Security in Azure Managed Kubernetes Service (AKS)

5/8/2018

I am trying to get more documentation and understanding about security in Azure Managed Kubernetes Service (AKS).

  1. Does Azure encrypt the containers deployed to the AKS cluster at "rest"? If so, how is data encryption achieved at rest, and in motion?
  2. What are the ways to achieve SSL/TLS in AKS? Any documentation is appreciated.

Thanks in advance

-- aazeem
azure-aks
azure-container-service
azure-kubernetes

2 Answers

5/10/2018

I would welcome a more authoritative answer, but as far as I have determined, managed disks are always encrypted (https://azure.microsoft.com/en-us/blog/azure-managed-disks-sse/), but the worker nodes are not encrypted by default. It would be necessary to run az vm encryption enable on every node (quite a chore if you are scaling up and down!). If you do that you should be covered, though.

As for SSL/TLS, Kubernetes supports TLS for Ingress, see https://kubernetes.io/docs/concepts/services-networking/ingress, but I haven't tested it in AKS. We are using our own Nginx server as gateway, and with that approach you can use any TLS tutorial out there. We feel that we have more control that way.

-- ewramner
Source: StackOverflow

6/14/2018

I can definitely tell you TLS termination is supported in AKS. I've been able to implement this.

HTTPS Ingress on Azure Kubernetes Service (AKS)

This documentation is slightly out of date though. You should use cert-manager instead of KUBE-LEGO.

-- kduenke
Source: StackOverflow
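
Added example (not part of either answer above): a minimal sketch of TLS termination at a Kubernetes Ingress with the certificate issued by cert-manager, as the second answer recommends. It assumes an NGINX ingress controller and a current cert-manager (v1 API) are already installed in the cluster; the hostname, e-mail address, issuer name, secret names and backend service are constructed placeholders.

```yaml
# Added example; every name, host and e-mail below is a constructed placeholder.
# ClusterIssuer: tells cert-manager how to obtain certificates (ACME, HTTP-01).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod                  # assumed issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # Secret holding the ACME account key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx       # challenge is answered through this controller
---
# Ingress: terminates TLS for app.example.com and forwards plain HTTP to the Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: default
  annotations:
    # cert-manager watches this annotation and creates the Certificate for the tls block
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # redirect port 80 to 443 so clients do not stay on cleartext HTTP
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: app-example-com-tls     # cert-manager writes key and certificate here
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web                 # assumed backend Service
                port:
                  number: 80
```

TLS ends at the ingress controller in this layout, so traffic from the controller to the pods is plain HTTP inside the cluster unless the backend is configured for TLS as well.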