daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cloud/azure/aks/azure-aks-cni-not-configure...

56 lines
2.0 KiB
YAML
Raw Permalink Blame History

id: azure-aks-cni-not-configured
info:
name: Azure AKS Not Using CNI Mode
author: princechaddha
severity: medium
description: |
Ensure that Azure Kubernetes Service (AKS) clusters are configured to use the Azure Container Networking Interface (CNI) mode instead of the default Kubenet networking mode to enhance the segregation of resources and controls in an enterprise environment.
impact: |
Using the default Kubenet networking mode instead of Azure CNI can lead to less efficient resource control and segregation, which might pose a risk to enterprise environments.
remediation: |
Configure AKS clusters to use Azure CNI by setting the networkProfile.networkPlugin to 'azure' during AKS cluster setup or update the existing AKS clusters to use Azure CNI.
reference:
- https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni
tags: cloud,devops,azure,microsoft,aks,azure-cloud-config
flow: |
code(1);
for (let clusterData of iterate(template.clusterList)) {
clusterData = JSON.parse(clusterData);
set("name", clusterData.name);
set("resourceGroup", clusterData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az aks list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'
extractors:
- type: json
name: clusterList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az aks show --name "$name" --resource-group "$resourceGroup" --query 'networkProfile.networkPlugin'
matchers-condition: and
matchers:
- type: word
words:
- "kubenet"
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " is using Kubenet instead of Azure CNI"'
# digest: 490a0046304402200c1f0786613afcab7ef8439c2b38e9d928640eb7ba8e7e6c055a61e5aab76d0502202acc8b6ef94311059a05920c9998d965097b301353b57cf62b821c5d4b15fb0b:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink