
Azure Kubernetes Service

The Cado platform will collect key logs and forensic artifacts from Azure Kubernetes Service containers.

Info: Please use Cado Host to acquire distroless Containers.

Import Steps

  1. Go to Import > Cloud

[Image: Cado Import Screen showing the AKS options]

  2. Choose the Azure Credentials configured in Azure > Cross Subscription and Tenancy

  3. Choose the resource group the AKS cluster is attached to.

  4. Go through the steps to choose your Cluster, Pod and Container:

[Image: Cado Import Screen showing the available AKS Clusters]

  5. Confirm the details and click Start Import

Cado will now automatically collect all the key logs and forensic artifacts from the container to enable an investigation. For a typical acquisition, import and processing will take a few minutes to complete.

[Image: Cado showing the confirmation screen of a successful AKS container capture]

Private Cluster Support

As of release v2.31.0, the Cado platform supports capture of AKS Private Clusters. The Cado platform uses the Azure Command Invoke APIs to achieve this.

There are two main caveats to this method:

  1. The process is considerably slower than capturing a Public Cluster.
  2. The Azure API spins up a pod inside the cluster to execute Cado Host, so make sure that there are enough nodes and resources in your cluster to schedule this command pod.

The newly created pod will shut down and remove itself after 1 hour.

Scoping Down The Role for Access to AKS

The Cado platform requires permissions to access and execute code against containers. The following role definition can be used to scope down the permissions required for the Cado platform to access and acquire data from AKS:

Scoped down AKS role

```json
{
  "id": "",
  "properties": {
    "roleName": "ScopedDownAKSTest",
    "description": "",
    "assignableScopes": [
      ""
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.ContainerService/managedClusters/runCommand/action",
          "Microsoft.ContainerService/managedClusters/commandResults/read",
          "Microsoft.ContainerService/managedClusters/privateEndpointConnections/read",
          "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
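The role definition above ships with empty `assignableScopes`, and it is easy for a later edit to widen it. The following added example (not Cado's code) fills in the scope and lints the result against the documented action list, flagging wildcards, extra actions, data-plane actions and a missing or malformed scope; the subscription id and resource group names in the test are constructed placeholders.

```python
import re
from typing import List

# Actions the Cado AKS acquisition role needs (copied from the role definition above).
REQUIRED_ACTIONS = [
    "Microsoft.Resources/subscriptions/operationresults/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/runCommand/action",
    "Microsoft.ContainerService/managedClusters/commandResults/read",
    "Microsoft.ContainerService/managedClusters/privateEndpointConnections/read",
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
]

# An assignable scope should be a subscription, or a resource group inside one.
SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?$")


def build_role(scope: str, role_name: str = "ScopedDownAKSTest") -> dict:
    """Return the page's role definition with assignableScopes filled in (hypothetical helper)."""
    return {
        "properties": {
            "roleName": role_name,
            "description": "Least-privilege role for Cado AKS container acquisition",
            "assignableScopes": [scope],
            "permissions": [{"actions": list(REQUIRED_ACTIONS), "notActions": [],
                             "dataActions": [], "notDataActions": []}],
        }
    }


def lint_role(role: dict) -> List[str]:
    """Return findings; an empty list means the role is no wider than the documented one."""
    findings = []
    props = role.get("properties", {})
    scopes = props.get("assignableScopes", [])
    if not scopes or not all(SCOPE_RE.match(s) for s in scopes):
        findings.append("assignableScopes must name a subscription or resource group")
    for perm in props.get("permissions", []):
        actions = perm.get("actions", [])
        wild = [a for a in actions if "*" in a]
        if wild:
            findings.append(f"wildcard actions present: {wild}")
        extra = sorted(set(actions) - set(REQUIRED_ACTIONS))
        if extra:
            findings.append(f"actions beyond the documented set: {extra}")
        missing = sorted(set(REQUIRED_ACTIONS) - set(actions))
        if missing:
            findings.append(f"documented actions missing: {missing}")
        if perm.get("dataActions"):
            findings.append("dataActions should be empty")
    return findings
```

Once `lint_role` returns no findings, the definition can be written to a file and created with `az role definition create --role-definition @role.json`.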