July 18, 2025

Azure Kubernetes Cluster update & security

I just found out (when I was starting to evaluate new features in Azure Kubernetes Services) that the Kubernetes cluster creation in the Azure portal has changed. I mean there are new features published in June 2025. These are actually quite nice, because most of the times when I have evaluated customers' Azure security status, AKS has shown a lot of security issues. So let's find out. There are also some Defender for Cloud related options to choose, described later in the post. Those have come to AKS during January-June 2025.

Security options in cluster creation process

I found out that there are new options to enable automatic patching of the cluster to a newer version of Kubernetes and to schedule it if necessary. So if you upgrade your cluster, you can choose whether to upgrade only the control plane or to also upgrade all node pools. This helps and reduces manual work, because infrastructure maintenance windows are usually very short and there is a lot to do. This also eases the customers' security pain, because if these upgrades and patches are automated, at least the cluster and node security levels are at the recommended level.

Cluster automatic update

If you select to enable automatic cluster upgrade, you will need to choose from 4 "enabled" options. Otherwise you choose "disable" and clusters need to be updated manually.

"Any upgrade operation, whether performed manually or automatically, upgrades the node image version if it's not already on the latest version. The latest version is contingent on a full AKS release and can be determined by visiting the AKS release tracker. Auto-upgrade first upgrades the control plane, and then upgrades agent pools one by one." - MS Learn

Link for more information about the choices in MS Learn (reference to the image below). Link to maintenance scheduling in MS Learn.
Image: AKS cluster automatic upgrade selection

Node security channel

It is also possible to enable cluster node OS patching, with three options. Link to node OS automatic update channels and descriptions in MS Learn. Reference to image below.

Image: AKS node OS automatic patching

Defender for Cloud related options

There are four selectable security options in cluster creation: OpenID Connect, Workload Identity, Image cleaner and Azure Key Vault. Reference to image below. There are also container security features like alerts, security recommendations and vulnerabilities available with the Defender for Containers plan. See my post about workload protections.

OpenID Connect

OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as another authentication protocol issued by Microsoft Entra ID. You can use OIDC to enable single sign-on (SSO) between OAuth-enabled applications on your Azure Kubernetes Service (AKS) cluster by using a security token called an ID token. With your AKS cluster, you can enable the OpenID Connect (OIDC) issuer, which allows Microsoft Entra ID, or another cloud provider's identity and access management platform, to discover the API server's public signing keys. More info in MS Learn.

Entra Workload ID

Workloads deployed on an Azure Kubernetes Services (AKS) cluster require Microsoft Entra application credentials or managed identities to access Microsoft Entra protected resources, such as Azure Key Vault and Microsoft Graph. Microsoft Entra Workload ID integrates with the capabilities native to Kubernetes to federate with external identity providers. More info in MS Learn.

Image cleaner

When deploying images to Azure Kubernetes Service (AKS), leftover unreferenced images can accumulate, creating security risks due to potential vulnerabilities. Manual cleanup is inefficient.
Using Image Cleaner automates identification and removal of these stale images, enhancing security and saving time. More info in MS Learn.

Azure Key Vault for CSI secrets

The Azure Key Vault provider for Secrets Store CSI Driver allows for the integration of an Azure Key Vault as a secret store with an Azure Kubernetes Service (AKS) cluster via a CSI volume. More info in MS Learn.

Image: Defender for Cloud options in AKS creation

Jussi Metso. Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.
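The options walked through above (cluster auto-upgrade channel, node OS security channel, OIDC issuer, Workload ID, Image Cleaner and the Key Vault CSI provider) are all visible in the cluster description that `az aks show -o json` returns, so an existing cluster can be checked for them without clicking through the portal. The script below is an added example, not code from the original post or from Microsoft: it audits one cluster description against those settings and prints a remediation hint per finding. The JSON field names (`autoUpgradeProfile.upgradeChannel`, `autoUpgradeProfile.nodeOsUpgradeChannel`, `oidcIssuerProfile.enabled`, `securityProfile.workloadIdentity.enabled`, `securityProfile.imageCleaner.enabled`, `addonProfiles.azureKeyvaultSecretsProvider.enabled`) and the `az aks update` flags in the hints are my reading of the ManagedCluster resource and the Azure CLI and should be verified against your own cluster output and current docs; the sample cluster JSON is constructed, not real output. It goes one step beyond the post by also checking the dependency between Workload ID and the OIDC issuer.

```python
"""Audit an AKS cluster description for the security options discussed in the post.

Added example (not from the original post). Field names follow the
ManagedCluster resource as returned by `az aks show -o json` (assumption:
verify against your own output); the `az aks update` flags are the ones I
know from the Azure CLI (assumption: verify against current docs).
"""
import json
from typing import Any

# Constructed sample, not real output: a cluster left at its defaults, i.e.
# no auto-upgrade, no node OS channel, no OIDC issuer, no Workload ID,
# no Image Cleaner and no Key Vault CSI addon.
SAMPLE_CLUSTER_JSON = """
{
  "name": "aks-demo",
  "kubernetesVersion": "1.30.0",
  "autoUpgradeProfile": {"upgradeChannel": "none", "nodeOsUpgradeChannel": "None"},
  "oidcIssuerProfile": {"enabled": false},
  "securityProfile": {"workloadIdentity": {"enabled": false},
                      "imageCleaner": {"enabled": false}},
  "addonProfiles": {"azureKeyvaultSecretsProvider": {"enabled": false}}
}
"""

# Channel values accepted by the API (lower-cased for comparison).
GOOD_UPGRADE_CHANNELS = {"patch", "stable", "rapid", "node-image"}
GOOD_NODE_OS_CHANNELS = {"securitypatch", "nodeimage"}


def _get(d: Any, *path: str, default: Any = None) -> Any:
    """Walk a nested dict safely; a missing key or non-dict yields `default`."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def audit_cluster(cluster: dict) -> list[dict]:
    """Return one finding per option that is not in the recommended state."""
    findings: list[dict] = []

    def flag(check: str, detail: str, fix: str) -> None:
        findings.append({"check": check, "detail": detail, "fix": fix})

    base = "az aks update -g <resource-group> -n <cluster-name>"  # placeholders

    # 1. Cluster auto-upgrade: "disable" means control plane and node pools
    #    are only ever upgraded by hand.
    channel = str(_get(cluster, "autoUpgradeProfile", "upgradeChannel", default="none")).lower()
    if channel not in GOOD_UPGRADE_CHANNELS:
        flag("auto-upgrade", f"upgradeChannel is {channel!r}",
             f"{base} --auto-upgrade-channel stable")

    # 2. Node OS security channel: None leaves node OS patching entirely manual;
    #    Unmanaged relies on the OS's own unattended updates without AKS control.
    os_channel = str(_get(cluster, "autoUpgradeProfile", "nodeOsUpgradeChannel", default="None")).lower()
    if os_channel not in GOOD_NODE_OS_CHANNELS:
        flag("node-os-upgrade", f"nodeOsUpgradeChannel is {os_channel!r}",
             f"{base} --node-os-upgrade-channel NodeImage")

    # 3. OIDC issuer: needed so Entra ID can discover the API server's signing keys.
    oidc = bool(_get(cluster, "oidcIssuerProfile", "enabled", default=False))
    if not oidc:
        flag("oidc-issuer", "OIDC issuer is disabled", f"{base} --enable-oidc-issuer")

    # 4. Workload ID: federated identity instead of long-lived app credentials.
    wi = bool(_get(cluster, "securityProfile", "workloadIdentity", "enabled", default=False))
    if not wi:
        flag("workload-identity", "Workload ID is disabled", f"{base} --enable-workload-identity")
    elif not oidc:
        # Workload ID token exchange depends on the OIDC issuer being published.
        flag("workload-identity-oidc", "Workload ID is enabled but the OIDC issuer is not",
             f"{base} --enable-oidc-issuer")

    # 5. Image Cleaner: removes stale, unreferenced images from nodes.
    if not _get(cluster, "securityProfile", "imageCleaner", "enabled", default=False):
        flag("image-cleaner", "Image Cleaner is disabled", f"{base} --enable-image-cleaner")

    # 6. Key Vault provider for the Secrets Store CSI driver.
    if not _get(cluster, "addonProfiles", "azureKeyvaultSecretsProvider", "enabled", default=False):
        flag("keyvault-csi", "Azure Key Vault Secrets Provider addon is disabled",
             f"az aks enable-addons -g <resource-group> -n <cluster-name> "
             f"--addons azure-keyvault-secrets-provider")

    return findings


def audit_cluster_json(text: str) -> list[dict]:
    """Parse `az aks show -o json` output and audit it."""
    return audit_cluster(json.loads(text))


def main() -> None:
    for f in audit_cluster_json(SAMPLE_CLUSTER_JSON):
        print(f"[{f['check']}] {f['detail']}\n    fix: {f['fix']}")


if __name__ == "__main__":
    main()
```

To run it against a real cluster, replace the constructed sample with the output of `az aks show -g <resource-group> -n <cluster-name> -o json` (for example via `audit_cluster_json(open("cluster.json").read())`); an empty findings list means all six options are in the state the post recommends.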