C-0248 - Ensure clusters are created with Private Nodes

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-aks-t1.2.0

Severity

High

Description of the the issue

Disabling public IP addresses on cluster nodes restricts access to only internal networks, forcing attackers to obtain local network access before attempting to compromise the underlying Kubernetes hosts.

Related resources

What does this control test

Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses.

How to check it manually

Remediation

az aks create \
--resource-group <private-cluster-resource-group> \
--name <private-cluster-name> \
--load-balancer-sku standard \
--enable-private-cluster \
--network-plugin azure \
--vnet-subnet-id <subnet-id> \
--docker-bridge-address \
--dns-service-ip \
--service-cidr 

Where --enable-private-cluster is a mandatory flag for a private cluster.

Impact Statement

To enable Private Nodes, the cluster has to also be configured with a private master IP range and IP Aliasing enabled.

Private Nodes do not have outbound access to the public internet. If you want to provide outbound Internet access for your private nodes, you can use Cloud NAT or you can manage your own NAT gateway.

Default Value

Example

No example