-mode Auto \
--node-os-upgrade-channel NodeImage \
--auto-upgrade-channel patch \
--ssh-access disabled \
--nrg-lockdown-restriction-level ReadOnly \
--enable-app-routing \
--enable-managed-identity \
--assign-identity ${AKS_MANAGED_IDENTITY} \
--assign-kubelet-identity ${AKS_MANAGED_IDENTITY} \
--enable-apiserver-vnet-integration --apiserver-subnet-id ${AKS_API_SUBNET} \
--enable-addons azure-policy \
--tier standard \
--enable-network-observability \
--enable-vtpm \
--enable-secure-boot \
--safeguards-level Warning

Note: although I did not use --enable-defender in the command, Defender can be installed automatically by Azure Policy.

Feedback

I believe the default behavior should not trigger such an alert from Defender for Cloud. If the behavior is intended and secure, can you make it (like policyassignments/aks-deployment-safeguards-policy-assignment) whitelisted by default, so users won't be worried about this?

JoeyC-Dev, May 02 '24 02:05
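A triage helper for alerts of the kind quoted in this issue, added here as an example and not part of the report or of any Microsoft tooling. It assumes the alert is available as a dict with the three fields the report shows (alert name, user agent, related resources) and encodes only the pattern described above: the aks-guardrails client writing the aks-deployment-safeguards-policy-assignment scoped to the very cluster named in the alert. Anything that deviates from that pattern is left for a human to review.

```python
import re

# Constructed sample alert assembled from the fields quoted in the issue; not real telemetry.
SAMPLE_ALERT = {
    "alertName": "Suspicious invocation of a high-risk 'Persistence' operation detected (Preview)",
    "userAgent": "aks-guardrails/v20240317 azsdk-go-armpolicy.AssignmentsClient/v0.8.0 "
                 "(go1.21.8 X:nocoverageredesign; linux)",
    "resources": [
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rG/providers/"
        "microsoft.containerservice/managedclusters/aks/providers/microsoft.authorization/"
        "policyassignments/aks-deployment-safeguards-policy-assignment",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rG/providers/"
        "microsoft.containerservice/managedclusters/aks",
    ],
}

# User agent as quoted in the report: "aks-guardrails/v<8-digit date>" followed by SDK details.
SAFEGUARDS_UA = re.compile(r"^aks-guardrails/v\d{8}\b")
# Policy assignment ID: <scope>/providers/microsoft.authorization/policyassignments/<name>.
ASSIGNMENT_RE = re.compile(
    r"^(?P<scope>.+?)/providers/microsoft\.authorization/policyassignments/(?P<name>[^/]+)$",
    re.IGNORECASE,
)
# Scope must itself be an AKS managed cluster resource.
CLUSTER_RE = re.compile(r"/providers/microsoft\.containerservice/managedclusters/[^/]+$", re.IGNORECASE)
EXPECTED_ASSIGNMENT = "aks-deployment-safeguards-policy-assignment"


def triage(alert):
    """Return (verdict, reason): 'expected' only when every field matches the safeguards pattern.

    The user agent is client-supplied and can be spoofed, so this is a triage hint for an analyst,
    not a suppression rule; the resource checks are what tie the write to the cluster's own scope."""
    if not SAFEGUARDS_UA.match(alert.get("userAgent", "")):
        return ("review", "user agent is not the aks-guardrails client")
    resources = {r.lower() for r in alert.get("resources", [])}  # ARM IDs are case-insensitive
    assignments = [m for r in resources if (m := ASSIGNMENT_RE.match(r))]
    if len(assignments) != 1:
        return ("review", f"expected exactly one policy assignment, found {len(assignments)}")
    match = assignments[0]
    if match.group("name") != EXPECTED_ASSIGNMENT:
        return ("review", f"unexpected assignment name {match.group('name')}")
    scope = match.group("scope")
    if not CLUSTER_RE.search(scope) or scope not in resources:
        return ("review", "assignment scope is not the managed cluster named in the alert")
    return ("expected", "safeguards assignment written by aks-guardrails on its own cluster")


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```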