Profile Applicability:

  • Level 2

Description:
 When creating an Azure Kubernetes Service (AKS) cluster, enabling the Private Endpoint and disabling Public Access for the Kubernetes API server is a best practice to ensure that cluster management traffic is routed through a private network, improving the security of the control plane. This check ensures that AKS clusters are created with Private Endpoint enabled and Public Access disabled.

Rationale:
 Using a private endpoint for the AKS control plane ensures that the Kubernetes API is accessible only through a private IP address within the Azure Virtual Network (VNet). This eliminates exposure to the public internet, reducing the risk of unauthorized access and enhancing the overall security of the cluster. Disabling public access ensures that only trusted networks can interact with the Kubernetes control plane.

Impact:

  • Pros:

    • Enhances security by limiting access to the control plane to trusted internal networks.

    • Reduces the attack surface by preventing public internet access to the Kubernetes API.

  • Cons:

    • May require additional network configuration, such as setting up VPNs or peering for remote access.

    • Might introduce operational challenges for accessing the cluster from external or untrusted networks.

Default Value:
 By default, AKS clusters are created with public access enabled for the control plane. To use a private endpoint, it must be explicitly enabled during cluster creation.

Pre-requisites:
 Ensure that your Azure VNet is properly configured for private access to the AKS control plane and that network security groups (NSGs) or other network controls are in place to enforce the access restrictions.

Remediation:

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access Azure Kubernetes Service (AKS).

  2. Review the API server access profile under Networking settings.

  3. Verify that the Private Endpoint is enabled, and Public Access is disabled for the control plane.

Using Azure CLI:

  1. Use the following command to check if the control plane is using a private endpoint and public access is disabled:

    az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "apiServerAccessProfile"

  2. Ensure that the privateCluster field is set to true and publicAccess is set to false.
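The audit step above can be automated across a subscription. The following is an added example (not part of this benchmark) that evaluates the apiServerAccessProfile of every cluster in `az aks list -o json` output; it assumes the field names the current Azure CLI returns (enablePrivateCluster, enablePrivateClusterPublicFqdn) and uses a constructed sample in place of real cluster data.

```python
import json

# Constructed sample resembling `az aks list -o json` output (not real data):
# one compliant private cluster, one default public cluster, and one private
# cluster that still exposes a public FQDN.
SAMPLE_AKS_LIST = json.dumps([
    {"name": "aks-prod", "apiServerAccessProfile": {
        "enablePrivateCluster": True, "enablePrivateClusterPublicFqdn": False,
        "privateDnsZone": "system", "authorizedIpRanges": None}},
    {"name": "aks-dev", "apiServerAccessProfile": None},
    {"name": "aks-test", "apiServerAccessProfile": {
        "enablePrivateCluster": True, "enablePrivateClusterPublicFqdn": True}},
])


def assess_profile(profile):
    """Return a list of findings for one apiServerAccessProfile (empty = compliant).

    Assumes the field names the Azure CLI currently returns:
    enablePrivateCluster and enablePrivateClusterPublicFqdn.
    """
    if not profile:
        # AKS default: no profile means the API server has a public endpoint.
        return ["no apiServerAccessProfile: API server is public (default)"]
    if profile.get("enablePrivateCluster") is not True:
        return ["enablePrivateCluster is not true: API server reachable from the internet"]
    # A missing value is read as public FQDN enabled (the conservative reading).
    if profile.get("enablePrivateClusterPublicFqdn", True):
        return ["private cluster still resolves a public FQDN"]
    return []


def assess_clusters(aks_list_json):
    """Map cluster name -> findings for every cluster in `az aks list` output."""
    return {c["name"]: assess_profile(c.get("apiServerAccessProfile"))
            for c in json.loads(aks_list_json)}


if __name__ == "__main__":
    for name, findings in assess_clusters(SAMPLE_AKS_LIST).items():
        status = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{name}: {status}")
```

To run it against a real subscription, feed the output of `az aks list -o json` to assess_clusters instead of the constructed sample.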

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, create or modify your AKS cluster.

  2. Under Networking settings, enable Private Endpoint for the AKS control plane.

  3. Ensure that Public Access is disabled for the API server to restrict access to the control plane through the private network only.

Using Azure CLI:

  1. To create a new AKS cluster with private endpoint enabled and the public API server FQDN disabled, run the following command:

    az aks create --resource-group <resource-group-name> --name <aks-cluster-name> --enable-private-cluster --disable-public-fqdn

  2. If updating an existing AKS cluster, use the following command to disable public access:

    az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --enable-private-cluster

  3. Verify the settings using:

    az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "apiServerAccessProfile"

Backout Plan:

Using Azure Console:

  1. If enabling the private endpoint causes issues, revert the configuration in the Azure portal by disabling Private Endpoint and enabling Public Access.

Using Azure CLI:

  1. Revert the changes by enabling public access and disabling the private endpoint:

    az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --disable-private-cluster

  2. Verify that public access is enabled using:

    az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "apiServerAccessProfile.publicAccess"
