C-0248 - Ensure clusters are created with Private Nodes
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-aks-t1.2.0
Severity
High
Description of the the issue
Disabling public IP addresses on cluster nodes restricts access to only internal networks, forcing attackers to obtain local network access before attempting to compromise the underlying Kubernetes hosts.
Related resources
What does this control test
Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses.
How to check it manually
Remediation
az aks create \
--resource-group <private-cluster-resource-group> \
--name <private-cluster-name> \
--load-balancer-sku standard \
--enable-private-cluster \
--network-plugin azure \
--vnet-subnet-id <subnet-id> \
--docker-bridge-address \
--dns-service-ip \
--service-cidr
Where --enable-private-cluster
is a mandatory flag for a private cluster.
Impact Statement
To enable Private Nodes, the cluster has to also be configured with a private master IP range and IP Aliasing enabled.
Private Nodes do not have outbound access to the public internet. If you want to provide outbound Internet access for your private nodes, you can use Cloud NAT or you can manage your own NAT gateway.
Default Value
Example
No example
Updated 9 days ago