C-0252 - Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
Prerequisites
Run Kubescape with host sensor
Framework
cis-aks-t1.2.0
Severity
High
Description of the issue
In a private cluster, the master node has two endpoints, a private one and a public one. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's virtual network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's virtual network.
Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling the public endpoint helps prevent such threats and requires the attacker to be on the master's virtual network to perform any attack on the Kubernetes API.
Related resources
What does this control test
Whether access to the Kubernetes API from outside the master's virtual network is disabled where it is not required.
How to check it manually
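As an added example (not part of this Kubescape control page or the Kubescape project), the Python below evaluates the control against the JSON that `az aks show -g <rg> -n <name> -o json` prints for one cluster. It reads `apiServerAccessProfile.enablePrivateCluster`, `apiServerAccessProfile.enablePrivateClusterPublicFqdn` (the camelCase spelling the az CLI emits; the ARM spelling `enablePrivateClusterPublicFQDN` is accepted as well) and `apiServerAccessProfile.authorizedIpRanges`. The three input documents are constructed, not captured from real clusters, and the field names and the `az aks update --disable-public-fqdn` remediation come from Azure's documented AKS behaviour, not from this page.

```python
"""Evaluate an AKS cluster's API-server exposure from `az aks show -o json` output."""
import json
from typing import Any, Dict, List

# Constructed sample documents (not captured from real clusters), shaped like the
# JSON that `az aks show -g <rg> -n <name> -o json` prints; only the fields the
# check reads are present.
SAMPLE_PUBLIC_CLUSTER = json.dumps({
    "name": "aks-public",
    # Public API server, narrowed to one CIDR but still reachable from the Internet.
    "apiServerAccessProfile": {"authorizedIpRanges": ["203.0.113.0/24"]},
})
SAMPLE_PRIVATE_WITH_PUBLIC_FQDN = json.dumps({
    "name": "aks-private-fqdn",
    "apiServerAccessProfile": {
        "enablePrivateCluster": True,
        "enablePrivateClusterPublicFqdn": True,   # created without --disable-public-fqdn
        "privateDnsZone": "system",
    },
})
SAMPLE_PRIVATE_NO_PUBLIC_FQDN = json.dumps({
    "name": "aks-private",
    "apiServerAccessProfile": {
        "enablePrivateCluster": True,
        "enablePrivateClusterPublicFqdn": False,
        "privateDnsZone": "system",
    },
})

# az CLI emits camelCase; the ARM API spells the same property with FQDN.
PUBLIC_FQDN_KEYS = ("enablePrivateClusterPublicFqdn", "enablePrivateClusterPublicFQDN")


def evaluate_api_server_exposure(cluster_json: str) -> Dict[str, Any]:
    """Assess C-0252 for one cluster document and return structured findings.

    The control passes only when the API server has a private endpoint AND the
    cluster does not publish a public FQDN for it.
    """
    cluster = json.loads(cluster_json)
    # A public cluster may have no apiServerAccessProfile at all (null in the JSON).
    profile: Dict[str, Any] = cluster.get("apiServerAccessProfile") or {}

    private_endpoint = bool(profile.get("enablePrivateCluster", False))
    if private_endpoint:
        # For a private cluster AKS publishes a public FQDN unless it was created
        # or updated with --disable-public-fqdn; a missing key means that default.
        key = next((k for k in PUBLIC_FQDN_KEYS if k in profile), None)
        public_fqdn_published = True if key is None else bool(profile[key])
    else:
        public_fqdn_published = True  # a public cluster's FQDN is public by definition
    authorized_ranges: List[str] = profile.get("authorizedIpRanges") or []

    findings: List[str] = []
    if not private_endpoint:
        findings.append("API server has no private endpoint (enablePrivateCluster is not true)")
        if authorized_ranges:
            findings.append(
                f"public endpoint is limited to authorized IP ranges {authorized_ranges}, "
                "which narrows but does not remove public exposure"
            )
    elif public_fqdn_published:
        findings.append(
            "cluster is private but still publishes a public FQDN "
            "(remediate with: az aks update -g <rg> -n <name> --disable-public-fqdn)"
        )

    return {
        "cluster": cluster.get("name"),
        "private_endpoint_enabled": private_endpoint,
        "public_fqdn_published": public_fqdn_published,
        "authorized_ip_ranges": authorized_ranges,
        "passed": private_endpoint and not public_fqdn_published,
        "findings": findings,
    }


if __name__ == "__main__":
    for doc in (SAMPLE_PUBLIC_CLUSTER, SAMPLE_PRIVATE_WITH_PUBLIC_FQDN, SAMPLE_PRIVATE_NO_PUBLIC_FQDN):
        result = evaluate_api_server_exposure(doc)
        status = "PASS" if result["passed"] else "FAIL"
        print(f"{result['cluster']:<18} {status}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Against a live subscription, feed the function the output of `az aks show -g <rg> -n <name> -o json`; a result with `passed` true corresponds to a cluster created with `az aks create --enable-private-cluster --disable-public-fqdn`, or updated afterwards with `az aks update --disable-public-fqdn`. Authorized IP ranges are reported separately because they reduce, but do not eliminate, the public exposure this control is concerned with.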
Remediation
To use a private endpoint, create a new private endpoint in your virtual network, then create a link between your virtual network and a new private DNS zone so that the API server name resolves to the private endpoint.
Impact Statement
Default Value
Example
No example