AKS
aks is the managed-cluster triage command for Azure Kubernetes Service posture, exposure, and
identity cues.
Use it when you need to know which AKS clusters deserve review before node-level or Kubernetes-internal detail.
- Which clusters matter first?
- Which AKS platform most changes what an operator or attacker could reach next?
- Which clusters combine exposure, identity, or wider operational consequence in a way that matters now?
```
azurefox aks --output table
```

For saved structured output:

```
azurefox aks --output json
```

| cluster | version | endpoint | identity | auth | network |
|---|---|---|---|---|---|
| aks-public-legacy | k8s=1.27.9; pools=1; tier=Free | private-api=no; fqdn | ServicePrincipal; client-id=yes; workload-id=no | aad=no; azure-rbac=no; local-accounts=enabled; oidc=no | plugin=kubenet; outbound=loadBalancer; webapp-routing=no |
- when AKS may be acting as both infrastructure and application platform
- when you need to rank clusters before deeper Kubernetes-focused review
- when ingress, cluster identity, or Key Vault-linked addons make one platform stand out
- public API endpoints or `private_cluster_enabled=false`
- cluster identity and workload identity cues
- addons such as `azureKeyvaultSecretsProvider`
- signs that one cluster fronts many workloads or carries broader consequence
AKS can be both infrastructure and application platform at the same time.
A cluster with reachable control or workload paths, strong Azure identity adjacency, or central
networking can matter far more than a quiet internal cluster. aks helps you rank those platforms
before you get lost in Kubernetes-internal detail.
- visible exposure or ingress relevance
- managed identity or other strong Azure control-plane adjacency
- signs of higher operational centrality or wider hosted consequence
- enough context in one row to make the next follow-up clear
- If you see a public API endpoint or `private_cluster_enabled=false`, go next to Endpoints because it surfaces the cluster-facing hostnames and other visible ingress paths around the platform.
- If you see `cluster_identity_type` or `workload_identity_enabled` cues, go next to Permissions because it shows whether that cluster identity already carries meaningful Azure roles.
- If you see addons such as `azureKeyvaultSecretsProvider`, go next to Keyvault because it shows the secret-management boundary the cluster is wired into.
- Start with the clusters that combine exposure, Azure identity, and wider hosted consequence.
- Treat AKS posture as a platform-level question first, then pivot into networking, identity, or secrets based on what stands out.
- Use this command to decide whether the next stop belongs in ingress, permissions, or supporting secret-management review.
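
The follow-up routing and "combined cues first" ordering described above, applied to saved cluster records; this is an added example, not AzureFox code or its documented JSON schema. The names `private_cluster_enabled`, `cluster_identity_type`, `workload_identity_enabled` and `azureKeyvaultSecretsProvider` come from this page; the record layout (`name`, `addons`), the cue-count ordering, and every sample value other than the `aks-public-legacy` cues are assumptions.

```python
# Added example. Record layout ("name", "addons") is assumed, not AzureFox's schema.

def follow_ups(cluster):
    """Return the follow-up reviews this page suggests for one cluster record."""
    steps = []
    # Exposure cue: anything other than an explicit True is reviewed as a
    # public API endpoint, so a missing field errs toward review.
    if cluster.get("private_cluster_enabled") is not True:
        steps.append("endpoints")
    # Identity cue: a cluster identity type or enabled workload identity.
    if cluster.get("cluster_identity_type") or cluster.get("workload_identity_enabled"):
        steps.append("permissions")
    # Secrets cue: the Key Vault secrets provider addon is wired in.
    if "azureKeyvaultSecretsProvider" in (cluster.get("addons") or []):
        steps.append("keyvault")
    return steps


def rank(clusters):
    """Order clusters so those combining the most cues come first.

    Counting cues is an assumed stand-in for "combine exposure, Azure
    identity, and wider hosted consequence"; ties sort by name.
    """
    scored = [(c.get("name", "<unnamed>"), follow_ups(c)) for c in clusters]
    return sorted(scored, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample records. Only the aks-public-legacy cues mirror the
# table row on this page (private-api=no, ServicePrincipal, workload-id=no).
SAMPLE = [
    {"name": "aks-internal", "private_cluster_enabled": True,
     "cluster_identity_type": "SystemAssigned",
     "workload_identity_enabled": False, "addons": []},
    {"name": "aks-public-legacy", "private_cluster_enabled": False,
     "cluster_identity_type": "ServicePrincipal",
     "workload_identity_enabled": False, "addons": []},
    {"name": "aks-shared-platform", "private_cluster_enabled": False,
     "cluster_identity_type": "UserAssigned",
     "workload_identity_enabled": True,
     "addons": ["azureKeyvaultSecretsProvider"]},
]

if __name__ == "__main__":
    for name, steps in rank(SAMPLE):
        print(f"{name}: review next -> {', '.join(steps) or 'none'}")
```
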
aks is an AKS platform triage command.
It should rank the clusters that most deserve follow-up first. It is not full Kubernetes object inventory, pod-level analysis, or cluster-admin execution.