C-0247 - Restrict Access to the Control Plane Endpoint

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-aks-t1.2.0

Severity

High

Description of the the issue

Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your cluster's control plane. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your cluster's control plane from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network.

Restricting access to an authorized network can provide additional security benefits for your container cluster, including:

  • Better protection from outsider attacks: Authorized networks provide an additional layer of security by limiting external access to a specific set of addresses you designate, such as those that originate from your premises. This helps protect access to your cluster in the case of a vulnerability in the cluster's authentication or authorization mechanism.
  • Better protection from insider attacks: Authorized networks help protect your cluster from accidental leaks of master certificates from your company's premises. Leaked certificates used from outside Azure virtual machines and outside the authorized IP ranges (for example, from addresses outside your company) are still denied access.

Related resources

What does this control test

Enable Endpoint Private Access to restrict access to the cluster's control plane to only an allowlist of authorized IPs.

How to check it manually

Remediation

Impact Statement

When implementing Endpoint Private Access, be careful to ensure all desired networks are on the allowlist (whitelist) to prevent inadvertently blocking external access to your cluster's control plane.

Limitations
IP authorized ranges can't be applied to the private api server endpoint, they only apply to the public API server
Availability Zones are currently supported for certain regions.
Azure Private Link service limitations apply to private clusters.
No support for Azure DevOps Microsoft-hosted Agents with private clusters. Consider to use Self-hosted Agents.
For customers that need to enable Azure Container Registry to work with private AKS, the Container Registry virtual network must be peered with the agent cluster virtual network.

Default Value

By default, Endpoint Private Access is disabled.

Example

No example