End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™.

Disable Kubernetes API Public Endpoint

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that public access to the Kubernetes API is disabled for your OCI Kubernetes Engine (OKE) clusters, so that the API server is reachable only through its private endpoint. In OKE, the private endpoint is a private IP address in the Kubernetes API endpoint subnet of your VCN; it is reachable from inside the VCN and from networks connected to it (for example, through a bastion host, a VPN, or FastConnect). Removing the public IP address keeps the API server off the public internet, which significantly reduces the cluster's attack surface and is critical for security and compliance.

Security

Every OKE cluster's Kubernetes API server endpoint has a private IP address in the Kubernetes API endpoint subnet of the Virtual Cloud Network (VCN), which worker nodes and in-VCN clients use; a public IP address can optionally be assigned to the same endpoint for access from the internet. The API server still authenticates every request, but a public endpoint lets anyone on the internet reach it: attackers can fingerprint the server (for example, learn the Kubernetes version, which the API server may reveal before authentication), look for known vulnerabilities that match it, and try stolen or guessed credentials and tokens against it. Therefore, disabling the public endpoint whenever external access is not strictly needed is a critical security measure that reduces the attack surface and prevents unauthorized external exposure. Where a public endpoint cannot yet be removed, restrict it with a Network Security Group (NSG) or security list on the API endpoint subnet that allows TCP port 6443 only from known source addresses, and treat that as an interim control rather than a substitute.


Audit

To determine if public access to the Kubernetes API is disabled for your OKE clusters, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Kubernetes Clusters (OKE) console available at https://cloud.oracle.com/containers/clusters.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Kubernetes Engine (OKE) clusters provisioned in the selected compartment.

  4. Click on the name (link) of the OCI Kubernetes Engine (OKE) cluster that you want to examine, listed in the Name column.

  5. Select the Cluster details tab and check the Kubernetes API public endpoint attribute value, listed in the Network information section. If the Kubernetes API public endpoint value contains a public IP address, i.e., <public-ip-address>:<port-number>, public access to the Kubernetes API is not disabled for the selected OKE cluster. If the attribute is empty and only the Kubernetes API private endpoint is shown, public access is disabled.

  6. Repeat steps no. 4 and 5 for each OKE cluster provisioned within the selected OCI compartment.

  7. Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run ce cluster get command (Windows/macOS/Linux) with the ID of the OKE cluster that you want to examine as the identifier parameter, to determine if public access to the Kubernetes API is disabled for the selected OKE cluster:

    oci ce cluster get \
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data.["endpoint-config"."is-public-ip-enabled","endpoints"."public-endpoint"]'
    
  6. The command output should return the values of the "is-public-ip-enabled" and "public-endpoint" attributes. "is-public-ip-enabled" indicates whether a public IP address is assigned to the cluster's API endpoint, and "public-endpoint" is the public IP address and port combination used to reach it, i.e., <public-ip-address>:<port-number>:

    [
    	true,
    	"<public-ip-address>:<port-number>"
    ]
    

    Check the ce cluster get command output to determine whether public access to the Kubernetes API is disabled. If the command output returns true for "is-public-ip-enabled" and a <public-ip-address>:<port-number> value for "public-endpoint", as shown in the example above, public access to the Kubernetes API is not disabled for the selected OKE cluster. If "is-public-ip-enabled" is false and "public-endpoint" is null, public access is disabled for that cluster.

  7. Repeat steps no. 5 and 6 for each OKE cluster deployed to the selected OCI compartment.

  8. Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
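The eight CLI steps above, automated end to end. This is an added example, not code from the original page or from Oracle. It assumes the OCI CLI (`oci`) is installed and authenticated with permission to inspect compartments and clusters, and it applies exactly the rule stated above ("is-public-ip-enabled" true or a non-empty "public-endpoint" means non-compliant). SAMPLE_RECORDS is constructed test data with fake OCIDs and documentation IP addresses, so the decision logic can be exercised offline with `--sample`.

```python
"""Audit every OKE cluster in a tenancy for a public Kubernetes API endpoint."""
import json
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Finding:
    cluster_id: str
    name: str
    public_ip_enabled: bool          # endpoint-config.is-public-ip-enabled
    public_endpoint: Optional[str]   # endpoints.public-endpoint (None when disabled)
    nsg_ids: List[str] = field(default_factory=list)  # NSGs on the API endpoint, for context only

    @property
    def compliant(self) -> bool:
        # Fail closed: either signal of a public endpoint makes the cluster non-compliant.
        return not (self.public_ip_enabled or bool(self.public_endpoint))


def evaluate_cluster(record: dict) -> Finding:
    """Apply the page's rule to the 'data' object returned by `oci ce cluster get`."""
    endpoint_config = record.get("endpoint-config") or {}
    endpoints = record.get("endpoints") or {}
    return Finding(
        cluster_id=record["id"],
        name=record.get("name", ""),
        public_ip_enabled=bool(endpoint_config.get("is-public-ip-enabled")),
        public_endpoint=endpoints.get("public-endpoint") or None,
        nsg_ids=list(endpoint_config.get("nsg-ids") or []),
    )


def non_compliant(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if not f.compliant]


def oci_data(*args: str):
    """Run one OCI CLI command and return the parsed 'data' element of its JSON output."""
    proc = subprocess.run(["oci", *args], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)["data"]


def audit_tenancy() -> List[Finding]:
    """Walk every compartment (root included) and every cluster in it, as in steps 1-8."""
    findings: List[Finding] = []
    for comp in oci_data("iam", "compartment", "list", "--all", "--include-root"):
        if comp.get("lifecycle-state") in ("DELETING", "DELETED"):
            continue
        for summary in oci_data("ce", "cluster", "list", "--compartment-id", comp["id"], "--all"):
            if summary.get("lifecycle-state") in ("DELETING", "DELETED"):
                continue  # deleted clusters still appear in the listing; skip them
            record = oci_data("ce", "cluster", "get", "--cluster-id", summary["id"])
            findings.append(evaluate_cluster(record))
    return findings


# Constructed sample 'data' objects in the shape of `oci ce cluster get` output (fake OCIDs).
SAMPLE_RECORDS = [
    {
        "id": "ocid1.cluster.oc1.ap-sydney-1.aaaa",
        "name": "payments-prod",
        "lifecycle-state": "ACTIVE",
        "endpoint-config": {"is-public-ip-enabled": True, "nsg-ids": []},
        "endpoints": {"private-endpoint": "10.0.0.5:6443", "public-endpoint": "203.0.113.10:6443"},
    },
    {
        "id": "ocid1.cluster.oc1.ap-sydney-1.bbbb",
        "name": "payments-dev",
        "lifecycle-state": "ACTIVE",
        "endpoint-config": {"is-public-ip-enabled": False, "nsg-ids": []},
        "endpoints": {"private-endpoint": "10.0.0.6:6443", "public-endpoint": None},
    },
]


if __name__ == "__main__":
    import sys
    # `--sample` exercises the rule offline; otherwise the live tenancy is queried.
    findings = [evaluate_cluster(r) for r in SAMPLE_RECORDS] if "--sample" in sys.argv else audit_tenancy()
    for f in findings:
        state = "OK" if f.compliant else "PUBLIC"
        print(f"{state:6} {f.name:<20} {f.public_endpoint or '-':<22} nsgs={len(f.nsg_ids)} {f.cluster_id}")
    sys.exit(1 if non_compliant(findings) else 0)
```

The script exits non-zero when any cluster is non-compliant, so it can gate a pipeline. The NSG count is reported only as context for prioritising remediation: an NSG that limits who can reach port 6443 narrows exposure but does not make the cluster compliant with this rule.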

Remediation / Resolution

To ensure that public access to the Kubernetes API is disabled for your OCI Kubernetes Engine (OKE) clusters, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Kubernetes Clusters (OKE) console available at https://cloud.oracle.com/containers/clusters.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Kubernetes Engine (OKE) clusters provisioned in the selected compartment.

  4. Click on the name (link) of the OCI Kubernetes Engine (OKE) cluster that you want to configure, listed in the Name column.

  5. Choose Actions from the console top-right menu, select Edit, and perform the following actions to disable public access:

    1. In the Kubernetes API server endpoint section, switch off the Assign a public IP address to the API endpoint button to turn off access via public IPs. This disables public access to the cluster's Kubernetes API.
    2. Choose Update to apply the configuration changes. Once the OKE cluster configuration is updated, the Kubernetes API server is accessible only via the private endpoint: any kubeconfig that targets the old public address stops working, and clients must connect from inside the VCN (or over a bastion, VPN, or FastConnect connection) using a kubeconfig generated for the private endpoint.
  6. Repeat steps no. 4 and 5 for each OKE cluster provisioned within the selected OCI compartment.

  7. Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run ce cluster update-endpoint-config command (Windows/macOS/Linux) with the ID of the OKE cluster that you want to configure as the identifier parameter, to disable public access to the cluster's Kubernetes API by turning off access via public IPs. Once the OKE cluster configuration is updated, the Kubernetes API server is accessible only via the private endpoint, so existing kubeconfigs that target the public address stop working and clients must connect from inside the VCN (or over a bastion, VPN, or FastConnect connection) with a kubeconfig generated for the private endpoint:

    oci ce cluster update-endpoint-config \
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--is-public-ip-enabled false
    
  6. The update is asynchronous, so the command output returns only the ID of the work request that performs it. Check that the work request has reached the SUCCEEDED status with ce work-request get (oci ce work-request get --work-request-id <work-request-id>), then re-run the ce cluster get command from the Audit section to confirm that "is-public-ip-enabled" is false and "public-endpoint" is null:

    {
    	"opc-work-request-id": "ocid1.clustersworkrequest.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
  7. Repeat steps no. 5 and 6 for each OKE cluster deployed to the selected OCI compartment.

  8. Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
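The remediation steps above, carried through the part the page leaves to the operator: waiting for the asynchronous work request, verifying the endpoint actually changed, and issuing a kubeconfig for the private endpoint. This is an added example, not code from the original page or from Oracle. It assumes an authenticated OCI CLI, the commands shown on this page, and two further OCI CLI commands not shown above, `oci ce work-request get --work-request-id` and `oci ce cluster create-kubeconfig --kube-endpoint PRIVATE_ENDPOINT`. The `run` parameter is injectable; FakeOci is a constructed stand-in for the CLI with scripted work-request statuses, used for the offline `--dry-run` and for testing the failure paths.

```python
"""Disable an OKE cluster's public Kubernetes API endpoint, wait for the change, verify it."""
import json
import subprocess
import time
from typing import Callable, Dict, List, Sequence

OciRunner = Callable[[Sequence[str]], dict]

TERMINAL_FAILURE = ("FAILED", "CANCELED", "CANCELING")


def run_oci(args: Sequence[str]) -> dict:
    """Run `oci <args>` and parse its JSON output (some commands, e.g. create-kubeconfig, print nothing)."""
    proc = subprocess.run(["oci", *args], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def endpoint_is_public(cluster: dict) -> bool:
    """Same rule as the Audit section: the flag or a reported public address means public."""
    cfg = cluster.get("endpoint-config") or {}
    eps = cluster.get("endpoints") or {}
    return bool(cfg.get("is-public-ip-enabled")) or bool(eps.get("public-endpoint"))


def disable_public_endpoint(cluster_id: str, region: str, kubeconfig_path: str,
                            run: OciRunner = run_oci, poll_seconds: int = 15,
                            max_polls: int = 120,
                            sleep: Callable[[float], None] = time.sleep) -> Dict[str, str]:
    # 1. Request the change (step 5 above); the CLI answers with a work request ID.
    reply = run(["ce", "cluster", "update-endpoint-config", "--cluster-id", cluster_id,
                 "--is-public-ip-enabled", "false"])
    work_request_id = reply["opc-work-request-id"]

    # 2. The update is asynchronous: poll the work request until it reaches a terminal state.
    for _ in range(max_polls):
        status = run(["ce", "work-request", "get", "--work-request-id", work_request_id])["data"]["status"]
        if status == "SUCCEEDED":
            break
        if status in TERMINAL_FAILURE:
            raise RuntimeError(f"work request {work_request_id} ended in {status}")
        sleep(poll_seconds)
    else:
        raise TimeoutError(f"work request {work_request_id} not finished after {max_polls} polls")

    # 3. Do not trust the work request alone: re-read the cluster and check the endpoint itself.
    cluster = run(["ce", "cluster", "get", "--cluster-id", cluster_id])["data"]
    if endpoint_is_public(cluster):
        raise RuntimeError(f"cluster {cluster_id} still reports a public API endpoint")

    # 4. Existing kubeconfigs point at the old public address; write one for the private endpoint.
    run(["ce", "cluster", "create-kubeconfig", "--cluster-id", cluster_id, "--file", kubeconfig_path,
         "--region", region, "--token-version", "2.0.0", "--kube-endpoint", "PRIVATE_ENDPOINT"])
    return {"work-request-id": work_request_id,
            "private-endpoint": cluster["endpoints"]["private-endpoint"]}


class FakeOci:
    """Constructed stand-in for the OCI CLI: scripted work-request statuses, recorded calls."""

    def __init__(self, statuses: Sequence[str], still_public: bool = False):
        self.statuses = list(statuses)
        self.still_public = still_public   # simulate an update that did not take effect
        self.calls: List[List[str]] = []

    def __call__(self, args: Sequence[str]) -> dict:
        self.calls.append(list(args))
        cmd = tuple(args[:3])
        if cmd == ("ce", "cluster", "update-endpoint-config"):
            return {"opc-work-request-id": "ocid1.clustersworkrequest.oc1.ap-sydney-1.fake"}
        if cmd == ("ce", "work-request", "get"):
            return {"data": {"status": self.statuses.pop(0)}}
        if cmd == ("ce", "cluster", "get"):
            return {"data": {"endpoint-config": {"is-public-ip-enabled": self.still_public},
                             "endpoints": {"private-endpoint": "10.0.0.5:6443",
                                           "public-endpoint": "203.0.113.10:6443" if self.still_public else None}}}
        if cmd == ("ce", "cluster", "create-kubeconfig"):
            return {}
        raise AssertionError(f"unexpected command: {' '.join(args)}")


if __name__ == "__main__":
    import sys
    if "--dry-run" in sys.argv:
        fake = FakeOci(["ACCEPTED", "IN_PROGRESS", "SUCCEEDED"])
        print(disable_public_endpoint("ocid1.cluster.oc1.ap-sydney-1.fake", "ap-sydney-1",
                                      "/tmp/kubeconfig-private", run=fake, sleep=lambda s: None))
    else:
        cluster_id, region, path = sys.argv[1:4]
        print(disable_public_endpoint(cluster_id, region, path))
```

Run it as `python3 disable_public_endpoint.py <cluster-ocid> <region> <kubeconfig-path>` from a host that can reach the private endpoint; the generated kubeconfig is useless from the public internet, which is the point. The explicit re-read in step 3 is what turns "the update command returned" into "the exposure is gone", and it is the same check the Audit section performs, so the two stay consistent.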

Publication date Dec 1, 2025