RCE due to unpatched AKS cluster using 'None' upgrade channel

Critical Risk infrastructure-security
Tags: azure, aks, kubernetes, patch-management, security-updates, rce, vulnerability-management, terraform

What it is

Azure Kubernetes Service (AKS) clusters whose automatic upgrade channel is set to 'none', or never set at all (the azurerm provider treats an omitted automatic_channel_upgrade as none), are never moved to newer Kubernetes releases by the platform. The control plane and node pools stay on whatever version was deployed, so fixes for publicly disclosed vulnerabilities in the API server, kubelet and the other cluster components only arrive if someone upgrades by hand. A cluster that falls behind the AKS supported-version window also loses platform support, and an exploitable, unpatched component is exactly the kind of weakness that ends in remote code execution and full cluster compromise.

# VULNERABLE: AKS with no automatic upgrades
resource "azurerm_kubernetes_cluster" "vulnerable_aks" {
  name                = "vulnerable-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "vulnerable-aks"
  
  # VULNERABLE: "none" means AKS never upgrades the control plane or node pools
  automatic_channel_upgrade = "none"
  
  # Pinned to an exact, long-unsupported patch release; nothing ever moves it forward
  kubernetes_version = "1.24.0"
  
  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_B2s"
  }
  
  identity {
    type = "SystemAssigned"
  }
  
  tags = {
    environment = "production"
  }
}

# VULNERABLE: Missing upgrade channel
resource "azurerm_kubernetes_cluster" "vulnerable_no_config" {
  name                = "prod-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "prod-aks"
  
  # VULNERABLE: automatic_channel_upgrade omitted, which the provider treats as "none"
  
  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D4s_v3"
  }
  
  identity {
    type = "SystemAssigned"
  }
}
# SECURE: AKS with automatic upgrades
resource "azurerm_kubernetes_cluster" "secure_aks" {
  name                = "secure-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "secure-aks"
  
  # SECURE: Enable automatic upgrades.
  # Channels that move the Kubernetes version forward: "patch" (patch releases
  # within the pinned minor), "stable" (latest patch of minor N-1, the usual
  # production choice), "rapid" (latest supported minor). "node-image" only
  # refreshes node OS images and does not patch the control plane.
  automatic_channel_upgrade = "stable"
  
  # With "stable" or "rapid" the channel changes the minor version over time,
  # so do not pin an exact patch release: keep a minor alias (or omit the
  # attribute) and tell Terraform not to fight channel-driven upgrades, or
  # every plan after an auto-upgrade will try to roll the version back.
  kubernetes_version = "1.28"
  
  lifecycle {
    ignore_changes = [kubernetes_version]
  }
  
  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D4s_v3"
    
    upgrade_settings {
      max_surge = "10%"
    }
  }
  
  identity {
    type = "SystemAssigned"
  }
  
  # Optional: the default window bounds when AKS performs its own unplanned
  # maintenance. Channel-driven version upgrades follow the separate
  # auto-upgrade schedule (maintenance_window_auto_upgrade); without one they
  # run whenever a new version is published.
  maintenance_window {
    allowed {
      day   = "Sunday"
      hours = [2, 3, 4]
    }
  }
  
  tags = {
    environment  = "production"
    auto_upgrade = "enabled"
  }
}

💡 Why This Fix Works

The vulnerable configurations set automatic_channel_upgrade to 'none' or omit it (which the provider also treats as none), so no security patch ever reaches the cluster without a manual upgrade. The secure version turns the channel on. 'patch' stays on the pinned minor version and applies its patch releases; 'stable' tracks the latest patch of minor version N-1, where N is the newest minor AKS supports, which is the usual production choice; 'rapid' tracks the latest supported minor and suits development clusters. A maintenance window then constrains when those upgrades run, so the cluster gets timely fixes on a schedule the team controls.

Why it happens

The cluster's automatic_channel_upgrade is 'none', either written explicitly or left unset (the provider default), so the platform never upgrades it. Every security fix then depends on someone running a manual upgrade, and in practice those are postponed or forgotten, leaving known vulnerabilities in place.

Root causes

Explicitly Disabled Automatic Upgrades

AKS clusters configured with automatic_channel_upgrade set to 'none', explicitly disabling automatic security patches and version updates. This forces manual upgrades which teams may delay or forget, leaving clusters exposed to known vulnerabilities.

Missing Upgrade Channel Configuration

Terraform configurations omit the automatic_channel_upgrade parameter entirely. The azurerm provider treats the missing attribute as 'none', so the cluster behaves exactly like one where upgrades were disabled on purpose, and its Kubernetes components stay exposed to publicly disclosed exploits.

Manual Update Strategy Without Discipline

Teams prefer manual control over cluster upgrades but fail to establish and follow rigorous patching schedules. Manual updates are delayed due to operational priorities, leaving security patches unapplied for extended periods.

Legacy Configuration Patterns

Older AKS deployment templates and configuration patterns predate automatic upgrade channels or explicitly disable them. These legacy patterns persist through copy-paste or organizational templates without security review.

Inadequate Patch Management Processes

Organizations lack formal patch management processes for Kubernetes infrastructure. No procedures ensure timely application of critical security patches, and clusters run outdated versions with known CVEs.

Fixes

1

Enable Stable or Rapid Upgrade Channel

Set automatic_channel_upgrade to 'stable' for production (it follows the latest patch of the N-1 minor version, so each new minor has already been through a release cycle before your cluster receives it) or 'rapid' for development clusters that want the newest supported minor. Either channel delivers security patches without anyone having to remember to run an upgrade.

2

Automatic Security Patch Application

Configure automatic upgrades to ensure critical security patches and bug fixes are applied promptly without manual intervention. This reduces the window of exposure for known Kubernetes vulnerabilities and CVEs.

3

Configure Maintenance Windows

Use maintenance windows to control when automatic upgrades run. The default maintenance_window block bounds AKS's own unplanned maintenance; channel-driven version upgrades are scheduled by the separate auto-upgrade schedule (maintenance_window_auto_upgrade in the provider, aksManagedAutoUpgradeSchedule in Azure). Schedule them for low-traffic periods, such as early Sunday morning, and give the node pool a max_surge so the rollout keeps capacity while still applying patches promptly.

4

Use Patch Channel for Conservative Deployments

For production environments that cannot absorb minor-version changes on the platform's schedule, use automatic_channel_upgrade = 'patch'. It applies the latest patch release of the minor version you pin (specify kubernetes_version as a minor alias such as "1.28", not an exact patch), so CVE fixes still arrive while minor upgrades remain a deliberate, planned change.

5

Implement Security Advisory Monitoring

If manual upgrades are absolutely required, establish a process to monitor Kubernetes security advisories (the upstream CVE feed, Azure security bulletins, AKS release notes) and apply patches within defined SLAs. Use automated scanning to find clusters on outdated versions: az aks get-upgrades shows the versions available to a cluster, and az aks list exposes each cluster's kubernetesVersion and autoUpgradeProfile, which can be audited in CI.
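The audit described above, as an added example that is not part of the original page and not Sourcery's or Azure's own tooling: a small Python script that flags AKS clusters with no patching channel, both in Terraform source (covering the vulnerable resources shown earlier on this page) and in the JSON printed by az aks list -o json. The Terraform and JSON samples are constructed for the example; the JSON field names (autoUpgradeProfile.upgradeChannel, kubernetesVersion, currentKubernetesVersion) follow the ARM managed-cluster schema, and the supported-version floor is passed in as a parameter because it has to be looked up from az aks get-versions for your region.

```python
"""Find AKS clusters that will never receive control-plane patches.

Added example for this page, not Sourcery's scanner and not Azure tooling.
Inputs: Terraform source text, and the JSON from `az aks list -o json`.
Both samples below are constructed; the JSON field names follow the ARM
managedClusters schema.
"""
import json
import re
from typing import Dict, List, Tuple

# Channels that move the Kubernetes version forward. "node-image" only
# refreshes node OS images and leaves the control-plane version alone, so it
# does not count as patching here; "none" and an unset channel never upgrade.
PATCHING_CHANNELS = {"patch", "stable", "rapid"}

# azurerm 3.x names the attribute automatic_channel_upgrade; 4.x renamed it
# to automatic_upgrade_channel. Match either. The resource body ends at the
# first "}" in column 0, which is how nested blocks are told apart.
_RESOURCE_RE = re.compile(
    r'resource\s+"azurerm_kubernetes_cluster"\s+"([^"]+)"\s*\{(.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
_CHANNEL_RE = re.compile(
    r'^\s*(?:automatic_channel_upgrade|automatic_upgrade_channel)\s*=\s*"([^"]*)"',
    re.MULTILINE,
)


def scan_terraform(hcl: str) -> List[Tuple[str, str]]:
    """Return (resource label, problem) for each AKS resource without a patching channel."""
    findings = []
    for label, body in _RESOURCE_RE.findall(hcl):
        match = _CHANNEL_RE.search(body)
        if match is None:
            findings.append((label, "upgrade channel not set (provider default is none)"))
        elif match.group(1).lower() not in PATCHING_CHANNELS:
            findings.append((label, f"upgrade channel is {match.group(1)!r}"))
    return findings


def parse_minor(version: str) -> Tuple[int, int]:
    """'1.28.9' or the minor alias '1.28' -> (1, 28)."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def audit_clusters(az_list_json: str, oldest_supported: Tuple[int, int]) -> List[Dict[str, str]]:
    """Flag clusters from `az aks list -o json` with no patching channel or an
    out-of-support minor. oldest_supported is supplied by the caller (from
    `az aks get-versions`); this code does not derive it."""
    findings = []
    for cluster in json.loads(az_list_json):
        profile = cluster.get("autoUpgradeProfile") or {}   # null when never configured
        channel = (profile.get("upgradeChannel") or "none").lower()
        version = cluster.get("currentKubernetesVersion") or cluster["kubernetesVersion"]
        problems = []
        if channel not in PATCHING_CHANNELS:
            problems.append(f"upgradeChannel={channel}")
        if parse_minor(version) < oldest_supported:
            problems.append(f"running {version}, below supported floor "
                            f"{oldest_supported[0]}.{oldest_supported[1]}")
        if problems:
            findings.append({"name": cluster["name"], "problems": "; ".join(problems)})
    return findings


# Constructed Terraform sample mirroring the page's three resources.
SAMPLE_TF = '''
resource "azurerm_kubernetes_cluster" "vulnerable_aks" {
  name                      = "vulnerable-aks-cluster"
  automatic_channel_upgrade = "none"
  kubernetes_version        = "1.24.0"
}

resource "azurerm_kubernetes_cluster" "vulnerable_no_config" {
  name = "prod-aks-cluster"
  # no automatic_channel_upgrade here
  default_node_pool {
    name = "system"
  }
}

resource "azurerm_kubernetes_cluster" "secure_aks" {
  name                      = "secure-aks-cluster"
  automatic_channel_upgrade = "stable"
}
'''

# Constructed `az aks list -o json` output (hypothetical cluster names).
SAMPLE_AZ_LIST = json.dumps([
    {"name": "legacy-aks", "kubernetesVersion": "1.24.0",
     "currentKubernetesVersion": "1.24.0",
     "autoUpgradeProfile": {"upgradeChannel": "none"}},
    {"name": "prod-aks", "kubernetesVersion": "1.27.9",
     "currentKubernetesVersion": "1.27.9", "autoUpgradeProfile": None},
    {"name": "secure-aks", "kubernetesVersion": "1.28",
     "currentKubernetesVersion": "1.28.9",
     "autoUpgradeProfile": {"upgradeChannel": "stable", "nodeOsUpgradeChannel": "NodeImage"}},
])

if __name__ == "__main__":
    for label, problem in scan_terraform(SAMPLE_TF):
        print(f"terraform {label}: {problem}")
    for finding in audit_clusters(SAMPLE_AZ_LIST, oldest_supported=(1, 27)):
        print(f"cluster {finding['name']}: {finding['problems']}")
```

node-image is deliberately not accepted as a patching channel: it refreshes node images but never changes the Kubernetes version, so a cluster on it can still be running an unpatched API server. In CI, feed the script real `az aks list -o json` output and fail the job on any finding.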

Detect This Vulnerability in Your Code

Sourcery automatically identifies RCE due to an unpatched AKS cluster using the 'none' upgrade channel, and many other security issues, in your codebase.