A SIEM use case or forensic security alert for Azure Kubernetes Service (AKS) should be set up for az aks get-credentials,
because the command hands out sensitive AKS data: the cluster credentials (certificate, private key and token) that end up in the kubeconfig.
Example from Azure Cloud Shell (Bash); the kubeconfig YAML is shown with its original indentation:
azureksmoq [ ~ ]$ az aks get-credentials --resource-group rgaks04app23 --name AKS04
Merged "AKS04" as current context in /home/azureksmoq/.kube/config
azureksmoq [ ~ ]$
azureksmoq [ ~ ]$ cat /home/azureksmoq/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZ[...]RVJUSUZJQ0FURS0tLS0tCg==
    server: https://mykubernetescluster-dns-[...].hcp.eastus.azmk8s.io:443
  name: AKS04
contexts:
- context:
    cluster: AKS04
    user: clusterUser_rgaks04app23_AKS04
  name: AKS04
current-context: AKS04
kind: Config
preferences: {}
users:
- name: clusterUser_rgaks04app23_AKS04
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ[...]RS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJV[...]0VZLS0tLS0K
    token: bl0c8ko2[...]73m4ltf
azureksmoq [ ~ ]$
This command is helpful for developers and admins, but it is dual use: the same call that a legitimate user makes to set up kubectl also yields long-lived cluster credentials (and, with --admin, cluster administrator credentials). I recommend raising the SIEM risk score for the calling identity on each retrieval, or going further and building a dedicated use case with alerting.
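As an added illustration of such a use case (this is example code, not part of the original post), the following Python scores credential retrievals per caller from Azure Activity Log records. The command behind az aks get-credentials invokes the ARM actions Microsoft.ContainerService/managedClusters/listClusterUserCredential/action (default) and Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action (with --admin). The log lines are constructed samples whose field names (operationName.value, caller, status.value, resourceId, eventTimestamp) follow the Activity Log schema as this example assumes it; the scores, the multi-cluster bonus and the alert threshold are made-up values to tune to your own SIEM scale.

```python
"""Score `az aks get-credentials` activity per caller (added example, not from the post)."""
import json
from collections import defaultdict

# Risk score per ARM action (constructed values). --admin retrieval weighs more.
CREDENTIAL_ACTIONS = {
    "microsoft.containerservice/managedclusters/listclusterusercredential/action": 40,
    "microsoft.containerservice/managedclusters/listclusteradmincredential/action": 80,
}

# Constructed newline-delimited JSON shaped like Azure Activity Log records.
SAMPLE_LOG = """
{"eventTimestamp": "2024-05-02T09:14:03Z", "caller": "dev@example.com", "status": {"value": "Succeeded"}, "operationName": {"value": "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"}, "resourceId": "/subscriptions/sub-0/resourceGroups/rgaks04app23/providers/Microsoft.ContainerService/managedClusters/AKS04"}
{"eventTimestamp": "2024-05-02T09:15:10Z", "caller": "ops@example.com", "status": {"value": "Started"}, "operationName": {"value": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"}, "resourceId": "/subscriptions/sub-0/resourceGroups/rgaks04app23/providers/Microsoft.ContainerService/managedClusters/AKS04"}
{"eventTimestamp": "2024-05-02T09:15:11Z", "caller": "ops@example.com", "status": {"value": "Succeeded"}, "operationName": {"value": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"}, "resourceId": "/subscriptions/sub-0/resourceGroups/rgaks04app23/providers/Microsoft.ContainerService/managedClusters/AKS04"}
{"eventTimestamp": "2024-05-02T09:20:44Z", "caller": "ops@example.com", "status": {"value": "Succeeded"}, "operationName": {"value": "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"}, "resourceId": "/subscriptions/sub-0/resourceGroups/rgaks04app23/providers/Microsoft.ContainerService/managedClusters/AKS05"}
{"eventTimestamp": "2024-05-02T09:21:00Z", "caller": "dev@example.com", "status": {"value": "Succeeded"}, "operationName": {"value": "Microsoft.ContainerService/managedClusters/read"}, "resourceId": "/subscriptions/sub-0/resourceGroups/rgaks04app23/providers/Microsoft.ContainerService/managedClusters/AKS04"}
"""


def parse_records(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cluster_name(resource_id):
    """The last segment of the ARM resource ID is the managed cluster name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def score_record(rec):
    """Return (score, caller, cluster, is_admin) for a *successful* credential
    retrieval, or None for unrelated operations and Started/Failed events
    (only a Succeeded event actually hands out a kubeconfig)."""
    op = rec.get("operationName", {}).get("value", "").lower()
    score = CREDENTIAL_ACTIONS.get(op)
    if score is None or rec.get("status", {}).get("value") != "Succeeded":
        return None
    return (score, rec.get("caller", "?"), cluster_name(rec.get("resourceId", "")), "admin" in op)


def summarize(records, multi_cluster_bonus=50):
    """Aggregate risk per caller. One identity pulling credentials for several
    clusters looks like harvesting, so it gets an extra bonus (constructed value)."""
    per_caller = defaultdict(lambda: {"score": 0, "clusters": set(), "admin": False})
    for rec in records:
        hit = score_record(rec)
        if hit is None:
            continue
        score, caller, cluster, is_admin = hit
        entry = per_caller[caller]
        entry["score"] += score
        entry["clusters"].add(cluster)
        entry["admin"] = entry["admin"] or is_admin
    for entry in per_caller.values():
        if len(entry["clusters"]) > 1:
            entry["score"] += multi_cluster_bonus
    return dict(per_caller)


def alerts(summary, threshold=100):
    """Callers whose aggregated score crosses the (constructed) alert threshold."""
    return sorted(c for c, e in summary.items() if e["score"] >= threshold)


if __name__ == "__main__":
    result = summarize(parse_records(SAMPLE_LOG))
    for caller, entry in result.items():
        print(f"{caller}: score={entry['score']} admin={entry['admin']} clusters={sorted(entry['clusters'])}")
    print("alert:", alerts(result))
```

In the constructed sample, ops@example.com retrieves admin credentials for AKS04 and user credentials for AKS05 and crosses the threshold, while dev@example.com's single user-credential pull only raises its score; the unrelated read operation and the Started event are ignored. For a real deployment, feed the same logic with Activity Log exports (or the equivalent KQL over AzureActivity in Log Analytics) and keep the scores on the calling identity so that a later suspicious kubectl session can be correlated with the retrieval.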
Azure Documentation
Microsoft's documentation for az aks get-credentials
can be found here: https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials. For the exec-based login used with --format exec, see the kubelogin quick start: https://azure.github.io/kubelogin/quick-start.html. For limiting who can retrieve a kubeconfig at all, see https://learn.microsoft.com/en-us/azure/aks/control-kubeconfig-access
Get access credentials for a managed Kubernetes cluster.
By default, the credentials are merged into the .kube/config file so kubectl can use them. See -f parameter for details.
az aks get-credentials --name
--resource-group
[--admin]
[--context]
[--file]
[--format]
[--overwrite-existing]
[--public-fqdn]
Examples
Get access credentials for a managed Kubernetes cluster. (autogenerated)
az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
--name -n
Name of the managed cluster.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
--admin -a
Get cluster administrator credentials. Default: cluster user credentials.
--context
If specified, overwrite the default context name. The --admin parameter takes precedence over --context.
--file -f
Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.
default value: ~\.kube\config
--format
Specify the format of the returned credential. Available values are ["exec", "azure"]. Only take effect when requesting clusterUser credential of AAD clusters.
--overwrite-existing
Overwrite any existing cluster entry with the same name.
--public-fqdn
Get private cluster credential with server address to be public fqdn.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
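The --format parameter above matters for the sensitivity of what lands on disk: the default clusterUser form (as in the session earlier on this page) embeds client-certificate-data, client-key-data and a token under users:, whereas --format exec on an AAD-enabled cluster writes an exec: block that calls kubelogin at use time and leaves no long-lived secret in the file. The following Python audit is an added example, not code from the post or from Microsoft: it classifies each user entry of a kubeconfig and produces a redacted copy that can be attached to a ticket or alert. The two kubeconfigs are constructed dicts with placeholder values (a real file would be loaded with yaml.safe_load from PyYAML); the field list SECRET_FIELDS and the kubelogin arguments are this example's assumptions.

```python
"""Audit kubeconfig user entries for embedded long-lived secrets (added example)."""
import copy

# User-entry fields that carry reusable secret material (assumption of this example).
SECRET_FIELDS = ("client-key-data", "token", "password")

# Constructed kubeconfig mirroring the structure `az aks get-credentials` writes
# by default; all values are placeholders, not real credentials.
CERT_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "AKS04", "cluster": {
        "server": "https://example.invalid:443",
        "certificate-authority-data": "<CA-PLACEHOLDER>"}}],
    "contexts": [{"name": "AKS04", "context": {
        "cluster": "AKS04", "user": "clusterUser_rgaks04app23_AKS04"}}],
    "current-context": "AKS04",
    "preferences": {},
    "users": [{"name": "clusterUser_rgaks04app23_AKS04", "user": {
        "client-certificate-data": "<CERT-PLACEHOLDER>",
        "client-key-data": "<KEY-PLACEHOLDER>",
        "token": "<TOKEN-PLACEHOLDER>"}}],
}

# Constructed variant of the same file as `--format exec` on an AAD cluster
# produces it: no inline secret, a kubelogin exec plugin instead.
EXEC_KUBECONFIG = copy.deepcopy(CERT_KUBECONFIG)
EXEC_KUBECONFIG["users"] = [{"name": "clusterUser_rgaks04app23_AKS04", "user": {
    "exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "kubelogin",
        "args": ["get-token", "--login", "azurecli", "--server-id", "<SERVER-ID-PLACEHOLDER>"],
    }}}]


def audit_users(kubeconfig):
    """Return {user name: {"kind": ..., "secret_fields": [...]}} per user entry.
    kind is 'exec-plugin' (token minted at use time), 'inline-secret'
    (long-lived material sits in the file) or 'none'."""
    report = {}
    for entry in kubeconfig.get("users", []):
        user = entry.get("user", {})
        secrets = [f for f in SECRET_FIELDS if f in user]
        if "exec" in user:
            kind = "exec-plugin"
        elif secrets:
            kind = "inline-secret"
        else:
            kind = "none"
        report[entry.get("name", "?")] = {"kind": kind, "secret_fields": secrets}
    return report


def has_inline_secrets(kubeconfig):
    """True when at least one user entry stores reusable secret material inline."""
    return any(r["kind"] == "inline-secret" for r in audit_users(kubeconfig).values())


def redact(kubeconfig):
    """Deep copy with secret-bearing user fields replaced; the input is not modified."""
    out = copy.deepcopy(kubeconfig)
    for entry in out.get("users", []):
        user = entry.get("user", {})
        for field in SECRET_FIELDS:
            if field in user:
                user[field] = "REDACTED"
    return out


if __name__ == "__main__":
    for label, cfg in (("certificate form", CERT_KUBECONFIG), ("exec form", EXEC_KUBECONFIG)):
        print(label, audit_users(cfg), "inline secrets:", has_inline_secrets(cfg))
    print(redact(CERT_KUBECONFIG)["users"])
```

The same audit can run as a check in a DLP or endpoint scan: a kubeconfig reported as inline-secret for an AKS cluster is exactly the artefact the alert on az aks get-credentials is meant to account for, while an exec-plugin entry only points at kubelogin and the Azure CLI login that a later token request will still have to pass.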