Kubernetes Integration for Microsoft AKS

Note: This integration is currently in open beta.

Overview

The Mend.io Kubernetes (K8s) integration can connect with your Microsoft AKS service using your provided access and secret keys.

Prerequisites before you Configure Mend’s Kubernetes Integration for Microsoft AKS

• Your Mend user must be an organization administrator.

• Private-only AKS clusters are not supported.

Example AKS Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly-clusterrole
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly-clusterrole
subjects:
- kind: Group
  name: readonly-group
  apiGroup: rbac.authorization.k8s.io

Set up the Mend Kubernetes Integration for Microsoft AKS in the Mend AI Native AppSec Platform UI

As an administrator, navigate to the Integrations page and click the Microsoft AKS integration card:

This will spawn the integration setup wizard.

Step 1 - General Details

1. Fill in the desired Display Name (mandatory).

2. Add a Description (optional).

3. Select the Environment (Production/Dev/QA/Staging). (Mandatory; multi-selection is supported).

Step 2 - Authentication

Fill in the following authentication details for your Microsoft AKS:

• Tenant (Directory) ID (mandatory)

• Subscription ID (mandatory)

• Client (Application) ID (mandatory)

• Client Secret (mandatory)

• Resource Group (optional)

Once all mandatory fields are filled, the Test Connection button will become clickable. Use it to verify connectivity and proceed to the next step.

Step 3 - Clusters

The summary of detected clusters will be displayed. Click Next to proceed to the next step.

Step 4 - Configuration

Fill in the Configuration information to define your scan schedule:

• Enable Schedule - Toggle off to disable scheduling.

• Scan Time

• Frequency

• Scan on Connect - While toggled on, it means a scan will be triggered automatically once the integration setup is completed.

• Scan System Namespaces: Toggle on to include otherwise skipped Kubernetes namespaces (i.e., kube-system, kube-public and kube-node-lease), which represent Kubernetes system components rather than customer workloads. Disabled by default.

Scheduling Kubernetes image scans is crucial for maintaining the security and integrity of your container images. By default, a scan interval of 7 days will be applied. You can change the scan interval in 1-day increments or select specific days of the week when you wish for scans to be executed.

Note: After the first scan (in which the latest 10 tags are scanned), in every scheduled scan only newly pushed images from the registry or changed images will be scanned. This is because vulnerability and package updates occur automatically in an asynchronous manner, keeping the security information up-to-date without requiring new scans.

Click the Next () button at the bottom right to move on to the next step.

Step 5 - Summary

In this step, the summary of your input from the previous steps will be displayed. You can go back to the previous screens of the wizard to make changes, by clicking the ‘Back’ button at the bottom right corner of the screen. If you wish to confirm your configuration and add your registry, click the ‘Done’ button:

Update the Configuration for an Existing Integration

After the integration is set up, you can edit its configuration by following these steps:

• Navigate to your Profile → Integrations → My integrations

  

• Locate the desired integration and select Edit from the Actions menu on the right.

  

• This will take you through the setup wizard, starting from the authentication step.