{"results":[{"id":"acr-admin-account-disabled-by-default","text":"The ACR admin account is disabled by default, has two independently regenerable passwords, and is not recommended for production or multi-user scenarios.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-admin-account-disabled-by-default-two-passwords","text":"ACR admin account is disabled by default, provides full push/pull access, has two independently regenerable passwords, and is not recommended for production or multi-user scenarios.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-service-principal-password-default-1-year","text":"ACR service principal passwords have a default expiry of 1 year.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-service-principal-password-default-expiry-1-year","text":"ACR service principal passwords have a default expiry of 1 year.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-api-server-public-by-default","text":"The AKS API server is public by default; access can be restricted via authorized IP ranges or by creating a private cluster.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-csi-default-1-21-intree-removed-1-26","text":"CSI drivers are default in AKS from Kubernetes 1.21; in-tree driver support removed from Kubernetes 1.26","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-custom-vnet-zero-trust-control-plane","text":"AKS custom VNet deployments inherit the Standard Load Balancer's zero-trust default-deny posture, requiring explicit NSG allowlisting of control plane ports (TCP 443, 4443 from cluster subnet to API server, TCP 9988 from Azure LB) — making AKS custom networking a manual allowlisting exercise where missing a single rule silently breaks cluster communication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-ephemeral-os-disk","text":"AKS defaults to ephemeral OS disks when the VM SKU supports them","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-namespaces-four","text":"AKS clusters include four default namespaces: `default`, `kube-node-lease`, `kube-public`, and `kube-system`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-os-ubuntu-linux","text":"The default operating system for AKS nodes is Ubuntu Linux; Azure Linux and Windows Server 2022 are also available as options.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-outbound-access-retirement-march-2026","text":"Default outbound internet access for AKS-managed VNet clusters retires March 31, 2026 (defaultOutboundAccess=false); BYO VNet clusters are unaffected.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-storage-class-managed-csi","text":"AKS default storage class is `managed-csi` backed by Standard SSD LRS","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-storage-classes-reconciled","text":"AKS reconciles built-in default storage classes — manual changes to them are overwritten by the platform.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-egress-unrestricted-by-default","text":"AKS clusters have unrestricted outbound internet access by default, but it can be restricted via outbound type configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-ephemeral-os-disk-requires-128gib-temp","text":"Ephemeral OS disk default sizing in AKS requires the VM SKU to have at least 128 GiB of temporary storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-full-zero-trust-secrets-at-rest","text":"AKS achieves full zero-trust protection for secrets at rest when combining infrastructure-level network zero-trust (inherited from Azure's NSG/LB default-deny stack) with Key Vault's network-isolated defense-in-depth key lifecycle for external secret storage.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-managed-os-disk-sizing-by-vcpu","text":"AKS managed OS disk defaults scale by vCPU count: 1-7→P10/128G, 8-15→P15/256G, 16-63→P20/512G, 64+→P30/1024G","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-multi-az-zrs-default-k8s-1-29","text":"AKS multi-AZ clusters default to ZRS storage from Kubernetes 1.29","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-node-authorization-default-1-24","text":"Node authorization is enabled by default on AKS 1.24+, authorizing kubelet API requests to protect against East-West attacks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-nodes-no-public-ip","text":"AKS nodes have no public IP addresses by default and are deployed to private subnets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":146,"limit":20,"offset":0}