Cluster Name: aks-0402-dev-uks
Kubernetes Version: v1.30.9
Nodes: 5 | Healthy: 5 | Issues: 0
Pods: 80 | Running: 77 | Failed: 0
Restarts: 2 | Warnings: 0 | Critical: 0
Pending Pods: 0 | Waiting: 0
Stuck Pods: 0 | Stuck: 0
Job Failures: 0 | Failed: 0
Pods per node: Avg: 16 | Max: 24 | Min: 6 | Total Nodes: 5
⚠️ Total Not Ready Nodes: 0
Node | Status | Issues |
---|---|---|
aks-systempool-19995743-vmss00000c | ✅ Healthy | None |
aks-systempool-19995743-vmss00000d | ✅ Healthy | None |
aks-systempool-19995743-vmss00000e | ✅ Healthy | None |
aks-workloadpool-10479701-vmss000004 | ✅ Healthy | None |
akswinnp000001 | ✅ Healthy | None |
⚠️ Total Resource Warnings Across All Nodes: 2
Node | CPU Status | CPU % | CPU Used | CPU Total | Mem Status | Mem % | Mem Used | Mem Total | Disk % | Disk Status |
---|---|---|---|---|---|---|---|---|---|---|
aks-systempool-19995743-vmss00000c | ✅ Normal | 7.47% | 142 mC | 1900 mC | 🟡 Warning | 52.78% | 3448 Mi | 6533 Mi | 52% | ✅ Normal |
aks-systempool-19995743-vmss00000d | ✅ Normal | 7.05% | 134 mC | 1900 mC | 🟡 Warning | 52.95% | 3459 Mi | 6533 Mi | 52% | ✅ Normal |
aks-systempool-19995743-vmss00000e | ✅ Normal | 7.26% | 138 mC | 1900 mC | ✅ Normal | 46.21% | 3019 Mi | 6533 Mi | 46% | ✅ Normal |
aks-workloadpool-10479701-vmss000004 | ✅ Normal | 2.93% | 113 mC | 3860 mC | ✅ Normal | 12.05% | 1758 Mi | 14584 Mi | 12% | ✅ Normal |
akswinnp000001 | ✅ Normal | 0.42% | 8 mC | 1900 mC | ✅ Normal | 29.61% | 1627 Mi | 5494 Mi | 29% | ✅ Normal |
⚠️ Total Empty Namespaces: 3
Namespace |
---|
default |
kube-node-lease |
kube-public |
✅ All DaemonSets are fully running.
✅ No pods with excessive restarts detected.
✅ No long-running pods detected.
✅ No failed pods found.
✅ No pending pods found.
✅ No CrashLoopBackOff pods found.
✅ No leftover debug pods detected.
✅ No jobs found in the cluster.
✅ No failed jobs found.
⚠️ Total Services Without Endpoints: 1
Namespace | Service | Type | Status |
---|---|---|---|
kube-system | network-observability | ClusterIP | ⚠️ No Endpoints |
✅ No unused PVCs found.
⚠️ Total RBAC Misconfigurations Detected: 9
Namespace | Type | RoleBinding | Subject | Issue |
---|---|---|---|---|
kube-system | 🔹 Namespace Role | system::leader-locking-kube-controller-manager | ServiceAccount/kube-controller-manager | ❌ ServiceAccount does not exist |
kube-system | 🔹 Namespace Role | system::leader-locking-kube-scheduler | ServiceAccount/kube-scheduler | ❌ ServiceAccount does not exist |
kube-system | 🔹 Namespace Role | system:controller:cloud-provider | ServiceAccount/cloud-provider | ❌ ServiceAccount does not exist |
🌍 Cluster-Wide | 🔸 Cluster Role | secretproviderrotation-rolebinding | ServiceAccount/secrets-store-csi-driver | ❌ ServiceAccount does not exist |
🌍 Cluster-Wide | 🔸 Cluster Role | system:azure-cloud-provider | ServiceAccount/azure-cloud-provider | ❌ ServiceAccount does not exist |
🌍 Cluster-Wide | 🔸 Cluster Role | system:azure-cloud-provider-secret-getter | ServiceAccount/azure-cloud-provider | ❌ ServiceAccount does not exist |
🌍 Cluster-Wide | 🔸 Cluster Role | system:controller:route-controller | ServiceAccount/route-controller | ❌ ServiceAccount does not exist |
🌍 Cluster-Wide | 🔸 Cluster Role | system:controller:service-controller | ServiceAccount/service-controller | ❌ ServiceAccount does not exist |
🌍 Cluster-Wide | 🔸 Cluster Role | system:kube-dns | ServiceAccount/kube-dns | ❌ ServiceAccount does not exist |
⚠️ Total Orphaned ConfigMaps Found: 12
Namespace | Type | Name |
---|---|---|
default | 📜 ConfigMap | kube-root-ca.crt |
gatekeeper-system | 📜 ConfigMap | kube-root-ca.crt |
kube-node-lease | 📜 ConfigMap | kube-root-ca.crt |
