Profile Applicability:

  • Level 1

Description:

Ensure that the DenyServiceExternalIPs admission control is enabled in the Kubernetes API server configuration. This admission control restricts services from being assigned external IP addresses. Enabling this setting ensures that services cannot inadvertently expose themselves to the external network unless explicitly configured to do so, improving the cluster's security by preventing unauthorized or accidental exposure.

Rationale:

The DenyServiceExternalIPs admission control prevents the Kubernetes API server from allowing services to be assigned external IP addresses. This is important for preventing the accidental exposure of internal services to the external internet, which could lead to security vulnerabilities or unwanted traffic. By ensuring this setting is enabled, the cluster remains more secure and services are only exposed via controlled, intentional configurations.

Impact:

Pros:

  • Prevents services from being exposed to external networks unless explicitly configured.

  • Reduces the risk of accidental security exposures.

  • Enhances overall security by limiting the scope of services accessible from the outside world.

Cons:

  • Requires proper planning for services that need to be externally accessible, as this setting will prevent them from using external IPs unless configured appropriately.

Default Value:

By default, the DenyServiceExternalIPs admission control may not be enabled. It must be manually configured to enforce the restriction on external IP usage for services.

Pre-Requisites:

  • Access to the Kubernetes API server configuration.

  • Sufficient privileges (root or administrator access) to modify the API server flags.

  • A Kubernetes environment where managing external IP exposure is a priority for security.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Clusters" section and locate your cluster.

  4. Review the settings for the DenyServiceExternalIPs admission control in the API server configuration.

  5. Ensure that the DenyServiceExternalIPs admission control is enabled.

Using AWS CLI:

  1. Retrieve the configuration for the Kubernetes API server:

     kubectl get deployment -n kube-system kube-apiserver -o yaml

  2. Check for the presence of the DenyServiceExternalIPs admission control in the API server flags:

     - --enable-admission-plugins=DenyServiceExternalIPs,...

  3. Ensure that DenyServiceExternalIPs is included in the list of enabled admission plugins. If it is not, update the configuration to include it.
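The flag check above, together with an inventory of Services that already use spec.externalIPs, as an added Python example that is not part of this benchmark; the kube-apiserver argument list and the Service JSON are constructed samples, and the function names are the example's own:

```python
import json

def _flag_values(args, flag):
    """Collect the comma-separated values of every --flag=a,b occurrence in a
    kube-apiserver command list (the two-token '--flag a,b' form also works)."""
    values = []
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            values += arg.split("=", 1)[1].split(",")
        elif arg == flag and i + 1 < len(args):
            values += args[i + 1].split(",")
    return {v.strip() for v in values if v.strip()}

def plugin_enabled(args, plugin="DenyServiceExternalIPs"):
    """True only if the plugin is in --enable-admission-plugins and not also in
    --disable-admission-plugins (an overlap is a kube-apiserver configuration
    error, so it is reported here as not enabled)."""
    enabled = _flag_values(args, "--enable-admission-plugins")
    disabled = _flag_values(args, "--disable-admission-plugins")
    return plugin in enabled and plugin not in disabled

def services_with_external_ips(svc_list_json):
    """Return (namespace, name, externalIPs) for every Service in a
    'kubectl get svc -A -o json' document that sets spec.externalIPs."""
    found = []
    for item in json.loads(svc_list_json).get("items", []):
        ips = item.get("spec", {}).get("externalIPs") or []
        if ips:
            meta = item["metadata"]
            found.append((meta["namespace"], meta["name"], list(ips)))
    return found

# Constructed sample input (not captured from a real cluster).
SAMPLE_ARGS = [
    "kube-apiserver",
    "--enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs",
    "--disable-admission-plugins=",
]
SAMPLE_SVC_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"type": "ClusterIP", "externalIPs": ["198.51.100.10"]}},
    {"metadata": {"namespace": "kube-system", "name": "kube-dns"},
     "spec": {"type": "ClusterIP"}},
]})

if __name__ == "__main__":
    print("DenyServiceExternalIPs enabled:", plugin_enabled(SAMPLE_ARGS))
    for ns, name, ips in services_with_external_ips(SAMPLE_SVC_JSON):
        print(f"{ns}/{name} uses externalIPs {ips}")
```

Enabling the plugin blocks new uses of spec.externalIPs but leaves existing Services untouched, so the inventory shows what the control does not retroactively cover.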

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to your cluster.

  3. Review the cluster's configuration for the DenyServiceExternalIPs admission control.

  4. If the admission control is missing, update the API server configuration to enable it:
     
    --enable-admission-plugins=DenyServiceExternalIPs

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

Modify the API server deployment by adding DenyServiceExternalIPs to the list of enabled admission plugins:

kubectl edit deployment -n kube-system kube-apiserver

  1. In the deployment YAML, locate the command section under the spec for the kube-apiserver container.

  2. Add DenyServiceExternalIPs to the list of enabled admission plugins:

     - --enable-admission-plugins=DenyServiceExternalIPs,...

  3. Save and exit the editor to apply the changes.

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Open the EKS service and navigate to your cluster.

  3. Locate the API server configuration.

  4. If necessary, revert the change by removing DenyServiceExternalIPs from the list of enabled admission plugins.

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

To revert the change, edit the API server deployment and remove DenyServiceExternalIPs from the enabled admission plugins:

kubectl edit deployment -n kube-system kube-apiserver

  1. Update the deployment YAML to remove DenyServiceExternalIPs from the list of admission plugins.

  2. Save and exit the editor to apply the changes.

References: