Disable Public Access to Kubernetes API Server

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: AlibabaCloud-ACK-008

Ensure that your ACK cluster's API server is not publicly accessible, to avoid exposing private data and to minimize security risks. The appropriate level of access to the Kubernetes API server depends on your application use case; for most use cases, however, the API server should be reachable only from within your Virtual Private Cloud (VPC).

Security

If the Kubernetes API server has a public endpoint (a public IP/EIP), any host on the Internet can reach it. TLS and authentication still apply, but the endpoint is then exposed to scanning and brute-force traffic, to misuse of leaked or stolen kubeconfig credentials, and to any vulnerability in the API server itself. Restricting the API server of your ACK cluster to the VPC (with access over a VPN or a bastion host where remote administration is required) is a security best practice that reduces the cluster's exposure to unauthorized access.


Audit

To determine if your ACK cluster's API server is publicly accessible, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under the cluster name, choose Cluster information.

06 Choose the Basic Information tab and check the API server Public Endpoint attribute value to determine if the API server is configured with a public IP/EIP. If the API server Public Endpoint attribute has no value, the API server is private. If API server Public Endpoint shows a public IP/EIP, e.g. https://xxx.xxx.xxx.xxx:6443, the cluster's API server is publicly accessible.

07 Repeat steps no. 4 – 6 for each Container Service for Kubernetes (ACK) cluster available within your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the GET /clusters command (OSX/Linux/UNIX) to describe the configuration details for each Container Service for Kubernetes (ACK) cluster provisioned in your Alibaba Cloud account:

aliyun cs GET /clusters \
  --header "Content-Type=application/json;" \
  --body "{}"

02 The command output should return the configuration information for each ACK cluster (including the API server endpoints):

[
	{
		"cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T17:44:26+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"updated": "2024-02-05T17:46:49+08:00",
		"zone_id": "eu-west-1a",

		...

		"master_url": "{\"api_server_endpoint\":\"https://xxx.xxx.xxx.xxx:6443\",\"intranet_api_server_endpoint\":\"https://172.23.38.230:6443\"}"
	},
	{
		"cluster_id": "1234abcd1234abcd1234abcd1234abcd1",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-02-05T16:40:31+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"subnet_cidr": "10.65.0.0/16",
		"updated": "2024-02-05T16:42:53+08:00",
		"zone_id": "eu-west-1a",

		...

		"master_url": "{\"api_server_endpoint\":\"https://xxx.xxx.xxx.xxx:6443\",\"intranet_api_server_endpoint\":\"https://172.23.38.230:6443\"}"
	}
]

Check the "api_server_endpoint" value inside the "master_url" attribute for each provisioned ACK cluster to determine if the API server is configured with a public IP/EIP. Note that "master_url" is itself a JSON document returned as a string, so it has to be decoded before the "api_server_endpoint" key can be read. If "api_server_endpoint" is empty, the API server is private; if it is set to a public IP/EIP, e.g. https://xxx.xxx.xxx.xxx:6443, the cluster's API server is publicly accessible. The "intranet_api_server_endpoint" value is the VPC-internal endpoint and is always present.

Remediation / Resolution

To disable public network access to your ACK cluster's API server, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to configure, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under the cluster name, choose Cluster information.

06 Select the Basic Information tab and choose Disassociate EIP next to API server Public Endpoint to disassociate the public IP/EIP from your Kubernetes API server. Choose Confirm to apply the changes. The API server restarts after you disassociate the public IP/EIP. Once the EIP is disassociated, the API server can no longer be accessed over the Internet; any kubeconfig file, CI/CD pipeline, or tool that used the public endpoint must be switched to the intranet endpoint and reach the cluster from inside the VPC.

07 Repeat steps no. 4 – 6 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the PUT /clusters/[cluster_id] command (OSX/Linux/UNIX) to modify the specified ACK cluster and disassociate the public IP/EIP from its Kubernetes API server. Set the "api_server_eip" parameter to false in the request body, as shown in the example below:

aliyun cs PUT /clusters/abcd1234abcd1234abcd1234abcd1234a \
  --header "Content-Type=application/json;" \
  --body "{\"api_server_eip\":false}"

02 The output should return the ID of the modified ACK cluster together with the ID of the asynchronous task that applies the change, e.g.:

{
	"cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
	"instanceId": "ad1234abcd123abcd1234abcd1234abcd1",
	"request_id": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"task_id": "T-abcdabcdabcdabcdabcdabcd"
}

03 Repeat steps no. 1 and 2 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.
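As an added example (not part of the original page and not Conformity's or Alibaba Cloud's own code), the following Python script performs the CLI audit and the CLI remediation above in one pass: it decodes the nested "master_url" string from the GET /clusters response, lists every cluster whose "api_server_endpoint" is non-empty, and builds the PUT /clusters/[cluster_id] call with "api_server_eip": false. The embedded sample response is constructed; the aliyun invocations are the ones shown on this page. The script is a dry run unless invoked with --live --apply, because disassociating the EIP restarts the API server and cuts off every client that uses the public endpoint.

```python
"""Find ACK clusters whose API server has a public endpoint and build the
call that disassociates the EIP.

Added example for this rule page; not Conformity's or Alibaba Cloud's code.
It reuses the two aliyun CLI invocations shown on the page
(`aliyun cs GET /clusters` and `aliyun cs PUT /clusters/<id>` with
api_server_eip=false). The sample response below is constructed.
"""
import json
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed sample shaped like `aliyun cs GET /clusters` output. Note that
# "master_url" is not an object but a JSON document serialised as a string.
SAMPLE_CLUSTERS = json.dumps([
    {
        "cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
        "region_id": "eu-west-1",
        "state": "running",
        "master_url": json.dumps({
            "api_server_endpoint": "https://203.0.113.10:6443",
            "intranet_api_server_endpoint": "https://172.23.38.230:6443",
        }),
    },
    {
        "cluster_id": "1234abcd1234abcd1234abcd1234abcd1",
        "region_id": "eu-west-1",
        "state": "running",
        "master_url": json.dumps({
            "api_server_endpoint": "",
            "intranet_api_server_endpoint": "https://172.23.40.12:6443",
        }),
    },
])

LIST_CMD = ["aliyun", "cs", "GET", "/clusters",
            "--header", "Content-Type=application/json;", "--body", "{}"]


def public_endpoint(cluster):
    """Return the cluster's public API server URL, or None if it has none.

    Rule from the page: an empty api_server_endpoint means the API server is
    private; any value means it is reachable from the Internet. master_url
    is decoded a second time because it is JSON text nested in the JSON.
    """
    try:
        master = json.loads(cluster.get("master_url") or "{}")
    except json.JSONDecodeError:
        return None
    endpoint = (master.get("api_server_endpoint") or "").strip()
    # Guard against junk values: a real endpoint is a URL with a host.
    return endpoint if endpoint and urlsplit(endpoint).hostname else None


def find_public_api_servers(clusters_json):
    """Parse GET /clusters output; list the clusters that fail this rule."""
    findings = []
    for cluster in json.loads(clusters_json):
        endpoint = public_endpoint(cluster)
        if endpoint:
            findings.append({
                "cluster_id": cluster["cluster_id"],
                "region_id": cluster.get("region_id"),
                "endpoint": endpoint,
            })
    return findings


def remediation_command(cluster_id):
    """The PUT /clusters/<id> call from the page with api_server_eip=false."""
    return ["aliyun", "cs", "PUT", f"/clusters/{cluster_id}",
            "--header", "Content-Type=application/json;",
            "--body", json.dumps({"api_server_eip": False})]


def run_live(apply=False):
    """Query the real account; send the remediation only when apply=True.

    Disassociating the EIP restarts the API server and breaks every
    kubeconfig that points at the public endpoint, so by default this only
    prints the commands it would run.
    """
    out = subprocess.run(LIST_CMD, check=True, capture_output=True, text=True)
    for finding in find_public_api_servers(out.stdout):
        cmd = remediation_command(finding["cluster_id"])
        print(f"{finding['cluster_id']} ({finding['region_id']}): "
              f"public endpoint {finding['endpoint']}")
        print("  " + ("running: " if apply else "would run: ") + " ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    if "--live" in sys.argv:
        run_live(apply="--apply" in sys.argv)
    else:  # offline demo on the constructed sample
        print(json.dumps(find_public_api_servers(SAMPLE_CLUSTERS), indent=2))
```

Run it without arguments to see the finding produced for the constructed sample (only the first cluster is reported), with --live to audit the account the aliyun CLI is configured for, and with --live --apply to also send the PUT for each flagged cluster. Because the GET /clusters call is regional, run the script against each region the CLI profile covers.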

Publication date Feb 22, 2024