Ensure that you are using authorized IP address ranges to secure access to the API server

In Kubernetes, the API server receives every request to act on the cluster, such as creating resources or scaling the number of nodes; it is the central point for interacting with and managing a cluster. To reduce the attack surface, the API server should be reachable only from a limited set of IP address ranges. Note that authorized IP ranges restrict which source addresses can reach the endpoint at all; authentication and RBAC still apply to every request that gets through, so the two controls complement rather than replace each other.

Risk Level: High
Cloud Entity: Azure AKS
CloudGuard Rule ID: D9.AZU.NET.30
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

AksCluster should have properties.apiServerAccessProfile.authorizedIPRanges

REMEDIATION

API server authorized IP ranges can be set when a cluster is created or added to an existing cluster afterwards (for example with `az aks update --api-server-authorized-ip-ranges`); they are not supported on private AKS clusters, whose API server is reached over a private endpoint instead. Before applying the setting, collect the egress addresses of every workstation, bastion host and CI runner that runs kubectl against the cluster; a list that omits one of them locks that client out of the API server.

To create a cluster with API server authorized IP ranges enabled : https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges?ocid=AID754288&wt.mc_id=CFID0533#create-an-aks-cluster-with-api-server-authorized-ip-ranges-enabled

To update a cluster's API server authorized IP ranges : https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges?ocid=AID754288&wt.mc_id=CFID0533#update-a-clusters-api-server-authorized-ip-ranges
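The following script is an added example (not CloudGuard's or Microsoft's own code) that implements the GSL logic above, `AksCluster should have properties.apiServerAccessProfile.authorizedIPRanges`, over a handful of constructed AKS cluster documents shaped like the relevant part of an ARM resource / `az aks show` output, and prints the `az aks update` command from the remediation steps for each failing cluster. The cluster names, resource groups and IP ranges are placeholders. It goes one step beyond the rule as written: a list whose only entry is `0.0.0.0/0` technically satisfies "has authorizedIPRanges" but allows every source, so the example treats that as a failure too (an added hardening check, not part of the CloudGuard rule), and it reports private clusters as not applicable rather than failing them.

```python
"""Evaluate the CloudGuard rule D9.AZU.NET.30 logic
(AksCluster should have properties.apiServerAccessProfile.authorizedIPRanges)
over AKS cluster JSON and emit the az CLI remediation for failures.

Added example; not CloudGuard's or Azure's own code. The cluster documents
below are constructed for illustration with placeholder names and ranges.
"""
import ipaddress
import json

# Constructed sample input: mirrors the fields the rule reads from an AKS
# resource, but these are not real clusters.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "aks-open", "resourceGroup": "rg-prod",
     "properties": {"apiServerAccessProfile": None}},
    {"name": "aks-restricted", "resourceGroup": "rg-prod",
     "properties": {"apiServerAccessProfile": {
         "authorizedIPRanges": ["203.0.113.0/24", "198.51.100.7/32"]}}},
    {"name": "aks-private", "resourceGroup": "rg-prod",
     "properties": {"apiServerAccessProfile": {"enablePrivateCluster": True}}},
    {"name": "aks-wide-open", "resourceGroup": "rg-dev",
     "properties": {"apiServerAccessProfile": {
         "authorizedIPRanges": ["0.0.0.0/0"]}}},
])


def _access_profile(cluster):
    # Tolerate a missing properties block or a null profile (both seen on
    # clusters created without any API server access settings).
    return (cluster.get("properties") or {}).get("apiServerAccessProfile") or {}


def authorized_ranges(cluster):
    profile = _access_profile(cluster)
    # ARM spells the field authorizedIPRanges; `az aks show` camel-cases it
    # as authorizedIpRanges, so accept either.
    return profile.get("authorizedIPRanges") or profile.get("authorizedIpRanges") or []


def is_private_cluster(cluster):
    return bool(_access_profile(cluster).get("enablePrivateCluster"))


def evaluate(cluster):
    """Return (status, reason); status is PASS, FAIL or NOT_APPLICABLE."""
    if is_private_cluster(cluster):
        return "NOT_APPLICABLE", "private cluster: authorized IP ranges are not supported"
    ranges = authorized_ranges(cluster)
    if not ranges:
        return "FAIL", "apiServerAccessProfile.authorizedIPRanges is missing or empty"
    for cidr in ranges:
        # Added hardening beyond the GSL rule: a /0 entry allows every source.
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return "FAIL", f"range {cidr} permits every source address"
    return "PASS", f"{len(ranges)} authorized range(s) configured"


def remediation_command(cluster, admin_ranges):
    # The az CLI flags are real; admin_ranges is whatever the operator has
    # established as the egress addresses of its admin hosts and CI runners.
    return (f"az aks update --resource-group {cluster['resourceGroup']} "
            f"--name {cluster['name']} "
            f"--api-server-authorized-ip-ranges {','.join(admin_ranges)}")


def audit(clusters_json, admin_ranges):
    """Evaluate every cluster; attach a remediation command to failures."""
    results = []
    for cluster in json.loads(clusters_json):
        status, reason = evaluate(cluster)
        entry = {"name": cluster["name"], "status": status, "reason": reason}
        if status == "FAIL":
            entry["remediation"] = remediation_command(cluster, admin_ranges)
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_CLUSTERS_JSON, ["203.0.113.0/24"]):
        print(f"{r['name']:16} {r['status']:15} {r['reason']}")
        if "remediation" in r:
            print(f"{'':16} remediate: {r['remediation']}")
```

To run this against real subscriptions, replace `SAMPLE_CLUSTERS_JSON` with the output of `az aks list` (one JSON array per subscription); the field names the script reads are the same. The admin ranges passed to `audit` should be the full set of egress addresses that need kubectl access, since the generated `az aks update` command replaces the cluster's existing list rather than appending to it.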

Azure AKS

AKS (Azure Kubernetes Service) is Microsoft Azure's managed Kubernetes offering, generally available since June 2018. It runs upstream open-source Kubernetes with Azure operating the control plane, and is used to deploy, scale and manage containerized applications in a cluster environment.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset