azure_ad_groupazure_ad_service_principalazure_ad_userazure_alert_managementazure_api_managementazure_api_management_backendazure_app_configurationazure_app_service_environmentazure_app_service_function_appazure_app_service_planazure_app_service_web_appazure_app_service_web_app_slotazure_application_gatewayazure_application_insightazure_application_security_groupazure_automation_accountazure_automation_variableazure_bastion_hostazure_batch_accountazure_cognitive_accountazure_compute_availability_setazure_compute_diskazure_compute_disk_accessazure_compute_disk_encryption_setazure_compute_disk_metric_read_opsazure_compute_disk_metric_read_ops_dailyazure_compute_disk_metric_read_ops_hourlyazure_compute_disk_metric_write_opsazure_compute_disk_metric_write_ops_dailyazure_compute_disk_metric_write_ops_hourlyazure_compute_imageazure_compute_resource_skuazure_compute_snapshotazure_compute_ssh_keyazure_compute_virtual_machineazure_compute_virtual_machine_metric_available_memoryazure_compute_virtual_machine_metric_available_memory_dailyazure_compute_virtual_machine_metric_available_memory_hourlyazure_compute_virtual_machine_metric_cpu_utilizationazure_compute_virtual_machine_metric_cpu_utilization_dailyazure_compute_virtual_machine_metric_cpu_utilization_hourlyazure_compute_virtual_machine_scale_setazure_compute_virtual_machine_scale_set_network_interfaceazure_compute_virtual_machine_scale_set_vmazure_consumption_usageazure_container_groupazure_container_registryazure_cosmosdb_accountazure_cosmosdb_mongo_collectionazure_cosmosdb_mongo_databaseazure_cosmosdb_restorable_database_accountazure_cosmosdb_sql_databaseazure_data_factoryazure_data_factory_datasetazure_data_factory_pipelineazure_data_lake_analytics_accountazure_data_lake_storeazure_databox_edge_deviceazure_databricks_workspaceazure_diagnostic_settingazure_dns_zoneazure_eventgrid_domainazure_eventgrid_topicazure_eventhub_namespaceazure_express_route_circuitazure_firewallazure_firewall_policyazure_frontdoorazure_hdinsight_clusterazure_healthcare_serviceazure_hpc_cacheazure_hybrid_compute_machineazure_hybrid_kubernetes_connected_clusterazure_iothubazure_iothub_dpsazure_key_vaultazure_key_vault_deleted_vaultazure_key_vault_keyazure_key_vault_key_versionazure_key_vault_managed_hardware_security_moduleazure_key_vault_secretazure_kubernetes_clusterazure_kubernetes_service_versionazure_kusto_clusterazure_lbazure_lb_backend_address_poolazure_lb_nat_ruleazure_lb_outbound_ruleazure_lb_probeazure_lb_ruleazure_locationazure_log_alertazure_log_profileazure_logic_app_workflowazure_machine_learning_workspaceazure_maintenance_configurationazure_management_groupazure_management_lockazure_mariadb_serverazure_monitor_activity_log_eventazure_monitor_log_profileazure_mssql_elasticpoolazure_mssql_managed_instanceazure_mssql_virtual_machineazure_mysql_flexible_serverazure_mysql_serverazure_nat_gatewayazure_network_interfaceazure_network_security_groupazure_network_watcherazure_network_watcher_flow_logazure_policy_assignmentazure_policy_definitionazure_postgresql_flexible_serverazure_postgresql_serverazure_private_dns_zoneazure_providerazure_public_ipazure_recovery_services_backup_jobazure_recovery_services_vaultazure_redis_cacheazure_resource_groupazure_resource_linkazure_role_assignmentazure_role_definitionazure_route_tableazure_search_serviceazure_security_center_auto_provisioningazure_security_center_automationazure_security_center_contactazure_security_center_jit_network_access_policyazure_security_center_settingazure_security_center_sub_assessmentazure_security_center_subscription_pricingazure_service_fabric_clusterazure_servicebus_namespaceazure_signalr_serviceazure_spring_cloud_serviceazure_sql_databaseazure_sql_serverazure_storage_accountazure_storage_blobazure_storage_blob_serviceazure_storage_containerazure_storage_queueazure_storage_share_fileazure_storage_syncazure_storage_tableazure_storage_table_serviceazure_stream_analytics_jobazure_subnetazure_subscriptionazure_synapse_workspaceazure_tenantazure_virtual_networkazure_virtual_network_gateway
Table: azure_kubernetes_cluster - Query Azure Kubernetes Services using SQL
Azure Kubernetes Service (AKS) is a managed container orchestration service provided by Microsoft Azure. AKS simplifies the deployment, scaling, and operations of Kubernetes, an open-source system for automating the deployment, scaling, and management of containerized applications. It provides developers with a scalable and highly available infrastructure that's ideal for deploying microservice apps.
Table Usage Guide
The azure_kubernetes_cluster table provides insights into each Kubernetes cluster within Azure Kubernetes Service (AKS). As a DevOps engineer, you can use this table to explore details about each cluster, including its configuration, health status, and performance metrics. This information can be useful for monitoring the state of your clusters, troubleshooting issues, and optimizing resource usage.
