RCE Due to Unpatched AKS Cluster Using 'None' Upgrade Channel in Azure Kubernetes Service

Critical Risk | Infrastructure Security

Tags: azure, aks, kubernetes, patching, rce, cve

What it is

Remote code execution (RCE) becomes possible when attackers exploit publicly known vulnerabilities in outdated Kubernetes control-plane or node components that have not received timely security patches.

Why it happens

The cluster's automatic_channel_upgrade is set to 'none' (omitting the attribute has the same effect), so the control plane and node pools stay on whatever version was deployed until someone upgrades them by hand, and that manual upgrade rarely happens on a schedule.

Root causes

Manual Control Preference

Setting automatic_channel_upgrade to 'none' to maintain full manual control over cluster versions without understanding security implications.

Fear of Breaking Changes

Disabling automatic upgrades due to concerns about compatibility issues, without implementing a manual patching schedule.

Static Version Pinning

Pinning specific kubernetes_version values in infrastructure code and forgetting to update them regularly.

Fixes

1. Enable Stable Upgrade Channel

Set automatic_channel_upgrade to 'stable' to receive timely security patches with controlled rollout.

2. Configure Node OS Security Patches

Set node_os_channel_upgrade to 'SecurityPatch' to automatically apply OS-level security updates to cluster nodes.

3. Define Maintenance Windows

Use maintenance_window_auto_upgrade and maintenance_window_node_os to control when updates occur, reducing disruption risk.
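The weak configuration from the root causes next to the configuration that applies all three fixes, as an added Terraform example (constructed here, not code from this page or from Sourcery). Resource names, the resource group reference, node pool sizing and the window times are assumptions; attribute names follow the azurerm 3.x provider schema used on this page (automatic_channel_upgrade, node_os_channel_upgrade), which later provider majors rename, so check your provider version before copying.

```hcl
# Constructed example: hypothetical AKS cluster resources, not from the page
# or from Sourcery. Names and the azurerm_resource_group.example reference are
# assumptions.

# --- Weak: 'none' channel plus a pinned patch version nobody updates ---
resource "azurerm_kubernetes_cluster" "weak" {
  name                = "aks-weak"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "aks-weak"

  kubernetes_version        = "1.27.3" # frozen until someone edits this line
  automatic_channel_upgrade = "none"   # omitting the attribute has the same effect

  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }
}

# --- Hardened: stable channel, OS security patches, scheduled windows ---
resource "azurerm_kubernetes_cluster" "hardened" {
  name                = "aks-hardened"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "aks-hardened"

  # Minor-version alias: AKS picks the latest GA patch of this minor at
  # creation time; the upgrade channel then keeps the cluster current.
  kubernetes_version = "1.29"

  # Fix 1: track the stable channel (GA patch releases on minor N-1).
  automatic_channel_upgrade = "stable"

  # Fix 2: apply OS-level security patches to nodes automatically.
  node_os_channel_upgrade = "SecurityPatch"

  # Fix 3: confine Kubernetes upgrades to a weekly window (assumed schedule).
  maintenance_window_auto_upgrade {
    frequency   = "Weekly"
    interval    = 1
    duration    = 4 # hours
    day_of_week = "Sunday"
    start_time  = "02:00"
    utc_offset  = "+00:00"
  }

  # Fix 3: a separate window for node OS patching (assumed schedule).
  maintenance_window_node_os {
    frequency   = "Weekly"
    interval    = 1
    duration    = 4
    day_of_week = "Saturday"
    start_time  = "02:00"
    utc_offset  = "+00:00"
  }

  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  # The channel upgrades the cluster outside Terraform; ignore the resulting
  # version drift so the next plan does not try to roll the cluster back.
  lifecycle {
    ignore_changes = [kubernetes_version]
  }
}
```

The lifecycle block matters in practice: once the channel has moved the cluster to a newer minor, a plan that still carries the older kubernetes_version would otherwise propose a downgrade, and teams often respond by switching the channel back to 'none', recreating the original problem.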

Detect This Vulnerability in Your Code

Sourcery automatically identifies RCE due to unpatched AKS clusters using the 'none' upgrade channel in Azure Kubernetes Service, along with many other security issues in your codebase.