Ensure Azure AKS cluster monitoring is enabled

Error: Azure AKS cluster monitoring is not enabled

Bridgecrew Policy ID: BC_AZR_KUBERNETES_1
Checkov Check ID: CKV_AZURE_4
Severity: LOW

Azure AKS cluster monitoring is not enabled

Description

Azure Monitor for containers (Container insights) collects and stores the telemetry reported by AKS: memory and processor metrics for controllers, nodes and containers, and the logs written by the individual containers. The data lands in a Log Analytics workspace attached to the cluster, where it can be queried through Azure Monitor.

We recommend collecting memory and processor metrics from containers, nodes and controllers, together with container logs. This gives you real-time and post-mortem visibility into unexpected behaviour in AKS clusters; without it, a compromised or misbehaving workload leaves no record that survives pod deletion or node loss, so there is nothing to reconstruct an incident from. Treat the workspace itself as security-relevant data: restrict who can read it and set a retention period that covers your investigation window.

Fix - Runtime

CLI Command

To enable Azure Monitor for an existing AKS cluster, use the following command. The --workspace-resource-id argument takes the full ARM resource ID of an existing Log Analytics workspace (the /subscriptions/.../workspaces/... path), not the workspace's GUID:

az aks enable-addons \
  -a monitoring \
  -n rg-weu-my-cluster \
  -g rg-weu-my-cluster-group \
  --workspace-resource-id "/subscriptions/<subscription-id>/resourceGroups/<workspace-resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"

Omit the argument to use the default Log Analytics workspace for the cluster's region (the CLI creates it if it does not exist yet):

az aks enable-addons \
  -a monitoring \
  -n rg-weu-my-cluster \
  -g rg-weu-my-cluster-group

This will take a few moments. When complete, you can verify using the show command:

az aks show -n rg-weu-my-cluster -g rg-weu-my-cluster-group

The output is the cluster's full description (add --query addonProfiles.omsagent to print only the relevant part). Monitoring is on when the omsagent addon profile shows "enabled": true and a logAnalyticsWorkspaceResourceID pointing at the workspace that receives the data:

  "addonProfiles": {
    "omsagent": {
      "config": {
        "logAnalyticsWorkspaceResourceID": "/subscriptions/GUID/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-GUID-weu"
      },
      "enabled": true
    }
  },
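The same test that Checkov applies at build time can be run against live clusters from saved az aks list output, which is useful when you have more clusters than you want to inspect by hand. The script below is an added example written for this page, not Bridgecrew's, Checkov's or Microsoft's code. The cluster records in it are constructed in the shape az aks list -o json returns, the subscription GUID is a placeholder, and the script name in the usage comment is assumed. Besides checking that the addon is enabled, it rejects a workspace value that is a bare GUID rather than a full resource ID, since that is the mistake most often made when the command is typed by hand.

```python
"""Audit AKS clusters for Container insights (the AKS 'monitoring' addon).

Added example for this page (not Bridgecrew, Checkov or Microsoft code).
Feed it the JSON from `az aks list -o json` or `az aks show -o json`:

    az aks list -o json | python aks_monitoring_audit.py   # name assumed
"""
import json
import re
import sys

# A Log Analytics workspace ARM resource ID. Segment names are matched
# case-insensitively because `az aks show` lowercases them in its output.
_WORKSPACE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}"
    r"/resourcegroups/[^/]+"
    r"/providers/microsoft\.operationalinsights/workspaces/[^/]+$",
    re.IGNORECASE,
)


def valid_workspace_resource_id(value):
    """True only for a full resource ID; a bare workspace GUID is rejected."""
    return isinstance(value, str) and bool(_WORKSPACE_ID_RE.match(value))


def _get_ci(mapping, key):
    """Case-insensitive lookup: ARM accepts 'omsagent' and 'omsAgent' alike."""
    for k, v in (mapping or {}).items():
        if k.lower() == key.lower():
            return v
    return None


def monitoring_enabled(cluster):
    """Return (ok, reason) for one cluster object from `az aks show`."""
    oms = _get_ci(cluster.get("addonProfiles"), "omsagent")
    if not oms:
        return False, "omsagent addon profile missing"
    if not oms.get("enabled"):
        return False, "omsagent addon present but disabled"
    workspace = _get_ci(oms.get("config"), "logAnalyticsWorkspaceResourceID")
    if not valid_workspace_resource_id(workspace):
        return False, f"workspace is not a full resource ID: {workspace!r}"
    return True, "ok"


def noncompliant_clusters(clusters):
    """Map cluster name -> reason for every cluster that fails the check."""
    findings = {}
    for cluster in clusters:
        ok, reason = monitoring_enabled(cluster)
        if not ok:
            findings[cluster["name"]] = reason
    return findings


# Constructed sample in the shape of `az aks list -o json`; the subscription
# GUID is a placeholder. Only aks-prod should pass.
SAMPLE_AZ_AKS_LIST = json.loads("""
[
  {"name": "aks-prod",
   "addonProfiles": {"omsagent": {"enabled": true, "config": {
     "logAnalyticsWorkspaceResourceID":
       "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-00000000-0000-0000-0000-000000000000-weu"}}}},
  {"name": "aks-dev",
   "addonProfiles": {"omsagent": {"enabled": false, "config": null}}},
  {"name": "aks-legacy", "addonProfiles": {}},
  {"name": "aks-guid-only",
   "addonProfiles": {"omsAgent": {"enabled": true, "config": {
     "logAnalyticsWorkspaceResourceID": "00000000-0000-0000-0000-000000000000"}}}}
]
""")


if __name__ == "__main__":
    # Read real CLI output from a pipe; fall back to the sample when run bare.
    data = SAMPLE_AZ_AKS_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    if isinstance(data, dict):          # `az aks show` returns a single cluster
        data = [data]
    findings = noncompliant_clusters(data)
    for name, reason in findings.items():
        print(f"FAIL {name}: {reason}")
    sys.exit(1 if findings else 0)
```

The exit status makes the script usable as a gate in a scheduled pipeline job; an empty findings map means every cluster in the subscription ships its metrics and container logs to a properly referenced workspace.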

Fix - Buildtime

Terraform

  • Resource: azurerm_kubernetes_cluster
  • Argument: log_analytics_workspace_id
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  # azurerm provider 2.x syntax. In provider 3.x the addon_profile wrapper
  # and the enabled flag are gone: declare a top-level oms_agent block that
  # carries only log_analytics_workspace_id.
  addon_profile {
    oms_agent {
      enabled = true
      # Full ARM resource ID of the Log Analytics workspace (for example
      # azurerm_log_analytics_workspace.example.id), not the workspace GUID.
      log_analytics_workspace_id = "workspaceResourceId"
    }
  }

  tags = {
    Environment = "Production"
  }
}

# Both outputs expose cluster credentials. Terraform 0.15 and later refuses
# to plan an output derived from a sensitive attribute unless it is marked
# sensitive, which also keeps the values out of plan and apply logs.
output "client_certificate" {
  value     = azurerm_kubernetes_cluster.example.kube_config.0.client_certificate
  sensitive = true
}

output "kube_config" {
  value     = azurerm_kubernetes_cluster.example.kube_config_raw
  sensitive = true
}

ARM Template

  • Resource: Microsoft.ContainerService/managedClusters
  • Argument: logAnalyticsWorkspaceResourceID
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "aksResourceId": {
      "type": "string",
      "metadata": {
        "description": "AKS Cluster Resource ID"
      }
    },
    "aksResourceLocation": {
      "type": "string",
      "metadata": {
        "description": "Location of the AKS resource e.g. \"East US\""
      }
    },
    "aksResourceTagValues": {
      "type": "object",
      "metadata": {
        "description": "Existing all tags on AKS Cluster Resource"
      }
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "Azure Monitor Log Analytics Resource ID"
      }
    }
  },
  "resources": [
    {
      "name": "[split(parameters('aksResourceId'),'/')[8]]",
      "type": "Microsoft.ContainerService/managedClusters",
      "location": "[parameters('aksResourceLocation')]",
      "tags": "[parameters('aksResourceTagValues')]",
      "apiVersion": "2018-03-31",
      "properties": {
        "mode": "Incremental",
        "id": "[parameters('aksResourceId')]",
        "addonProfiles": {
          "omsagent": {
            "enabled": true,
            "config": {
              "logAnalyticsWorkspaceResourceID": "[parameters('workspaceResourceId')]"
            }
          }
        }
      }
    }
  ]
}
