Create a Free Azure Kubernetes Service and Assess Security By Tenable Cloud Security

Use Azure Kubernetes Service to create and manage Kubernetes clusters. Azure will handle cluster operations, including creating, scaling, and upgrading, freeing up developers to focus on their application. To get started, create a cluster with Azure Kubernetes Service.

This post uses a free-tier Azure subscription as the example to walk through creating a test Kubernetes cluster with a node pool.

Azure Kubernetes Labs : https://azure-samples.github.io/aks-labs/

Create Kubernetes Cluster

Basics:

Node Pools: change the node size for the default system pool.

Since the free tier only allows 4 vCPUs, I chose the Standard D4pds v5 size (4 vCPU, 16 GB memory) and limited the node count to 1.

Everything else is left at its default, with no configuration changes. Alternatively, you can use one 2 vCPU / 8 GB node for the system pool and one node of the same size for the user pool.
Click Create after validation has passed.
Deployment takes a couple of minutes (4 minutes 8 seconds in this case).

Change Authentication and Authorization method:

  • Local accounts with Kubernetes RBAC
    • Use built-in Kubernetes role-based access control for authorization checks on the cluster.
  • Microsoft Entra ID authentication with Kubernetes RBAC
    • Use built-in Kubernetes role-based access control for authorization checks on the cluster.
  • Microsoft Entra ID authentication with Azure RBAC
    • Use Azure role assignments for authorization checks on the cluster.
This step is important: it is what allows the Tenable app to scan the cluster using an RBAC role. The agentless steps later in this post assume Microsoft Entra ID authentication with Azure RBAC.

Add Kubernetes Clusters into Tenable Cloud Security

Agent - Requires Enterprise license

You can scan the following Kubernetes workloads for vulnerabilities by leveraging a Helm chart command to connect relevant clusters in your environment:

  • Cloud-managed (EKS/AKS/GKE/OKE)
  • Unmanaged (virtual machines running Kubernetes clusters)

You can enable this feature by using the command to install a sensor in the cluster.

The sensor queries your package-manager and installed libraries to determine what software is installed on the host, as well as the container images running on the node. The sensor then sends this software inventory back to Tenable for further analysis.

Agent-based protection provides deep visibility and real-time security by deploying a lightweight sensor on each workload, making it ideal for continuous monitoring and active threat defense. See Agent-Based Kubernetes Workload Scanning for more information.

How it works:

  • Deploys a lightweight sensor on each workload for deep visibility and real-time monitoring.
  • Can be deployed on both Kubernetes and Red Hat OpenShift container orchestration platforms.
  • Supported for cloud-managed, unmanaged, and on-premises clusters.

Why choose agent-based?

  • Near real-time security. Enables continuous monitoring, threat detection, and active defense. Provides in-depth visibility into workloads.
  • On-premises coverage. Scan on-premises Kubernetes clusters, particularly in environments where agent-less scanning is unsupported or impractical.
  • Compliance requirements. Some organizations cannot send private data outside their environment, making agent-based scanning a preferred option over agentless outpost scanning.
Add Cluster via Helm:
Inventory - Kubernetes Clusters - Add Clusters via Helm

Perform the following steps for clusters that you want to connect to Tenable Cloud Security.

1. Install Helm as a package manager for Kubernetes. Please refer to Helm’s documentation to get started.
2. Configure kubectl to connect to your Kubernetes cluster.
3. Run the following command to add the Tenable Helm chart repository:

  • helm repo add tenable https://charts.tenable.com

After the tenable repository has been added, you can run the commands shown on the next screen:

Both Vulnerability Management and the Admission Controller require an Enterprise license.

Kubernetes: Agentless

Agentless protection scans workloads via cloud provider APIs, allowing for quick security assessments without requiring agents or impacting performance. See Agentless Workload Scanning for more information.

How it works:

  • Scans workloads by integrating with cloud provider APIs—no installation required.
  • Provides rapid security assessments without impacting performance.

Why choose agentless?

  • Faster deployment. No agents to install or maintain.
  • Lower operational overhead. Reduces management complexity.
  • Ideal for compliance checks. Enables quick security posture assessments.

Connect Your K8S 

Click Connect to get the commands for connecting your Kubernetes cluster.

Open your Cloud Shell to run those commands.

Requesting a Cloud Shell.Succeeded.
Connecting terminal...
Your Cloud Shell session will be ephemeral so no files or system changes will persist beyond your current session.
MOTD: Azure Cloud Shell now includes Predictive IntelliSense! Learn more: https://aka.ms/CloudShell/IntelliSense
VERBOSE: Authenticating to Azure ...
VERBOSE: Building your Azure drive ...
PS /home/jyan> az account set --subscription 2275a111-c7bb-4b44-bd77-e3b3333bb0b1
PS /home/jyan> az aks get-credentials --resource-group rg-k8-1 --name k8s-1 --overwrite-existing
Merged "k8s-1" as current context in /home/jyan/.kube/config
PS /home/jyan>


PS /home/jyan> kubectl get deployments --all-namespaces=true
NAMESPACE     NAME                                  READY   UP-TO-DATE   AVAILABLE   AGE
kube-system   azure-wi-webhook-controller-manager   2/2     2            2           8m34s
kube-system   coredns                               2/2     2            2           9m50s
kube-system   coredns-autoscaler                    1/1     1            1           9m50s
kube-system   eraser-controller-manager             1/1     1            1           8m37s
kube-system   konnectivity-agent                    2/2     2            2           9m50s
kube-system   konnectivity-agent-autoscaler         1/1     1            1           9m50s
kube-system   metrics-server                        2/2     2            2           9m50s
PS /home/jyan>

Add K8s Using Helm (Agent Based)

  1. Select the connector. It’s recommended to use a single connector for all clusters.
     (Connector selected here: test)
  2. Select the account that the cluster will be associated with.
     (Account selected here: Azure subscription 1)
  3. Select the features you want installed:
     • Resource Sync: gain visibility into the cluster’s resources to detect misconfigurations and trigger findings.
     • Admission Controller: monitor and enforce policies that intercept Kubernetes requests.
     • Vulnerability Management: scan the cluster nodes and container images for vulnerabilities.
  4. Run the following command to install the Helm chart. You can use a single command for all of your clusters.

PS /home/netsec> helm repo update tenable && helm upgrade --install tenable-cloud-security-kubernetes-cluster tenable/cloud-security-kubernetes-cluster -n tenable-cloud-security-kubernetes-cluster --create-namespace --set apiKeyToken=ZWVhYWVmNWItMWwZkZS00YzLThiNWEtNzE4OWNiNzYwMzFkLmFlYzI1ZmJjLThmNWItNDA1S04NzJlLTliYzAwMWZmNWMz2ZS4dGF0REZKQ2ZBazRld1BDQUltem1tNqFhcktES1Bidw== --set apiUrl=https://us.app.ermetic.com/ --set containerImage.registryUsername=c-59183ef-b01c-4ca1-b9b-556385a01bc6 --set containerImage.registryPassword=sK2u2pKmB9ND6GTAG7UeFezfkkNSDdBjS3lrPh9knP+ACRCS8maF
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "tenable" chart repository
Update Complete. ⎈Happy Helming!⎈
Release "tenable-cloud-security-kubernetes-cluster" does not exist. Installing it now.
Error: failed pre-install: 1 error occurred:
        * job kubernetes-cluster-pre-install-job failed: BackoffLimitExceeded


You might get an error as shown above. The job named in the error (kubernetes-cluster-pre-install-job) is where to start troubleshooting: its pod logs in the release namespace show why it failed. Here is the output when the command works:

Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "tenable" chart repository
Update Complete. ⎈Happy Helming!⎈
Release "tenable-cloud-security-kubernetes-cluster" has been upgraded. Happy Helming!
NAME: tenable-cloud-security-kubernetes-cluster
LAST DEPLOYED: Wed Oct 29 02:34:53 2025
NAMESPACE: tenable-cloud-security-kubernetes-cluster
STATUS: deployed
REVISION: 3
TEST SUITE: None
PS /home/netsec>

It might be because I deployed a sample app into Kubernetes. Not sure why it worked later.

After this step is done, wait a couple of hours until the sync completes; you will then see the Helm version.

Agentless Scan

Tenable currently can run agentless scans on the following cloud workload components:

Component            What Tenable Scans
Workloads            Virtual machines; virtual machine images (AWS only); container images; container registries; Kubernetes clusters
Operating systems    Linux, Windows
Cloud provider       AWS, Azure, GCP, OCI

For each of these components, Tenable detects:

  • General information (for example, OS type/version)
  • What software is installed
  • Is the software/OS kernel vulnerable to attack
  • If so, which vulnerabilities apply
  • Is the OS out-of-date or EOL (and therefore needs to be upgraded)

https://docs.ermetic.com/docs/agentless-workload-scanning

Connect an Azure AKS cluster in Tenable Cloud Security to get full visibility and risk assessment for all cloud identities and resources associated with the cluster, including information about permissions, subscription usage, and security configurations.

Until you complete the integration, objects and configurations associated with the cluster will not be analyzed or available for investigation in Tenable. A sync status is displayed for each Kubernetes cluster in the relevant inventory view, indicating whether Tenable can connect to the Kubernetes API, and helping you troubleshoot potential connection issues.

Step 1: Grant Tenable permissions in one of the following ways, depending on which authentication/authorization method you use to configure your clusters:

  • AAD with Azure RBAC:
    • Assign built-in role bindings to the Tenable Cloud Security App
    • Add a custom Tenable role to your cluster/subscription
  • AAD with Kubernetes RBAC:
    • Create a ClusterRole and ClusterRoleBinding for Tenable

Note: Make sure AAD with Azure RBAC is enabled for your Kubernetes service.

Step 2: If you use Azure RBAC (AAD with Azure RBAC) for your Kubernetes cluster authorization, you will need to do the following to grant Tenable permissions to the cluster:

  • Assign built-in Kubernetes-related role bindings to Tenable.

    These roles are assigned when you Connect an Azure Subscription to Tenable, but, depending on if/when you connected your subscription/s, may not have been assigned yet.

  • Add a custom Tenable role.

    The role bindings mentioned in the preceding bullet are limited in scope, and do not provide IAM visibility within Tenable Cloud Security. To gain full functionality, you will also need to add a custom role, to grant Tenable additional, read-only access permissions to see most objects in your namespace.

Step 3: Assign Built-in Role Bindings to Tenable

  • If you already connected the Azure subscription where the cluster resides to Tenable, and just need to add Kubernetes-related permissions to a cluster, follow the procedure below.
  • If you did not yet connect the Azure subscription where the cluster resides, follow the procedure documented in Connect an Azure Subscription.

To assign role bindings:

  1. In the Azure portal, navigate to the Subscriptions page, and then click on the relevant subscription.

  2. Click Access control (IAM), and then click Add role assignment.

  3. On the Add role assignment page, search for and select one of the following roles, and then click Next:

    You can only add one role at a time, so you will need to perform these steps twice, once for each role.

    • Azure Kubernetes Service Cluster User Role
    • Azure Kubernetes Service RBAC Reader
  4. Under Assign access to, leave the default selection as User, group, or service principal.

  5. Under Members, click +Select members.

  6. Search for and select Tenable Cloud Security Connector App, and then click Select.

  7. Click Next, review the new role, and then click Review + assign.

  8. Repeat steps 1 through 7 to add the other role, depending on which role you already chose in step 3.
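The two role assignments above are easy to get subtly wrong (assigned to the wrong principal, or scoped to one cluster instead of the subscription). The following added example, which is not Tenable's or Microsoft's code, audits a list of role assignments in the shape returned by `az role assignment list -o json` (only the roleDefinitionName, principalName and scope fields are used) and reports which required roles are not held at subscription scope. The subscription ID and the assignment entries are constructed sample data; the resource group and cluster names are the ones used earlier in this post.

```python
"""Audit whether the Tenable connector app holds both built-in AKS roles."""

# The two roles the procedure above assigns, one at a time.
REQUIRED_ROLES = (
    "Azure Kubernetes Service Cluster User Role",
    "Azure Kubernetes Service RBAC Reader",
)


def missing_role_assignments(assignments, principal_name, subscription_id):
    """Return the required roles that `principal_name` does not hold at the
    subscription scope. An assignment scoped to a single cluster does not
    count, because the procedure assigns at the subscription level."""
    wanted_scope = f"/subscriptions/{subscription_id}".lower()
    held = set()
    for assignment in assignments:
        if assignment.get("principalName", "").lower() != principal_name.lower():
            continue
        # Azure compares scopes case-insensitively, so do the same here.
        if assignment.get("scope", "").lower() != wanted_scope:
            continue
        held.add(assignment.get("roleDefinitionName"))
    return [role for role in REQUIRED_ROLES if role not in held]


# Constructed sample: placeholder subscription id and three assignments.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
TENABLE_APP = "Tenable Cloud Security Connector App"
SAMPLE_ASSIGNMENTS = [
    {   # correct: Cluster User Role at subscription scope
        "principalName": TENABLE_APP,
        "roleDefinitionName": "Azure Kubernetes Service Cluster User Role",
        "scope": f"/subscriptions/{SUBSCRIPTION_ID}",
    },
    {   # too narrow: RBAC Reader granted on one cluster only
        "principalName": TENABLE_APP,
        "roleDefinitionName": "Azure Kubernetes Service RBAC Reader",
        "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-k8-1"
                 "/providers/Microsoft.ContainerService/managedClusters/k8s-1",
    },
    {   # unrelated principal holding the role: must not count
        "principalName": "someone@example.com",
        "roleDefinitionName": "Azure Kubernetes Service RBAC Reader",
        "scope": f"/subscriptions/{SUBSCRIPTION_ID}",
    },
]

if __name__ == "__main__":
    for role in missing_role_assignments(SAMPLE_ASSIGNMENTS, TENABLE_APP, SUBSCRIPTION_ID):
        print(f"missing at subscription scope: {role}")
```

With the sample data the check reports that "Azure Kubernetes Service RBAC Reader" is missing, because the only assignment of that role to the Tenable app is on a single cluster rather than on the subscription.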

If you use Azure RBAC for your Kubernetes cluster authorization, and want to gain IAM visibility within Tenable not provided by the role bindings that you added to the Tenable App, add the following custom role JSON to your subscription. Refer to Azure documentation for more information about custom roles.

To add the Tenable role:

  1. In the Azure portal, navigate to the Subscriptions page, and then click on the relevant subscription.
  2. Click Access control (IAM), and then click Add > Add custom role.
  3. Navigate to the JSON tab and click Edit.
  4. Paste the following role to replace the contents of the JSON:

Replace {subscription Id} below with your Azure Subscription ID.

{
  "properties": {
    "roleName": "Ermetic Azure Kubernetes Service Reader",
    "description": "Allows read-only access to see most objects in a namespace.",
    "assignableScopes": [
      "/subscriptions/{subscription Id}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.ContainerService/managedClusters/*/read"
        ],
        "notDataActions": []
      }
    ]
  }
}

  5. Click Save and then click Review + create.
  6. Review the new custom role, and then click Create.
  7. Return to the Access control (IAM) page and then click Add > Add role assignment.
  8. Search for and select Ermetic Azure Kubernetes Service Reader, and then click Next.
  9. Under Assign access to, leave the default selection as User, group, or service principal.
  10. Under Members, click +Select members.
  11. Search for and select Ermetic App, and then click Select.
  12. Click Next, review the new role assignment, and then click Review + assign.
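A custom role is worth reviewing for least privilege before it is assigned. The following added example, which is not Tenable's or Microsoft's code, renders the role JSON above (replacing the {subscription Id} placeholder) and checks that it is scoped to a single subscription, that no placeholder survived, and that every permission is read-only apart from the one control-plane action the post lists. The allow-list of non-read actions and the placeholder subscription ID are assumptions made for the example.

```python
"""Least-privilege review of the custom role definition before assigning it."""
import json

# The role definition as given in the post, with its placeholder intact.
ROLE_TEMPLATE = """
{ "properties": {
    "roleName": "Ermetic Azure Kubernetes Service Reader",
    "description": "Allows read-only access to see most objects in a namespace.",
    "assignableScopes": [ "/subscriptions/{subscription Id}" ],
    "permissions": [ {
        "actions": [ "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action" ],
        "notActions": [],
        "dataActions": [ "Microsoft.ContainerService/managedClusters/*/read" ],
        "notDataActions": []
    } ]
} }
"""

# Assumption for this example: the only non-read control-plane action the
# role is expected to carry is the one listed in the post.
ALLOWED_NON_READ_ACTIONS = frozenset({
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
})


def render_role(template: str, subscription_id: str) -> dict:
    """Substitute the subscription ID into the template and parse it."""
    return json.loads(template.replace("{subscription Id}", subscription_id))


def review_custom_role(role: dict, allowed_non_read=ALLOWED_NON_READ_ACTIONS) -> list:
    """Return a list of issues; an empty list means the role passed review."""
    props = role["properties"]
    issues = []
    for scope in props.get("assignableScopes", []):
        if "{" in scope or "}" in scope:
            issues.append(f"unreplaced placeholder in scope {scope!r}")
        elif not scope.startswith("/subscriptions/"):
            # "/" (tenant root) or a management group would be broader than intended.
            issues.append(f"scope {scope!r} is broader than a subscription")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if not action.endswith("/read") and action not in allowed_non_read:
                issues.append(f"non-read action {action!r}")
        for action in perm.get("dataActions", []):
            # A wildcard such as managedClusters/* would grant writes on cluster data.
            if not action.endswith("/read"):
                issues.append(f"non-read data action {action!r}")
    return issues


if __name__ == "__main__":
    # Constructed placeholder subscription ID.
    rendered = render_role(ROLE_TEMPLATE, "00000000-0000-0000-0000-000000000000")
    print("issues:", review_custom_role(rendered) or "none")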

Step 5: Allow Network Access to Tenable (Optional)

By default, the cluster's API server endpoint is open to the Internet without restriction.

For Tenable to access the cluster, the cluster endpoint needs to be publicly accessible, and the relevant Tenable IP addresses need to be allowed.

To allow network access:

  1. In the Azure Portal, navigate to Kubernetes services.

  2. Click on the relevant Cluster name.

  3. Under Settings, click on Networking.

  4. Under Security, click the checkbox to Set authorized IP ranges.

    Although Tenable can access the cluster when this setting is disabled, it does not follow security best practice to do so. Instead, this setting should be enabled, and the authorized network should be restricted to specific IP addresses, including those associated with Tenable.

  5. In the Specify IP ranges field that appears, add all Tenable IP addresses associated with your Tenable region.

  6. Click Apply.

(Notes) Tenable Cloud Core Service IP addresses for United States

18.118.214.30 us-east-2 United States
18.189.244.216 us-east-2 United States
3.142.27.15 us-east-2 United States
3.143.179.156 us-east-2 United States
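Because the authorized IP range list is an allowlist, every Tenable address has to be present and the list must not contain a catch-all range that defeats the purpose. The following added example, which is not Tenable's or Microsoft's code, takes the cluster's current authorized IP ranges (an empty list means the feature is disabled, as the portal setting above describes) and the four United States addresses listed in the post, reports policy problems, and lists the /32 networks still to be added. The office range 203.0.113.0/24 is a constructed sample, and the helper that builds the az aks update command assumes that --api-server-authorized-ip-ranges replaces the whole list, so existing ranges are repeated.

```python
"""Check an AKS authorized IP range list against the Tenable addresses."""
import ipaddress

# Tenable Cloud Core Service addresses for the United States region, from the post.
TENABLE_US_IPS = ("18.118.214.30", "18.189.244.216", "3.142.27.15", "3.143.179.156")


def authorized_ranges_gap(current_ranges, required_ips=TENABLE_US_IPS):
    """Return (issues, missing). `issues` are policy problems with the current
    list; `missing` are the /32 networks to add so Tenable can reach the API
    server. `current_ranges` is the cluster's list of CIDR strings."""
    issues = []
    networks = [ipaddress.ip_network(r, strict=False) for r in current_ranges]
    if not networks:
        issues.append("authorized IP ranges are disabled: API server is reachable from any address")
    for net in networks:
        if net.prefixlen == 0:
            issues.append(f"{net} allows every address; the allowlist restricts nothing")
    missing = []
    for ip in required_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            missing.append(f"{addr}/32")
    return issues, missing


def az_update_command(resource_group, cluster, current_ranges, missing):
    """Build the CLI command that applies the merged list. Assumption: the
    flag replaces the entire list, so the current ranges are repeated."""
    merged = ",".join(list(current_ranges) + list(missing))
    return (f"az aks update --resource-group {resource_group} --name {cluster} "
            f"--api-server-authorized-ip-ranges {merged}")


if __name__ == "__main__":
    # Constructed sample: an office range is allowed, Tenable is not yet.
    current = ["203.0.113.0/24"]
    issues, missing = authorized_ranges_gap(current)
    for issue in issues:
        print("issue:", issue)
    print("to add:", missing)
    print(az_update_command("rg-k8-1", "k8s-1", current, missing))
```

Running it against a cluster whose list is empty reports the disabled state rather than silently treating the endpoint as reachable, and a list containing 0.0.0.0/0 is flagged even though every Tenable address is technically "allowed" by it.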

Deploy a quickstart application

Make sure you have Azure Kubernetes Service RBAC Cluster Admin access. Add it from Access control (IAM).

Create a basic web application

Deploy the Azure Store sample application to your cluster to get started with Azure Kubernetes Service. You get a chance to review the YAML file to see all of the application details before deploying it, and you can see the component resources once the deployment completes.

Deployed:

Delete / Keep / Cancel
The resources you just created are meant to show you how to deploy an application. You can leave them running to continue to view and experiment with them, or clean them up to free up space on your cluster. If you leave them running, you can clean them up later by deleting the namespace shown below.

Workloads

Namespaces

Access the service:

Check Results

Agentless 

Overview:

Findings:

IAM

You can also check the findings for each VM instance and VM scale set.

Containers - Container Registries

References

  • https://docs.ermetic.com/docs/architecture-and-data-handling#tenable-ip-addresses-to-allow
  • https://azure-samples.github.io/aks-labs/
  • https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-app?tabs=azure-cli
  • https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-portal?tabs=azure-cli

Copyright notice:
Author: 倾城
Link: https://www.techfm.club/p/226066.html
Source: TechFM
The article copyright belongs to the author; please do not reproduce it without permission.
