Ensure that Azure Kubernetes Service (AKS) clusters are configured to use the API Server Authorized IP Address Ranges feature in order to limit which IP addresses and CIDRs can access the Kubernetes control plane.
The Kubernetes API server serves as the central component of the Kubernetes control plane, enabling you to effectively interact with and administer your clusters. To enhance cluster security and mitigate the possibility of attacks, we strongly recommend restricting the IP address ranges that can connect to the Kubernetes API server.
Audit
To determine whether access to the Kubernetes API server is restricted in your AKS cluster configuration, perform the following actions:
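One way to script this check over the JSON that `az aks list --output json` returns. This is an added example, not part of the original page: the cluster names and addresses in the sample are constructed, and treating private clusters as not applicable and a `/0` range as a failure are assumptions of the example.

```python
"""Audit `az aks list --output json` for API server authorized IP ranges."""
import ipaddress
import json
import sys

# Constructed sample shaped like `az aks list --output json` (names are made up).
SAMPLE = json.loads("""[
  {"name": "aks-open", "resourceGroup": "rg-demo",
   "apiServerAccessProfile": null},
  {"name": "aks-wide", "resourceGroup": "rg-demo",
   "apiServerAccessProfile": {"authorizedIpRanges": ["0.0.0.0/0"]}},
  {"name": "aks-ok", "resourceGroup": "rg-demo",
   "apiServerAccessProfile": {"authorizedIpRanges": ["203.0.113.0/24", "198.51.100.7/32"]}},
  {"name": "aks-private", "resourceGroup": "rg-demo",
   "apiServerAccessProfile": {"enablePrivateCluster": true, "authorizedIpRanges": null}}
]""")


def classify(cluster):
    """Return (status, detail) for one cluster object."""
    profile = cluster.get("apiServerAccessProfile") or {}
    if profile.get("enablePrivateCluster"):
        # Assumption: a private cluster has no public API endpoint to restrict.
        return "NOT_APPLICABLE", "private cluster"
    ranges = profile.get("authorizedIpRanges") or []
    if not ranges:
        return "FAIL", "no authorized IP ranges; API server reachable from any address"
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return "FAIL", f"unparseable range {cidr!r}"
        if net.prefixlen == 0:
            # Assumption: a /0 entry is treated as equivalent to no restriction.
            return "FAIL", f"{cidr} matches every address"
    return "PASS", ", ".join(ranges)


def audit(clusters):
    """Map 'resourceGroup/name' to its (status, detail) result."""
    return {f"{c['resourceGroup']}/{c['name']}": classify(c) for c in clusters}


if __name__ == "__main__":
    # Usage: az aks list --output json | python audit_aks.py  (no pipe: uses SAMPLE)
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit(data)
    for cluster_id, (status, detail) in results.items():
        print(f"{status:<15}{cluster_id}: {detail}")
    sys.exit(1 if any(s == "FAIL" for s, _ in results.values()) else 0)
```

The non-zero exit status on any `FAIL` lets the script gate a scheduled job or pipeline stage.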
Remediation / Resolution
To secure access to the Kubernetes API server using authorized IP address ranges, perform the following actions: