Disable Kubernetes Dashboard for ACK Clusters


Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-ACK-004

Ensure that Kubernetes Dashboard (Dashboard WebUI) is disabled for your ACK clusters in order to enhance cluster security and prevent potential attack vectors. The Kubernetes Dashboard is a web-based user interface (UI) that provides a visual representation and management capabilities for Kubernetes clusters. It allows users to monitor and interact with the resources within the cluster, such as pods, deployments, and services, through a graphical interface rather than using command-line tools.

Security

It's generally recommended to disable the Kubernetes Dashboard when running on ACK clusters due to its security vulnerabilities and the potential for privilege escalation if compromised. The Kubernetes Dashboard runs with a highly privileged Kubernetes service account, granting it access to sensitive cluster resources. This makes it a prime target for attackers seeking to gain unauthorized control over the cluster.


Audit

To determine the Kubernetes Dashboard status for your ACK clusters, perform the following operations:

Getting Kubernetes Dashboard status and configuration information via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Applications, choose Helm to view the applications deployed on the selected cluster.

06 In the Helm section, check the Chart Name and Status columns for each deployed application. If kubernetes-dashboard is listed in the Chart Name column and the kubernetes-dashboard application status is set to Deployed in the Status column, the Kubernetes Dashboard is enabled for the selected ACK cluster.

07 Repeat steps no. 4 – 6 for each Container Service for Kubernetes (ACK) cluster available within your Alibaba Cloud account.
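
The check in step 06 can also be scripted for clusters you can reach with a kubeconfig. The following is an added example, not part of the original rule page or of Conformity's own tooling: it parses the JSON output of `helm list` and reports releases whose chart is kubernetes-dashboard with status deployed. It assumes Helm v3 is installed and that the console's Helm page reflects the cluster's Helm releases; the `audit_context` helper and the sample data are constructed for illustration.

```python
import json
import re
import subprocess

# Helm reports the chart as "<name>-<version>", e.g. "kubernetes-dashboard-6.0.8".
CHART_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d+\.\d+\.\d+.*)$")
TARGET_CHART = "kubernetes-dashboard"  # chart name from step 06 of the audit


def dashboard_releases(helm_json: str) -> list[dict]:
    """Return releases whose chart is kubernetes-dashboard and status is deployed."""
    findings = []
    for rel in json.loads(helm_json) or []:
        m = CHART_RE.match(rel.get("chart", ""))
        chart_name = m.group("name") if m else rel.get("chart", "")
        if chart_name == TARGET_CHART and rel.get("status", "").lower() == "deployed":
            findings.append({"release": rel["name"], "namespace": rel["namespace"],
                             "chart": rel["chart"]})
    return findings


def audit_context(kube_context: str) -> list[dict]:
    """Run the check against one cluster (hypothetical helper; needs helm v3)."""
    out = subprocess.run(
        ["helm", "list", "--all-namespaces", "--output", "json",
         "--kube-context", kube_context],
        check=True, capture_output=True, text=True).stdout
    return dashboard_releases(out)


# Constructed sample of `helm list -A -o json` output (not from a real cluster).
SAMPLE = json.dumps([
    {"name": "kubernetes-dashboard", "namespace": "kube-system",
     "status": "deployed", "chart": "kubernetes-dashboard-6.0.8"},
    {"name": "dash-old", "namespace": "test",
     "status": "failed", "chart": "kubernetes-dashboard-5.11.0"},
    {"name": "dash-proxy", "namespace": "tools",  # similar name, different chart
     "status": "deployed", "chart": "kubernetes-dashboard-proxy-1.0.0"},
    {"name": "ingress", "namespace": "kube-system",
     "status": "deployed", "chart": "ingress-nginx-4.7.1"},
])

if __name__ == "__main__":
    for f in dashboard_releases(SAMPLE):
        print(f"ENABLED: {f['release']} ({f['chart']}) in namespace {f['namespace']}")
```

Calling `audit_context` once per kubeconfig context covers the repetition in step 07; an empty result means no deployed kubernetes-dashboard release was found in that cluster.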

Remediation / Resolution

To disable Kubernetes Dashboard (Dashboard WebUI) for your ACK clusters, perform the following operations:

Disabling Kubernetes Dashboard via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to configure, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Applications, choose Helm to view the applications deployed on the selected cluster.

06 Choose the kubernetes-dashboard application from the Helm section and select Delete to disable Kubernetes Dashboard for the selected ACK cluster. In the Delete confirmation box, select Clear Release Records, and choose OK to apply the changes.

07 Repeat steps no. 4 – 6 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Publication date Feb 21, 2024