Secure API Server using authorized IP address ranges

Kubernetes cluster master and node components

API Server receives requests to perform actions. The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize attacks, there is a preview feature in AKS to limit access API server with a set of IP address ranges.

This feature needs Azure CLI version 2.0.61 or later, also, it only works with new AKS clusters. AKS extension has to be installed.

# Install the aks-preview extension

az extension add –name aks-preview

# Update the extension to make sure you have the latest version installed

az extension update –name aks-preview

Register feature

az feature register –name APIServerSecurityPreview –namespace Microsoft.ContainerService

To check if the extension is added.

az –version

To check the feature is registered.

az feature list -o table –query “[?contains(name, ‘Microsoft.ContainerService/APIServerSecurityPreview’)].{Name:name,State:properties.state}”

By default, the API server is assigned a public IP address, and you should control access using role-based access controls (RBAC). To secure access to the otherwise publicly accessible AKS control plane / API server, you can enable and use authorized IP ranges. These authorized IP ranges only allow defined IP address ranges to communicate with the API server. A request made to the API server from an IP address that is not part of these authorized IP ranges is blocked. You should continue to use RBAC to then authorize users and the actions they request.

The idea is to create an Azure firewall, all the nodes traffics are route to azure firewall by default, so the API server only allow the firewall outbound IP access will secure the traffic.

Enable authorized IP ranges:

az aks update \
     –resource-group myResourceGroup \
     –name myAKSCluster \
     –api-server-authorized-ip-ranges 20.42.25.196/32,172.0.0.0/16,168.10.0.0/18

Disable authorized IP range:

az aks update \
     –resource-group myResourceGroup \
     –name myAKSCluster \
     –api-server-authorized-ip-ranges “”

To check the current authorized IP range, please run “az aks show”

Please make sure you have installed required preview extension, otherwise, you can’t see

Annotation 2019-09-02 101712

发表评论

Fill in your details below or click an icon to log in:

WordPress.com 徽标

您正在使用您的 WordPress.com 账号评论。 注销 /  更改 )

Google photo

您正在使用您的 Google 账号评论。 注销 /  更改 )

Twitter picture

您正在使用您的 Twitter 账号评论。 注销 /  更改 )

Facebook photo

您正在使用您的 Facebook 账号评论。 注销 /  更改 )

Connecting to %s