Profile Applicability:
Level 1
Description:
The proxy sub-resource of a node in Kubernetes allows users to access node-level services via the Kubernetes API. This check ensures that access to the proxy sub-resource of nodes is restricted to authorized users and service accounts to minimize the risk of unauthorized access to the underlying node's resources.
Rationale:
The proxy sub-resource can be used to expose node-level services to the Kubernetes cluster, potentially allowing unauthorized access to the node's network or control plane. Minimizing access to this sub-resource prevents users from bypassing security controls and reduces the risk of privilege escalation or exposure of sensitive node-level resources.
Impact:
Pros:
Enhances security by limiting the ability to proxy access to node-level services.
Prevents unauthorized users from accessing sensitive node data or performing unauthorized actions on nodes.
Cons:
Some workloads or administrative tasks may require proxy access to nodes, and limiting this access may impact legitimate operational needs.
Requires careful management of RBAC permissions to ensure only trusted users can access the proxy functionality.
Default Value:
By default, access to the proxy sub-resource of nodes is not restricted by Kubernetes, and users with sufficient permissions can use the proxy feature to access node-level services.
Pre-requisites:
Ensure that RBAC (Role-Based Access Control) is enabled and configured to limit access to the proxy sub-resource of nodes. Additionally, Admission Controllers should be configured to enforce these restrictions.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Access Control (IAM) settings to ensure that only trusted users or service accounts have the necessary permissions to use the proxy sub-resource of nodes.
Check if RBAC policies are in place to restrict access to the proxy sub-resource of nodes.
Using Azure CLI:
Use the following command to list the subjects named in RoleBindings across all namespaces, as a starting point for checking who has access to the proxy sub-resource of nodes:
kubectl get rolebindings --all-namespaces -o=jsonpath='{.items[*].subjects[*].name}'
Ensure that RBAC policies are configured to restrict the proxy access to trusted users only.
Use the following command to list the nodes whose proxy sub-resource is in scope (nodes are cluster-scoped, so no namespace flag is needed):
kubectl get nodes -o=jsonpath='{.items[*].metadata.name}'
Verify that only users with the appropriate role bindings can access the node proxy.
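An added example, not part of the original benchmark text: a Python audit that reports which subjects hold nodes/proxy and with which verbs. Nodes are cluster-scoped, so it evaluates ClusterRoles and ClusterRoleBindings, and it goes beyond the exact `nodes/proxy` string to cover the wildcard forms RBAC also matches. The input is a constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`; every role, binding and subject name in it is made up.

```python
import json

# Constructed sample shaped like the output of
# `kubectl get clusterroles,clusterrolebindings -o json`; all names are made up.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "node-debugger"},
  "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "create"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "node-reader"},
  "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/*"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "debuggers"}, "roleRef": {"name": "node-debugger"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "scraper"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"}, "roleRef": {"name": "wide-open"},
  "subjects": [{"kind": "Group", "name": "ops"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"}, "roleRef": {"name": "node-reader"},
  "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")

def proxy_verbs(rule):
    """Return the verbs a policy rule grants on nodes/proxy (empty set if none)."""
    groups, resources = set(rule.get("apiGroups") or []), set(rule.get("resources") or [])
    # RBAC matches "*", the exact "resource/subresource", or "*/subresource";
    # "nodes/*" is not a wildcard form and grants nothing on nodes/proxy.
    if groups & {"", "*"} and resources & {"*", "nodes/proxy", "*/proxy"}:
        return set(rule.get("verbs") or [])
    return set()

def audit(listing):
    """Map each cluster-wide bound subject to the verbs it holds on nodes/proxy."""
    items = listing["items"]
    roles = {i["metadata"]["name"]: set().union(*map(proxy_verbs, i.get("rules") or []))
             for i in items if i["kind"] == "ClusterRole"}
    findings = {}
    for b in items:
        # Nodes are cluster-scoped, so only ClusterRoleBindings can grant this access.
        verbs = roles.get(b.get("roleRef", {}).get("name"), set())
        if b["kind"] != "ClusterRoleBinding" or not verbs:
            continue
        for s in b.get("subjects") or []:
            ns = s.get("namespace")
            who = f'{s["kind"]}:{ns + "/" if ns else ""}{s["name"]}'
            findings.setdefault(who, set()).update(verbs)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Against a live cluster, pass the parsed output of the kubectl command named in the lead-in to `audit()` and compare the result with the list of subjects that are approved for node proxy access.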
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to Kubernetes Services and select your AKS cluster.
Under Access Control (IAM), configure Role-Based Access Control (RBAC) to restrict access to the proxy sub-resource of nodes.
Create custom RBAC roles that limit the ability to use the proxy sub-resource. For example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: node-proxy-restricted
  namespace: <namespace-name>
rules:
- apiGroups: [""]
  resources: ["nodes/proxy"]
  verbs: ["get"]
Assign this role to trusted service accounts or users that need access to the node proxy.
Ensure that only authorized service accounts or users are granted access to proxy sub-resources by using RoleBinding.
Using Azure CLI:
Create a custom RBAC role to restrict access to the proxy sub-resource of nodes:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: node-proxy-restricted
  namespace: <namespace-name>
rules:
- apiGroups: [""]
  resources: ["nodes/proxy"]
  verbs: ["get"]
Apply the role using:
kubectl apply -f node-proxy-restricted-role.yaml
Bind the RBAC role to trusted users or service accounts with a RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: node-proxy-binding
  namespace: <namespace-name>
subjects:
- kind: User # Or "ServiceAccount" (then use apiGroup: "" and add a namespace field)
  name: <user-name>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: node-proxy-restricted
  apiGroup: rbac.authorization.k8s.io
Apply the RoleBinding:
kubectl apply -f node-proxy-binding.yaml
Backout Plan:
Using Azure Console:
If restricting access to the proxy sub-resource of nodes causes issues with legitimate workloads, revert the changes in the Azure portal by modifying or removing the RoleBinding or Role.
Using Azure CLI:
To revert the changes, delete the RoleBinding and Role:
kubectl delete rolebinding node-proxy-binding --namespace=<namespace-name>
kubectl delete role node-proxy-restricted --namespace=<namespace-name>