Restrict access to AKS API server endpoints#
Security · Azure Kubernetes Service · 2021_06
Restrict access to API server endpoints to authorized IP addresses.
Description#
In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities.
All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges.
Restricting authorized IP addresses for the API server as the following limitations:
- Requires AKS clusters configured with a Standard Load Balancer SKU.
- This feature is not compatible with clusters that use Public IP per Node.
When configuring this feature you must specify the IP address ranges that will be authorized.
To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32.
Recommendation#
Consider restricting network traffic to the API server endpoints to trusted IP addresses. Include output IP addresses for cluster nodes and any range where administration will occur from.
Examples#
Configure with Azure CLI#
az aks update -n '<name>' -g '<resource_group>' --api-server-authorized-ip-ranges '0.0.0.0/32'
Links#
- Network security
- Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)
- Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)
- Azure deployment reference