feat: Add security queries for AKS configurations and tests

Author: GeekMasher

ql/lib/codeql/bicep/frameworks/Microsoft/AKS.qll

@@ -295,6 +295,10 @@ module AKS {
        */
       Boolean getEnabled() { result = this.getProperty("enabled") }
 
+      boolean enabled() {
+        result = this.getEnabled().getBool()
+      }
+
       string toString() { result = "AddonKubeDashboard" }
     }
 

ql/src/security/AKS/AKSKubeDashboardEnabled.ql

@@ -0,0 +1,18 @@
+/**
+ * @name AKS cluster with kubeDashboard enabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters where the kubeDashboard addon is enabled (insecure configuration).
+ * @kind problem
+ * @problem.severity warning
+ * @id bicep/aks-kubedashboard-enabled
+ * @tags security, kubernetes, azure, aks
+ */
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource r, 
+     AKS::ManagedContainerProperties::AddonProfiles addons, 
+     AKS::ManagedContainerProperties::AddonKubeDashboard dashboard
+where
+  addons = r.getProperties().getAddonProfiles() and
+  dashboard = addons.getKubeDashboard() and
+  dashboard.enabled() = true
+select r, "AKS cluster has kubeDashboard addon enabled (insecure configuration)."

ql/src/security/AKS/AKSPrivateApiEnabled.ql

@@ -0,0 +1,18 @@
+/**
+ * @name AKS cluster with private API server enabled
+ * @description Detects Azure Kubernetes Service (AKS) clusters where the API server is private (private cluster enabled).
+ * @kind problem
+ * @problem.severity recommendation
+ * @id bicep/aks-private-api-server-enabled
+ * @tags security
+ *       kubernetes
+ *       azure
+ */
+import codeql.bicep.frameworks.Microsoft.AKS
+
+from AKS::ManagedContainerResource r, 
+     AKS::ManagedContainerProperties::ApiServerAccessProfile api
+where
+  api = r.getProperties().getApiServerAccessProfile() and
+  api.enablePrivateCluster() = true
+select r, "AKS cluster API server is private (private cluster enabled)."

ql/src/security/AKS/AKSPublicApi.ql

@@ -0,0 +1,22 @@
+/**
+ * @name AKS cluster with public API server
+ * @description Detects Azure Kubernetes Service (AKS) clusters where the API server is publicly accessible (private cluster not enabled).
+ * @kind problem
+ * @problem.severity warning
+ * @id bicep/aks-public-api-server
+ * @tags security
+ *       azure
+ *       kubernetes
+ */
+import bicep
+
+from AKS::ManagedContainerResource r, 
+     AKS::ManagedContainerProperties::ApiServerAccessProfile api
+where
+  api = r.getProperties().getApiServerAccessProfile() and
+  (
+    // enablePrivateCluster is missing or set to false
+    not exists(api.getEnablePrivateCluster()) or
+    api.enablePrivateCluster() = false
+  )
+select r, "AKS cluster API server is publicly accessible (private cluster not enabled)."

ql/test/queries-tests/security/AKS/AKSKubeDashboardEnabled.expected

@@ -0,0 +1 @@
+| aks-security-examples.bicep:2:1:30:1 | ManagedContainerResource | AKS cluster has kubeDashboard addon enabled (insecure configuration). |

ql/test/queries-tests/security/AKS/AKSKubeDashboardEnabled.qlref

@@ -0,0 +1 @@
+security/AKS/AKSKubeDashboardEnabled.ql

ql/test/queries-tests/security/AKS/AKSPrivateApiEnabled.expected

@@ -0,0 +1 @@
+| aks-security-examples.bicep:32:1:62:1 | ManagedContainerResource | AKS cluster API server is private (private cluster enabled). |

ql/test/queries-tests/security/AKS/AKSPrivateApiEnabled.qlref

@@ -0,0 +1 @@
+security/AKS/AKSPrivateApiEnabled.ql

ql/test/queries-tests/security/AKS/AKSPublicApi.expected

@@ -0,0 +1,2 @@
+| aks-security-examples.bicep:2:1:30:1 | ManagedContainerResource | AKS cluster API server is publicly accessible (private cluster not enabled). |
+| aks-security-examples.bicep:32:1:62:1 | ManagedContainerResource | AKS cluster API server is publicly accessible (private cluster not enabled). |

ql/test/queries-tests/security/AKS/AKSPublicApi.qlref

@@ -0,0 +1 @@
+security/AKS/AKSPublicApi.ql

ql/test/queries-tests/security/AKS/aks-security-examples.bicep

@@ -0,0 +1,62 @@
+// Example Bicep file with AKS security issues for CodeQL testing
+resource insecureAks 'Microsoft.ContainerService/managedClusters@2023-01-01' = {
+  name: 'aks-insecure-public'
+  location: 'eastus'
+  properties: {
+    kubernetesVersion: '1.25.6' // Outdated version
+    dnsPrefix: 'aks-public'
+    agentPoolProfiles: [
+      {
+        name: 'agentpool'
+        count: 1
+        vmSize: 'Standard_DS2_v2'
+        osType: 'Linux'
+        mode: 'System'
+        enableAutoScaling: false // No autoscaling
+      }
+    ]
+    networkProfile: {
+      networkPlugin: 'azure'
+    }
+    apiServerAccessProfile: {
+      enablePrivateCluster: false // Public API server
+    }
+    addonProfiles: {
+      kubeDashboard: {
+        enabled: true // Insecure: dashboard enabled
+      }
+    }
+  }
+}
+
+resource secureAks 'Microsoft.ContainerService/managedClusters@2023-01-01' = {
+  name: 'aks-secure-private'
+  location: 'eastus'
+  properties: {
+    kubernetesVersion: '1.28.3' // Supported version
+    dnsPrefix: 'aks-private'
+    agentPoolProfiles: [
+      {
+        name: 'agentpool'
+        count: 3
+        vmSize: 'Standard_DS2_v2'
+        osType: 'Linux'
+        mode: 'System'
+        enableAutoScaling: true
+        minCount: 1
+        maxCount: 5
+      }
+    ]
+    networkProfile: {
+      networkPlugin: 'azure'
+    }
+    apiServerAccessProfile: {
+      enablePrivateCluster: true // Private API server
+    }
+    addonProfiles: {
+      kubeDashboard: {
+        enabled: false // Secure: dashboard disabled
+      }
+    }
+  }
+}