Profile Applicability:
Level 1
Description:
The Kubernetes control plane is responsible for managing the cluster, including scheduling and controlling the state of the workloads. Restricting access to the control plane endpoint ensures that only authorized users or services can interact with the Kubernetes API server. This check ensures that access to the control plane endpoint is limited to trusted sources.
Rationale:
The control plane contains sensitive management functions for the cluster. Allowing unrestricted access to the control plane endpoint increases the risk of unauthorized access, potential configuration changes, and cluster manipulation. By restricting access to trusted IPs or services, you reduce the risk of malicious or accidental interference with the Kubernetes cluster.
Impact:
Pros:
Enhances security by limiting access to the control plane.
Reduces the risk of unauthorized access or attacks on critical cluster components.
Cons:
Requires additional configuration to define allowed IP addresses or networks.
If not correctly configured, it might block legitimate management or operational access.
Default Value:
By default, AKS allows unrestricted access to the Kubernetes API server from any IP address. However, access can be restricted using private clusters or by configuring authorized IP ranges.
Pre-requisites:
Ensure that you are using a private AKS cluster or have a network security group (NSG) or firewall rules in place to restrict access to the control plane endpoint.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the API server access profile settings to ensure that access to the control plane endpoint is restricted to trusted sources.
Check if the AKS cluster is using a private endpoint or a restricted IP range for controlling access to the control plane.
Using Azure CLI:
Use the following command to check if the control plane access is restricted to authorized IP addresses:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "apiServerAccessProfile.authorizedIPRanges"
Ensure that the result lists only trusted IP ranges and contains no catch-all range; an empty result on a public cluster means the API server accepts connections from any IP address.
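The following script automates the CLI check above. It is an added example, not part of the benchmark text: it reads the cluster document that az aks show emits as JSON and judges the apiServerAccessProfile block (private cluster, or a non-empty list of specific authorized ranges, passes; an absent list or a catch-all range fails). The function names, the constructed sample documents and the 203.0.113.0/24 range are assumptions for illustration.

```python
"""Judge an AKS cluster's apiServerAccessProfile (from `az aks show -o json`).
Added example, not part of the benchmark: private cluster or a non-empty list of
specific authorizedIPRanges passes; an empty list or a catch-all range fails."""
import ipaddress
import json
import subprocess
import sys


def evaluate_access_profile(cluster: dict) -> tuple:
    """Return (compliant, findings) for one cluster document."""
    profile = cluster.get("apiServerAccessProfile") or {}
    if profile.get("enablePrivateCluster"):
        return True, ["private cluster: API server has no public endpoint"]
    ranges = profile.get("authorizedIPRanges") or []
    if not ranges:  # AKS default: reachable from any IP address
        return False, ["no authorized IP ranges: API server open to any source"]
    findings, compliant = [], True
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"unparseable range {cidr!r}")
            compliant = False
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 allows the whole Internet
            findings.append(f"catch-all range {cidr} permits every source address")
            compliant = False
    if compliant:
        findings.append(f"restricted to {len(ranges)} authorized range(s)")
    return compliant, findings


def check_cluster(resource_group: str, name: str) -> bool:
    """Fetch the cluster with the Azure CLI (requires `az login`) and evaluate it."""
    cmd = ["az", "aks", "show", "--resource-group", resource_group,
           "--name", name, "--output", "json"]
    compliant, findings = evaluate_access_profile(json.loads(subprocess.check_output(cmd)))
    for line in findings:
        print("PASS" if compliant else "FAIL", line)
    return compliant


# Constructed sample documents (same shape as `az aks show` output) for offline use.
SAMPLE_UNRESTRICTED = {"apiServerAccessProfile": None}
SAMPLE_RESTRICTED = {"apiServerAccessProfile": {"authorizedIPRanges": ["203.0.113.0/24"]}}

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_aks_api_access.py <resource-group> <cluster-name>")
    sys.exit(0 if check_cluster(sys.argv[1], sys.argv[2]) else 1)
```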
Implementation Plan:
Using Azure Console:
In the Azure portal, go to Azure Kubernetes Service (AKS) and access the API server access profile.
Enable Private Cluster mode to restrict access to the Kubernetes API server to a private IP address.
Under API Server Access, specify authorized IP ranges that can access the control plane.
Apply network security rules (NSGs or firewall rules) to restrict access to the Kubernetes API server endpoint to the specified IPs.
Using Azure CLI:
Create a private AKS cluster to restrict access to the control plane endpoint by running:
az aks create --resource-group <resource-group-name> --name <aks-cluster-name> --enable-private-cluster
Alternatively, restrict access to the control plane by specifying allowed IP ranges:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --api-server-authorized-ip-ranges <ip-range-1>,<ip-range-2>
Verify that the update was applied by running:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "apiServerAccessProfile.authorizedIPRanges"
Backout Plan:
Using Azure Console:
If restricting access to the control plane causes operational issues, revert the configuration in the Azure portal by allowing broader access or switching back to a public cluster.
Using Azure CLI:
Revert the access settings by removing the IP range restrictions:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --api-server-authorized-ip-ranges ""
If using a private cluster, you can revert to a public one by running:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --enable-public-cluster