Log Collector Addition Triggering Azure Defender for Containers
What happened: On upgrading to the latest image / AKS 1.27.7, the cloud-init run has caused 50+ Medium Severity Alerts from Defender for Containers for kubelet config file access.
Introduced by #3991
What you expected to happen: Log collectors should not trigger Microsoft's own runtime protection detections and should be sanity-checked against them beforehand.
How to reproduce it: During an upgrade to image 202402.07.0, have Microsoft Defender for Containers runtime protection enabled.
Potential Fixes: Potentially rewriting this may escape it from Microsoft's detections; otherwise, some support in routing this to the AKS Security team at Microsoft so they can optimize their alerts would be appreciated. While we can just ignore set conditions for now, surely other customers must be impacted.
Environment:
- AgentBaker version: Unknown
- Kubernetes version (use kubectl version): 1.27.7
- OS (e.g. from /etc/os-release): AKSUbuntu-2204 gen2containerd-202402.07.0 202402.07.0
- Kernel (e.g. uname -a): 5.15.0-1054-azure
- Everything else here: https://github.com/Azure/AgentBaker/blob/master/vhdbuilder/release-notes/AKSUbuntu/gen2/2204containerd/202402.07.0.txt
FYI @phealy @cameronmeissner
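The report asks that a node log collector be sanity-checked against runtime protection before it ships. The following is an added example (not AgentBaker code and not part of this issue) of the kind of pre-collection screen that does this: a proposed list of files is checked against a deny-list of credential-bearing paths, and anything that matches is dropped and recorded, so the collector never opens a kubeconfig or a private key and so never looks like credential harvesting to Defender for Containers. The path patterns in SENSITIVE_PATTERNS are assumed typical kubelet/node locations for illustration, not paths taken from the issue.

```python
"""Pre-collection sanity check for a node log collector (added example).

A support-bundle collector that reads node credential files looks, to a
runtime detection such as Defender for Containers, the same as an attacker
harvesting node identity. Screening the collection list before any file is
opened avoids both the alert noise and the real exposure of secrets in the
bundle.
"""
import fnmatch
import posixpath

# Assumed patterns for kubelet/node credential material on an AKS node.
# These locations are assumptions for the example, not taken from the issue.
SENSITIVE_PATTERNS = (
    "/var/lib/kubelet/kubeconfig",
    "/var/lib/kubelet/pki/*",
    "/etc/kubernetes/certs/*",
    "/etc/kubernetes/*.conf",
    "*.key",
    "*.pem",
    "*kubeconfig*",
)


def is_sensitive(path):
    """Return the first deny-list pattern the path matches, or None.

    The path is normalised first so that '..' tricks in a collection list
    cannot sneak a credential file past a full-path pattern; the basename is
    matched as well so extension-style patterns ('*.key') work anywhere.
    """
    norm = posixpath.normpath(path)
    name = posixpath.basename(norm)
    for pat in SENSITIVE_PATTERNS:
        if fnmatch.fnmatch(norm, pat) or fnmatch.fnmatch(name, pat):
            return pat
    return None


def screen_collection_list(paths):
    """Split a proposed collection list into (allowed, blocked).

    allowed: paths the collector may read.
    blocked: (path, matched_pattern) tuples, kept so the decision is
             auditable in the bundle manifest rather than silently dropped.
    """
    allowed, blocked = [], []
    for p in paths:
        hit = is_sensitive(p)
        if hit:
            blocked.append((p, hit))
        else:
            allowed.append(p)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample collection list for demonstration.
    proposed = [
        "/var/log/syslog",
        "/var/lib/kubelet/config.yaml",      # kubelet config, not a credential
        "/var/lib/kubelet/kubeconfig",       # node credential: block
        "/etc/kubernetes/certs/client.key",  # private key: block
        "/var/log/azure/cluster-provision.log",
    ]
    ok, dropped = screen_collection_list(proposed)
    print("collect:", ok)
    for path, why in dropped:
        print(f"skip {path} (matched {why})")
```

Running the screen at build or CI time over the collector's file list, and failing the build when blocked is non-empty, turns the reporter's "sanity check prior" into an automated gate rather than something found after Defender fires on a fleet upgrade.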
Thanks for pointing this out - we're looking at it now.
That got included accidentally when I did a batch pull of some relevant files - I've removed kubeconfig from the collected files list.
@kaovd Azure Defender should no longer be alerting on this - can you please confirm?
Hi,
Can confirm these no longer seem to be appearing, thanks.
Fixed in https://github.com/Azure/AgentBaker/pull/4357