Views:
Profile Applicability: Level 1
Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses.
Disabling public IP addresses on cluster nodes restricts access to only internal networks, forcing attackers to obtain local network access before attempting to compromise the underlying Kubernetes hosts.

Impact

To enable Private Nodes, the cluster has to also be configured with a private master IP range and IP Aliasing enabled.
Private Nodes do not have outbound access to the public internet. If you want to provide outbound Internet access for your private nodes, you can use Cloud NAT or you can manage your own NAT gateway.

Audit

Check for the following to be 'enabled: true':
export CLUSTER_NAME=<your cluster name>
export RESOURCE_GROUP=<your resource group name> 

az aks show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} 
--query "apiServerAccessProfile.enablePrivateCluster"

Remediation

az aks create \
--resource-group <private-cluster-resource-group> \
--name <private-cluster-name> \
--load-balancer-sku standard \
--enable-private-cluster \
--network-plugin azure \
--vnet-subnet-id <subnet-id> \
--docker-bridge-address \
--dns-service-ip \
--service-cidr
Where --enable-private-cluster is a mandatory flag for a private cluster.