Examples
Basic Info
Analyze the settings to understand the fundamental details of your Azure Kubernetes clusters. This information can help you monitor and manage your clusters more effectively by providing insights into aspects such as their location, type, and SKU.
select name, id, location, type, skufrom azure_kubernetes_cluster;select name, id, location, type, skufrom azure_kubernetes_cluster;List clusters with a system assigned identity
Identify instances where your Azure Kubernetes clusters are using a system assigned identity. This is useful in managing and securing cluster resources, as system assigned identities allow Azure to automatically manage the credentials.
select name, id, location, type, identity ->> 'type' as identity_type, skufrom azure_kubernetes_clusterwhere identity ->> 'type' = 'SystemAssigned';select name, id, location, type, json_extract(identity, '$.type') as identity_type, skufrom azure_kubernetes_clusterwhere json_extract(identity, '$.type') = 'SystemAssigned';List clusters that have role-based access control (RBAC) disabled
Determine the areas in your Azure Kubernetes clusters where role-based access control (RBAC) is disabled. This can help enhance your security measures by identifying potential vulnerabilities and ensuring appropriate access controls are in place.
select name, id, location, type, identity, enable_rbac, skufrom azure_kubernetes_clusterwhere not enable_rbac;select name, id, location, type, identity, enable_rbac, skufrom azure_kubernetes_clusterwhere not enable_rbac;List clusters with an undesirable version (older than 1.20.5)
Identify instances where your clusters are running on an outdated version (older than 1.20.5) in Azure Kubernetes. This is beneficial for maintaining system security and performance by ensuring your clusters are up-to-date.
select name, id, location, type, kubernetes_versionfrom azure_kubernetes_clusterwhere kubernetes_version < '1.20.5';select name, id, location, type, kubernetes_versionfrom azure_kubernetes_clusterwhere kubernetes_version < '1.20.5';Query examples
- compute_disk_encryption_sets_for_kubernetes_cluster
- kubernetes_cluster_agent_pools
- kubernetes_cluster_auto_scaler_profile_disabled_count
- kubernetes_cluster_by_kubernetes_version
- kubernetes_cluster_by_region
- kubernetes_cluster_by_sku_name
- kubernetes_cluster_by_subscription
- kubernetes_cluster_count
- kubernetes_cluster_disk_unencrypted_count
- kubernetes_cluster_node_pool_count
- kubernetes_cluster_pod_security_policy_disabled_count
- kubernetes_cluster_public_access_disabled_count
- kubernetes_cluster_rbac_disabled_count
- kubernetes_cluster_tags
- kubernetes_cluster_version
Control examples
- Authorized IP ranges should be defined on Kubernetes Services
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys
- Kubernetes cluster addon Azure policy should be enabled
- Kubernetes cluster nodes should prohibit public access
- Kubernetes cluster should restrict public access
- Kubernetes clusters HTTP application routing should be disabled
- Kubernetes clusters key vault secret rotation should be enabled
- Kubernetes clusters should have Azure network plugin
- Kubernetes clusters should have logging enabled
- Kubernetes clusters should have network policy enabled
- Kubernetes clusters should use a minimum number of 50 pods
- Kubernetes clusters should use standard SKU
- Kubernetes clusters upgrade channel should be configured
- Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
- Role-Based Access Control (RBAC) should be used on Kubernetes Services
- Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
Schema for azure_kubernetes_cluster
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| aad_profile | jsonb | Profile of Azure Active Directory configuration. | |
| addon_profiles | jsonb | Profile of managed cluster add-on. | |
| agent_pool_profiles | jsonb | Properties of the agent pool. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| api_server_access_profile | jsonb | Access profile for managed cluster API server. | |
| auto_scaler_profile | jsonb | Parameters to be applied to the cluster-autoscaler when enabled. | |
| auto_upgrade_profile | jsonb | Profile of auto upgrade configuration. | |
| azure_portal_fqdn | text | FQDN for the master pool which used by proxy config. | |
| cloud_environment | text | The Azure Cloud Environment. | |
| disk_encryption_set_id | text | ResourceId of the disk encryption set to use for enabling encryption at rest. | |
| dns_prefix | text | DNS prefix specified when creating the managed cluster. | |
| enable_pod_security_policy | boolean | Whether to enable Kubernetes pod security policy (preview). | |
| enable_rbac | boolean | Whether to enable Kubernetes Role-Based Access Control. | |
| fqdn | text | FQDN for the master pool. | |
| fqdn_subdomain | text | FQDN subdomain specified when creating private cluster with custom private dns zone. | |
| id | text | The ID of the cluster. | |
| identity | jsonb | The identity of the managed cluster, if configured. | |
| identity_profile | jsonb | Identities associated with the cluster. | |
| kubernetes_version | text | Version of Kubernetes specified when creating the managed cluster. | |
| linux_profile | jsonb | Profile for Linux VMs in the container service cluster. | |
| location | text | The location where the cluster is created. | |
| max_agent_pools | bigint | The max number of agent pools for the managed cluster. | |
| name | text | = | The name of the cluster. |
| network_profile | jsonb | Profile of network configuration. | |
| node_resource_group | text | Name of the resource group containing agent pool nodes. | |
| pod_identity_profile | jsonb | Profile of managed cluster pod identity. | |
| power_state | jsonb | Represents the Power State of the cluster. | |
| private_fqdn | text | FQDN of private cluster. | |
| provisioning_state | text | The current deployment or provisioning state. | |
| region | text | The Azure region/location in which the resource is located. | |
| resource_group | text | = | The resource group which holds this resource. |
| service_principal_profile | jsonb | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | |
| sku | jsonb | The managed cluster SKU. | |
| subscription_id | text | The Azure Subscription ID in which the resource is located. | |
| tags | jsonb | A map of tags for the resource. | |
| title | text | Title of the resource. | |
| type | text | The type of the cluster. | |
| windows_profile | jsonb | Profile for Windows VMs in the container service cluster. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureYou can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_kubernetes_cluster