Skip to main content

How to Import Azure Kubernetes Service (AKS) Containers

The Cado platform allows you to collect key logs and forensic artifacts from containers running in Azure Kubernetes Service (AKS).

Known Limitations

  • Cado can acquire artifacts from containers built with distroless containers using Cado Host only. Containers with the gcr.io/distroless image tag will be hidden. For more details, see Kubernetes Deployments.
  • Cado will hide pods running under the following namespaces, which are generally system-level namespaces running a distroless environment:
    • kube-system, kube-public, kube-node-lease
    • gke-gmp-system, aks-command
    • gmp-system, calico-system, tigera-operator

Import Steps

  1. Navigate to Import > Cloud.

    Cado Import Screen showing the AKS options

  2. Select the Azure credentials configured under Azure > Cross Subscription and Tenancy.

  3. Choose the resource group associated with the AKS cluster.

  4. Follow the steps to select your Cluster, Pod, and Container.

    Cado Import Screen showing the available AKS Clusters

  5. Confirm the details and click Start Import.

Cado will automatically collect all key logs and forensic artifacts from the container for investigation. For most acquisitions, the import and processing will take just a few minutes to complete.

Cado showing the confirmation screen of a successful AKS container capture

Private Cluster Support

As of release v2.31.0, the Cado platform supports capturing data from AKS Private Clusters. This functionality is achieved using the Azure Command Invoke APIs.

There are two key considerations with this method:

  1. Capturing from a private cluster is significantly slower than from a public cluster.
  2. The Azure API spins up a pod within the cluster to execute Cado Host. Ensure that your cluster has enough resources and nodes to schedule this command pod.

The newly created pod will automatically shut down and remove itself after 1 hour.

Scoping Down the Role for Access to AKS

The Cado platform requires specific permissions to access and execute code in containers. You can use the following role definition to limit the permissions required for Cado to access and acquire data from AKS:

Scoped down AKS role

{
    "id": "",
    "properties": {
        "roleName": "ScopedDownAKSTest",
        "description": "",
        "assignableScopes": [
            ""
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/operationresults/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.ContainerService/managedClusters/runCommand/action",
                    "Microsoft.ContainerService/managedClusters/commandResults/read",
                    "Microsoft.ContainerService/managedClusters/privateEndpointConnections/read",
                    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}