5.4.2 - Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)

Views:

Profile Applicability: Level 2

Disable access to the Kubernetes API from outside the node network if it is not required.

In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's virtual network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's virtual network.

Although Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling public endpoint will help prevent such threats, and require the attacker to be on the master's virtual network to perform any attack on the Kubernetes API.

Audit

Check for the following to be 'enabled: false':

export CLUSTER_NAME=<your cluster name>
export RESOURCE_GROUP=<your resource group name>
     
az aks show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} 
--query "apiServerAccessProfile.enablePublicFqdn"

This command queries for the enablePublicFqdn property within the apiServerAccessProfile of your AKS cluster. The output will be true if endpointPublicAccess is enabled, allowing access to the AKS cluster API server from the internet. If it's false, endpointPublicAccess is disabled, meaning the API server is not accessible over the internet, which is a common configuration for private clusters.

Check for the following to be 'enabled: true':

az aks show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} 
--query "apiServerAccessProfile.enablePrivateCluster"

This command queries the enablePrivateCluster property within the apiServerAccessProfile of your AKS cluster. If the output is true, it indicates that endpointPrivateAccess is enabled, and the AKS cluster API server is configured to be accessible only via a private endpoint. If the output is false, the cluster is not configured for private access only, and the API server might be accessible over the internet depending on other settings.

Remediation

To use a private endpoint, create a new private endpoint in your virtual network then create a link between your virtual network and a new private DNS zone.