kube-public | 📜 ConfigMap | kube-root-ca.crt |
kube-system | 📜 ConfigMap | azure-ip-masq-agent-config-reconciled |
kube-system | 📜 ConfigMap | cluster-autoscaler-status |
kube-system | 📜 ConfigMap | container-azm-ms-aks-k8scluster |
kube-system | 📜 ConfigMap | coredns-autoscaler |
kube-system | 📜 ConfigMap | extension-apiserver-authentication |
kube-system | 📜 ConfigMap | kube-apiserver-legacy-service-account-token-tracking |
kube-system | 📜 ConfigMap | kube-root-ca.crt |
kube-system | 📜 ConfigMap | overlay-upgrade-data |
⚠️ Total Orphaned Secrets Found: 3
Namespace | Type | Name |
---|---|---|
kube-system | 🔑 Secret | aad-msi-auth-token |
kube-system | 🔑 Secret | azure-policy-webhook-cert |
kube-system | 🔑 Secret | omsagent-aad-msi-token |
ID | Check | Severity | Category | Status | Recommendation | URL |
---|---|---|---|---|---|---|
BP009 | Node OS Upgrade Channel Configured | Medium | Best Practices | ❌ FAIL | Node OS upgrade channel is not configured, which may leave your node OS outdated and vulnerable. | https://learn.microsoft.com/en-us/azure/aks/auto-upgrade |
BP005 | Ephemeral OS Disks Enabled | Medium | Best Practices | ❌ FAIL | One or more agent pools are not using ephemeral OS disks, leading to slower disk performance and increased costs. | https://learn.microsoft.com/en-us/azure/aks/ephemeral-os-disks |
BP001 | Allowed Container Images Policy Enforcement | High | Best Practices | ❌ FAIL | The 'Only Allowed Images' policy is either missing or not enforcing deny mode, increasing the risk of running untrusted images. | https://learn.microsoft.com/en-us/azure/aks/azure-policy |
NET001 | Authorized IP Ranges | High | Networking | ❌ FAIL | No authorized IP ranges configured. This allows unrestricted access to the API server. | https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security#secure-access-to-the-api-server-and-cluster-nodes |
NET003 | Web App Routing Enabled | Low | Networking | ❌ FAIL | Web App Routing is not enabled, which may limit external access management. | https://learn.microsoft.com/en-us/azure/aks/web-app-routing |
RES002 | AKS Built-in Cost Tooling Enabled | Medium | Resource Management | ❌ FAIL | AKS built-in cost tooling (Open Costs) is not enabled, making cost allocation and optimization harder. | https://learn.microsoft.com/en-us/azure/aks/cost-management |
SEC001 | Private Cluster | High | Security | ❌ FAIL | Cluster API server is publicly accessible, increasing security risks. | https://learn.microsoft.com/en-us/azure/aks/private-clusters |
BP010 | Customized MC_ Resource Group Name | Medium | Best Practices | ✅ PASS | Customized MC_ Resource Group Name is enabled. | https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-resource-group |
BP008 | Auto Upgrade Channel Configured | Medium | Best Practices | ✅ PASS | Auto Upgrade Channel Configured is enabled. | https://learn.microsoft.com/en-us/azure/aks/auto-upgrade |
BP007 | System Node Pool Taint | High | Best Practices | ✅ PASS | System Node Pool Taint is enabled. | https://learn.microsoft.com/en-us/azure/aks/use-system-node-pools |
BP006 | Non-Ephemeral Disks with Adequate Size | Medium | Best Practices | ✅ PASS | Non-Ephemeral Disks with Adequate Size is enabled. | https://learn.microsoft.com/en-us/azure/aks/availability-zone-support |
BP004 | Azure Linux as Host OS | High | Best Practices | ✅ PASS | Azure Linux as Host OS is enabled. | https://learn.microsoft.com/en-us/azure/aks/use-azure-linux |
BP003 | Multiple Node Pools | Medium | Best Practices | ✅ PASS | Multiple Node Pools is enabled. | https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools |
BP002 | No Privileged Containers Policy Enforcement | High | Best Practices | ✅ PASS | No Privileged Containers Policy Enforcement is enabled. | https://learn.microsoft.com/en-us/azure/aks/azure-policy |
DR001 | Agent Pools with Availability Zones | High | Disaster Recovery | ✅ PASS | Agent Pools with Availability Zones is enabled. | https://learn.microsoft.com/en-us/azure/aks/availability-zones |
DR002 | Control Plane SLA | Medium | Disaster Recovery | ✅ PASS | Control Plane SLA is enabled. | https://azure.microsoft.com/en-us/pricing/details/kubernetes-service/ |
IAM001 | RBAC Enabled | High | Identity & Access | ✅ PASS | RBAC Enabled is enabled. | https://learn.microsoft.com/en-us/azure/aks/rbac |
IAM002 | Managed Identity | High | Identity & Access | ✅ PASS | Managed Identity is enabled. | https://learn.microsoft.com/en-us/azure/aks/use-managed-identity |
IAM003 | Workload Identity Enabled | Medium | Identity & Access | ✅ PASS | Workload Identity Enabled is enabled. | https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview |
IAM004 | Managed Identity Used | High | Identity & Access | ✅ PASS | Managed Identity Used is enabled. | https://learn.microsoft.com/en-us/azure/aks/use-managed-identity |
IAM005 | AAD RBAC Authorization Integrated | High | Identity & Access | ✅ PASS | AAD RBAC Authorization Integrated is enabled. | https://learn.microsoft.com/en-us/azure/aks/aad-integration |
IAM006 | AAD Managed Authentication Enabled | High | Identity & Access | ✅ PASS | AAD Managed Authentication Enabled is enabled. | https://learn.microsoft.com/en-us/azure/aks/aad-integration |
IAM007 | Local Accounts Disabled | High | Identity & Access | ✅ PASS | Local Accounts Disabled is enabled. | https://learn.microsoft.com/en-us/azure/aks/disable-local-accounts |
MON002 | Managed Prometheus Enabled | High | Monitoring & Logging | ✅ PASS | Managed Prometheus Enabled is enabled. | https://learn.microsoft.com/en-us/azure/azure-monitor/containers/prometheus-metrics |
MON001 | Azure Monitor | High | Monitoring & Logging | ✅ PASS | Azure Monitor is enabled. | https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-overview |
NET004 | Azure CNI Networking Recommended | Medium | Networking | ✅ PASS | Azure CNI Networking Recommended is enabled. | https://learn.microsoft.com/en-us/azure/aks/concepts-network#networking-options |
NET002 | Network Policy Check | Medium | Networking | ✅ PASS | Network Policy Check is enabled. | https://learn.microsoft.com/en-us/azure/aks/best-practices-network#implement-network-policies |
RES001 | Cluster Autoscaler | Medium | Resource Management | ✅ PASS | Cluster Autoscaler is enabled. | https://learn.microsoft.com/en-us/azure/aks/cluster-autoscaler |
SEC005 | Azure Key Vault Integration | High | Security | ✅ PASS | Azure Key Vault Integration is enabled. | https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver |
SEC007 | Kubernetes Dashboard Disabled | High | Security | ✅ PASS | Kubernetes Dashboard Disabled is enabled. | https://learn.microsoft.com/en-us/azure/aks/kubernetes-dashboard |
SEC003 | Defender for Containers | High | Security | ✅ PASS | Defender for Containers is enabled. | https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction |
SEC006 | Image Cleaner Enabled | Medium | Security | ✅ PASS | Image Cleaner Enabled is enabled. | https://learn.microsoft.com/en-us/azure/aks/image-cleaner |
SEC002 | Azure Policy Add-on | Medium | Security | ✅ PASS | Azure Policy Add-on is enabled. | https://learn.microsoft.com/en-us/azure/aks/policy-reference |
SEC004 | OIDC Issuer Enabled | Medium | Security | ✅ PASS | OIDC Issuer Enabled is enabled. | https://learn.microsoft.com/en-us/azure/aks/oidc-issuer |