
Secure Access to Kubernetes API Server Using Authorized IP Address Ranges

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Azure Kubernetes Service (AKS) clusters are configured to use the API Server Authorized IP Address Ranges feature in order to limit which IP addresses and CIDRs can access the Kubernetes control plane.

Security

The Kubernetes API server serves as the central component of the Kubernetes control plane, enabling you to effectively interact with and administer your clusters. To enhance cluster security and mitigate the possibility of attacks, we strongly recommend restricting the IP address ranges that can connect to the Kubernetes API server.

Audit

To determine if the access to the Kubernetes API server is restricted within your AKS clusters configuration, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Kubernetes service and choose Apply to list the Azure Kubernetes Service (AKS) clusters available in the selected subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings configured for the selected AKS cluster.

07 Under Security, check the Set authorized IP ranges configuration setting. If the Set authorized IP ranges setting checkbox is not selected, the feature is disabled, therefore the selected Azure Kubernetes Service (AKS) cluster is not configured to secure access to the Kubernetes API server using authorized IP address ranges.

08 Repeat steps no. 5 – 7 for each AKS cluster provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run aks list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the current subscription:

az aks list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested AKS cluster names:

Name                     ResourceGroup
----------------------   ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

03 Run aks show command (Windows/macOS/Linux) using the name of the AKS cluster that you want to examine and its associated resource group as the identifier parameters to describe the IP address range authorized to access the Kubernetes API server, configured for the selected AKS cluster:

az aks show \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --query 'apiServerAccessProfile.authorizedIpRanges'

The aks show command output should return the authorized IP address range configured for the AKS cluster. If the command does not produce an output, the selected Azure Kubernetes Service (AKS) cluster is not configured to secure access to the Kubernetes API server using authorized IP address ranges.

04 Repeat step no. 3 for each AKS cluster available within the current Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
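The CLI audit above can be applied to many clusters at once by feeding the JSON that `az aks show` prints for each cluster to a small checker. The following Python script is an added example, not part of this Conformity article or of Azure's tooling; it runs on constructed sample documents shaped like the `az aks show` output and reads only the `name`, `resourceGroup` and `apiServerAccessProfile` fields. It also covers two states the walkthrough does not call out: a range list that exists but is empty, and a list containing `0.0.0.0/0`, which authorizes every address and so leaves the API server effectively unrestricted. Private clusters (`enablePrivateCluster: true`) are reported as a separate status because their API server has no public endpoint; treating them as outside the scope of this check is an assumption of the example.

```python
import ipaddress
import json

# Constructed sample documents in the shape of `az aks show` output, trimmed to the
# fields this check reads. They are illustrative only, not captured from a real subscription.
SAMPLE_SHOW_OUTPUTS = [
    # Feature never enabled: the whole access profile is null (the state the article's audit flags)
    '{"name": "cluster-a", "resourceGroup": "rg-1", "apiServerAccessProfile": null}',
    # Feature enabled but the range list is empty
    '{"name": "cluster-b", "resourceGroup": "rg-1", '
    '"apiServerAccessProfile": {"authorizedIpRanges": [], "enablePrivateCluster": null}}',
    # Range list present but it authorizes every address
    '{"name": "cluster-c", "resourceGroup": "rg-2", '
    '"apiServerAccessProfile": {"authorizedIpRanges": ["0.0.0.0/0"], "enablePrivateCluster": null}}',
    # Properly restricted (203.0.113.0/24 is a documentation range used as a placeholder)
    '{"name": "cluster-d", "resourceGroup": "rg-2", '
    '"apiServerAccessProfile": {"authorizedIpRanges": ["203.0.113.0/24"], "enablePrivateCluster": null}}',
    # Private cluster: no public API endpoint, so authorized IP ranges do not apply
    '{"name": "cluster-e", "resourceGroup": "rg-3", '
    '"apiServerAccessProfile": {"authorizedIpRanges": null, "enablePrivateCluster": true}}',
]

NONCOMPLIANT_STATUSES = {"UNRESTRICTED", "OPEN_TO_WORLD"}


def classify_api_server_access(cluster):
    """Classify one cluster document (dict parsed from `az aks show`).

    Returns one of:
      PRIVATE        - private cluster, feature not applicable (assumption: out of scope)
      UNRESTRICTED   - profile missing/null or range list empty: anyone can reach the API server
      OPEN_TO_WORLD  - range list contains a /0 prefix, which authorizes every address
      RESTRICTED     - at least one range, none of them /0
    """
    profile = cluster.get("apiServerAccessProfile") or {}
    if profile.get("enablePrivateCluster"):
        return "PRIVATE"
    ranges = profile.get("authorizedIpRanges") or []
    if not ranges:
        return "UNRESTRICTED"
    for entry in ranges:
        # strict=False accepts host bits set, e.g. "10.0.15.30/24"; a bare address parses as /32
        if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
            return "OPEN_TO_WORLD"
    return "RESTRICTED"


def audit(show_outputs):
    """Parse each `az aks show` JSON document and return (name, resourceGroup, status) tuples."""
    return [
        (doc["name"], doc["resourceGroup"], classify_api_server_access(doc))
        for doc in map(json.loads, show_outputs)
    ]


def noncompliant(show_outputs):
    """Only the clusters that fail this check."""
    return [row for row in audit(show_outputs) if row[2] in NONCOMPLIANT_STATUSES]


if __name__ == "__main__":
    for name, resource_group, status in audit(SAMPLE_SHOW_OUTPUTS):
        print(f"{name:10} {resource_group:6} {status}")
```

In a real session the list would be built by running `az aks show --output json` for every name and resource group returned by the `az aks list` query above, once per subscription, and passing the captured text to `audit`.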

Remediation / Resolution

To secure access to the Kubernetes API server using authorized IP address ranges, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Kubernetes service and choose Apply to list the Azure Kubernetes Service (AKS) clusters available in the selected subscription.

05 Click on the name (link) of the AKS cluster that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings configured for the selected AKS cluster.

07 Under Security, select the Set authorized IP ranges setting checkbox to enable the API Server Authorized IP Address Ranges feature.

08 For Specify IP ranges, provide an IPv4 address range using CIDR notation (e.g. 10.0.15.0/24), or an IP address (e.g. 10.0.15.30). You can also provide a comma-separated list of IP addresses or address ranges.

09 Choose Apply to save the configuration changes.

10 Repeat steps no. 5 – 9 for each AKS cluster provisioned in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run aks update command (Windows/macOS/Linux) using the name of the cluster that you want to configure and its resource group as the identifier parameters, to update the API server authorized IP ranges for the selected AKS cluster. You can also use the 0.0.0.0/32 CIDR when configuring the --api-server-authorized-ip-ranges parameter to allow only the public IP of the Standard SKU load balancer:

az aks update \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --api-server-authorized-ip-ranges 10.0.15.0/24

02 Once the update process is completed, the command output should return the information available for the modified AKS cluster:

{
	"aadProfile": {
		"adminGroupObjectIds": [
			"abcd1234-abcd-1234-abcd-1234abcd1234"
		],
		"clientAppId": null,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd"
	},
	"autoUpgradeProfile": {
		"upgradeChannel": "none"
	},
	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
		"type": "SystemAssigned",
		"userAssignedIdentities": null
	},
	"azureMonitorProfile": null,
	"currentKubernetesVersion": "1.26.3",
	"disableLocalAccounts": false,
	"diskEncryptionSetId": null,
	"dnsPrefix": "cc-project5-aks-cluster-dns",
	"enablePodSecurityPolicy": null,
	"enableRbac": true,
	"extendedLocation": null,
	"fqdn": "cc-project5-aks-cluster-dns-abcd1234.hcp.westeurope.azmk8s.io",
	"fqdnSubdomain": null,
	"httpProxyConfig": null,
	"kubernetesVersion": "1.26.3",
	"linuxProfile": null,
	"location": "westeurope",
	"maxAgentPools": 100,
	"name": "cc-project5-aks-cluster",
	"nodeResourceGroup": "MC_cloud-shell-storage-westeurope_cc-project5-aks-cluster_westeurope",
	"oidcIssuerProfile": {
		"enabled": false,
		"issuerUrl": null
	},
	"apiServerAccessProfile": {
		"authorizedIpRanges": [
			"10.0.15.0/24"
		],
		"disableRunCommand": null,
		"enablePrivateCluster": null,
		"enablePrivateClusterPublicFqdn": null,
		"privateDnsZone": null
	},
	"podIdentityProfile": null,
	"powerState": {
		"code": "Running"
	},
	"privateFqdn": null,
	"privateLinkResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"securityProfile": {
		"azureKeyVaultKms": null,
		"defender": null,
		"imageCleaner": null,
		"workloadIdentity": null
	},
	"servicePrincipalProfile": {
		"clientId": "msi",
		"secret": null
	},
	"sku": {
		"name": "Base",
		"tier": "Free"
	},
	"storageProfile": {
		"blobCsiDriver": null,
		"diskCsiDriver": {
			"enabled": true
		},
		"fileCsiDriver": {
			"enabled": true
		},
		"snapshotController": {
			"enabled": true
		}
	},
	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null
	}
}

03 Repeat steps no. 1 and 2 for each Azure Kubernetes Service cluster that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
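Before running `az aks update`, it is worth validating the range list, because a wrong list either authorizes everyone or cuts off the session that applied it. The following Python helper is an added example, not code from this article or from the Azure CLI. It normalizes and merges the requested entries with the standard-library `ipaddress` module, rejects IPv6 entries and `0.0.0.0/0`, keeps the AKS `0.0.0.0/32` sentinel from step 1 verbatim (it authorizes only the cluster load balancer's public IP, so it does not cover an operator's workstation), refuses a list that does not contain the operator's own egress address, and returns the `az aks update` argument vector. The cluster name and resource group are the ones used in this article; the addresses are constructed documentation-range placeholders.

```python
import ipaddress

# AKS sentinel value: authorizes only the public IP of the cluster's Standard SKU load balancer
LB_ONLY_SENTINEL = ipaddress.ip_network("0.0.0.0/32")


def normalize_ranges(ranges):
    """Parse entries given as CIDR or single address, enforce IPv4, refuse a /0 prefix,
    and merge duplicates and overlapping networks. Returns sorted CIDR strings."""
    nets = []
    for entry in ranges:
        # strict=False tolerates host bits; a bare address such as "10.0.15.30" becomes /32
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"{entry}: AKS authorized IP ranges must be IPv4")
        if net.prefixlen == 0:
            raise ValueError(f"{entry}: authorizes every address, refusing")
        nets.append(net)
    # collapse_addresses dedups, merges adjacent/contained networks and returns them sorted
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def operator_covered(cidrs, operator_ip):
    """True if operator_ip falls inside an authorized range other than the sentinel.
    The sentinel only admits traffic arriving via the cluster's own load balancer IP,
    so it does not keep a workstation session connected."""
    ip = ipaddress.ip_address(operator_ip)
    return any(ip in net for net in map(ipaddress.ip_network, cidrs) if net != LB_ONLY_SENTINEL)


def build_update_command(name, resource_group, ranges, operator_ip):
    """Validate the range list and return the argv for `az aks update`."""
    cidrs = normalize_ranges(ranges)
    if not operator_covered(cidrs, operator_ip):
        raise ValueError(
            f"operator address {operator_ip} is not in {cidrs}; applying this would lock you out"
        )
    return [
        "az", "aks", "update",
        "--name", name,
        "--resource-group", resource_group,
        "--api-server-authorized-ip-ranges", ",".join(cidrs),
    ]


if __name__ == "__main__":
    # Constructed input: article's cluster identifiers, documentation-range addresses.
    argv = build_update_command(
        "cc-project5-aks-cluster",
        "cloud-shell-storage-westeurope",
        ["203.0.113.0/24", "203.0.113.40", "0.0.0.0/32"],
        operator_ip="203.0.113.40",
    )
    print(" ".join(argv))
```

In an automation job the returned list can be handed directly to `subprocess.run`; the operator's egress address is normally obtained from whatever the organization uses for that purpose (a fixed VPN or NAT gateway address is the usual case) rather than hard-coded.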

Publication date Aug 9, 2023