
Restrict Access to the Kubernetes Control Plane

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the control plane endpoint of your OCI Container Engine for Kubernetes (OKE) cluster is secured by associating the endpoint's VNIC with a Network Security Group (NSG). The NSG should contain a specific inbound security rule that allows TCP traffic on port 6443 (the Kubernetes API server port) only from a defined allowlist of authorized CIDR blocks (your authorized networks), so that the NSG acts as a virtual firewall enforcing network-level access restriction on the Kubernetes API server.

Security

Use Network Security Groups (NSGs) with OCI Container Engine for Kubernetes (OKE) clusters to achieve granular, resource-level network security and isolation. NSGs are specifically recommended for controlling network access to the Kubernetes API server endpoint, helping you reduce the attack surface and ensure that only authorized clients and services can communicate with your OCI compute resources.


Audit

To determine if the network access to the Kubernetes API server endpoint is restricted using Network Security Groups (NSGs), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Kubernetes Clusters (OKE) console available at https://cloud.oracle.com/containers/clusters.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Kubernetes Engine (OKE) clusters provisioned in the selected compartment.

  4. Click on the name (link) of the OCI Kubernetes Engine (OKE) cluster that you want to examine, listed in the Name column.

  5. Select the Cluster details tab and check the Kubernetes API public endpoint and Network security group attribute values, listed in the Network information section. If the Kubernetes API public endpoint value contains a public IP address, i.e., <public-ip-address>:<port-number>, and the Network security group value is set to Not enabled, the network access to the Kubernetes API server endpoint is public and not restricted using Network Security Groups (NSGs).

  6. Repeat steps no. 4 and 5 for each OKE cluster provisioned within the selected OCI compartment.

  7. Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run ce cluster get command (Windows/macOS/Linux) with the ID of the OKE cluster that you want to examine as the identifier parameter, to determine if public access to the Kubernetes API server is enabled and if Network Security Groups (NSGs) are being used for access control:

    oci ce cluster get \
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data.{"is-public-ip-enabled": "endpoint-config"."is-public-ip-enabled","nsg-ids": "endpoint-config"."nsg-ids"}'
    
  6. The command output should return the values for the "is-public-ip-enabled" and "nsg-ids" attributes. "is-public-ip-enabled" indicates if a public IP address is assigned to the cluster, and "nsg-ids" reveals if the cluster is using Network Security Groups for access control:

    {
    	"is-public-ip-enabled": true,
    	"nsg-ids": []
    }
    

    Check the ce cluster get command output to determine whether public access to the Kubernetes API is enabled and Network Security Groups (NSGs) are used for access control. If the command output returns true for "is-public-ip-enabled" and an empty array for the "nsg-ids" property, the network access to the Kubernetes API server endpoint is public and not restricted using Network Security Groups (NSGs).

  7. Repeat steps no. 5 and 6 for each OKE cluster provisioned within the selected OCI compartment.

  8. Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
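The audit logic above, carried one step further as an added example (not part of the original rule page): it takes the endpoint attributes returned by `oci ce cluster get` together with the attached NSG's rules and flags a public endpoint with no NSG, any rule that admits port 6443 from a source outside your allowlist, and any rule that pins the client source port (kubectl and other clients connect from ephemeral source ports, so such a rule drops their traffic). The cluster attributes, NSG rules, OCID and allowlist are constructed placeholders; the rule objects use the same shape as the `security-rules` entries shown in the remediation steps.

```python
import ipaddress
import json

API_PORT = 6443  # Kubernetes API server port

# Constructed sample in the shape returned by the `oci ce cluster get --query ...` call above.
CLUSTER_ENDPOINT = json.loads(
    '{"is-public-ip-enabled": true, "nsg-ids": ["ocid1.networksecuritygroup.oc1..EXAMPLE"]}')

# Constructed sample of the attached NSG's rules (same shape as the `security-rules` entries).
NSG_RULES = json.loads("""[
 {"direction": "INGRESS", "protocol": "6", "source": "10.0.1.0/24", "source-type": "CIDR_BLOCK",
  "tcp-options": {"destination-port-range": {"min": 6443, "max": 6443}, "source-port-range": null}},
 {"direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
  "tcp-options": {"destination-port-range": {"min": 1, "max": 65535}, "source-port-range": null}},
 {"direction": "EGRESS", "protocol": "6", "destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
  "tcp-options": null}
]""")


def admits_api_port(rule):
    """True if an ingress rule admits TCP traffic to port 6443 (no port range means all ports)."""
    if rule.get("direction") != "INGRESS" or rule.get("protocol") not in ("6", "all"):
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    return rng is None or rng["min"] <= API_PORT <= rng["max"]


def audit_api_endpoint(endpoint, rules, authorized_cidrs):
    """Return a list of findings for one cluster; an empty list means the check passes."""
    if not endpoint["is-public-ip-enabled"]:
        return []  # private endpoint: not reachable from the internet at all
    if not endpoint["nsg-ids"]:
        return ["public API endpoint with no Network Security Group attached"]
    allow = [ipaddress.ip_network(c) for c in authorized_cidrs]
    findings = []
    for rule in filter(admits_api_port, rules):
        if rule.get("source-type") != "CIDR_BLOCK":
            findings.append(f"rule with non-CIDR source {rule.get('source')!r} admits port {API_PORT}")
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        if not any(a.version == src.version and src.subnet_of(a) for a in allow):
            findings.append(f"source {src} admits port {API_PORT} but is outside the allowlist")
        if (rule.get("tcp-options") or {}).get("source-port-range"):
            findings.append(f"source {src}: source port is pinned; clients use ephemeral source ports")
    return findings


if __name__ == "__main__":
    for finding in audit_api_endpoint(CLUSTER_ENDPOINT, NSG_RULES, ["10.0.0.0/16"]):
        print("FAIL:", finding)
```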

Remediation / Resolution

To ensure that network access to the Kubernetes API server endpoint is restricted using Network Security Groups (NSGs), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Virtual Cloud Networks console available at https://cloud.oracle.com/networking/vcns.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Virtual Cloud Networks available in the selected compartment.

  4. Click on the name (link) of the Virtual Cloud Network (VCN) associated with your OCI Kubernetes Engine (OKE) cluster.

  5. Select the Security tab, choose Create Network Security Group under Network Security Groups, and perform the following actions to create a new OCI Network Security Group (NSG):

    1. For Name, enter a unique name for the new Network Security Group.
    2. Select the appropriate OCI compartment from the Create in Compartment dropdown list.
    3. For Add Security Rules, choose Rule, and provide the following information to create NSG rules. As an example, the following NSG rules allow access on TCP port 6443 (Kubernetes control plane access):
      1. To create an inbound (ingress) rule, provide the following information:
        1. Choose Ingress for Directions.
        2. For Source Type, select CIDR.
        3. For Source CIDR, enter the IP address or IP address range of the trusted network, service, or machine (must be in CIDR notation).
        4. For IP Protocol, choose TCP.
        5. For Source Port Range, enter 6443.
        6. For Destination Port Range, enter 6443.
        7. Type a short description in the Description box.
      2. To create an outbound (egress) rule, select Another rule, and provide the following information:
        1. Choose Egress for Directions.
        2. For Destination Type, select CIDR.
        3. For Destination CIDR, enter an IP address or IP address range where the egress traffic can go to.
        4. For IP Protocol, choose TCP.
        5. For Source Port Range, enter All.
        6. For Destination Port Range, enter All.
        7. Type a short description in the Description box.
    4. Choose Create to create your new OCI Network Security Group (NSG).
  6. Navigate to Kubernetes Clusters (OKE) console available at https://cloud.oracle.com/containers/clusters.

  7. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Kubernetes Engine (OKE) clusters provisioned in the selected compartment.

  8. Click on the name (link) of the OCI Kubernetes Engine (OKE) cluster that you want to configure, listed in the Name column.

  9. Choose Actions from the console top-right menu, select Edit, and perform the following actions to configure secure network access:

    1. In the Kubernetes API server endpoint section, toggle on the Use security rules in Network Security Group (NSG) button to enable access control via Network Security Groups (NSGs).
    2. Choose the appropriate OCI compartment from the Network security group compartment list, then select the newly created Network Security Group (NSG) from the Network security groups dropdown list.
    3. Choose Update to apply the configuration changes.
  10. Repeat steps no. 4 - 9 for each OKE cluster provisioned within the selected OCI compartment.

  11. Repeat steps no. 3 - 10 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run network nsg create command (OSX/Linux/UNIX) to create a new Network Security Group (NSG) for your OCI Kubernetes Engine (OKE) cluster:

    oci network nsg create \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--vcn-id 'ocid1.vcn.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--display-name 'cc-project5-oke-cluster-nsg'
    
  2. The command output should return the configuration information available for the new NSG:

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"defined-tags": {},
    		"display-name": "cc-project5-oke-cluster-nsg",
    		"freeform-tags": {},
    		"id": "ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"lifecycle-state": "AVAILABLE",
    		"time-created": "2025-12-01T18:23:26.258000+00:00",
    		"vcn-id": "ocid1.vcn.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    	},
    	"etag": "abcd1234"
    }
    
  3. Run network nsg rules add command (OSX/Linux/UNIX) to add an ingress (inbound) rule to your new OCI Network Security Group (NSG). As an example, the following NSG rule allows access on TCP port 6443 (Kubernetes control plane access):

    oci network nsg rules add \
    	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--security-rules '[{ "description": "Kubernetes control plane access", "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "ABC123", "is-stateless": false, "is-valid": true, "protocol": "6", "source": "10.0.1.0/24", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 6443, "min": 6443 }, "source-port-range": { "max": 6443, "min": 6443 } }, "udp-options": null }]'
    
  4. The command output should return the ingress rule configured for the new OCI NSG:

    {
    	"data": {
    		"security-rules": [
    			{
    				"description": "Kubernetes control plane access",
    				"destination": null,
    				"destination-type": null,
    				"direction": "INGRESS",
    				"icmp-options": null,
    				"id": "ABC123",
    				"is-stateless": false,
    				"is-valid": true,
    				"protocol": "6",
    				"source": "10.0.1.0/24",
    				"source-type": "CIDR_BLOCK",
    				"tcp-options": {
    					"destination-port-range": {
    						"max": 6443,
    						"min": 6443
    					},
    					"source-port-range": {
    						"max": 6443,
    						"min": 6443
    					}
    				},
    				"time-created": "2025-12-01T18:35:44.654000+00:00",
    				"udp-options": null
    			}
    		]
    	}
    }
    
  5. Run network nsg rules add command (OSX/Linux/UNIX) to add an egress (outbound) rule to your new OCI Network Security Group (NSG). As an example, the following NSG rule allows all outbound access:

    oci network nsg rules add \
    	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--security-rules '[{ "description": "Allow ALL Outbound Access", "destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK", "direction": "EGRESS", "icmp-options": null, "id": "CBA123", "is-stateless": false, "is-valid": true, "protocol": "6", "source": null, "source-type": null, "tcp-options": { "destination-port-range": null, "source-port-range": null }, "udp-options": null }]'
    
  6. The command output should return the egress rules configured for the new OCI NSG:

    {
    	"data": {
    		"security-rules": [
    			{
    				"description": "Allow ALL Outbound Access",
    				"destination": "0.0.0.0/0",
    				"destination-type": "CIDR_BLOCK",
    				"direction": "EGRESS",
    				"icmp-options": null,
    				"id": "BCA123",
    				"is-stateless": false,
    				"is-valid": true,
    				"protocol": "6",
    				"source": null,
    				"source-type": null,
    				"tcp-options": {
    					"destination-port-range": null,
    					"source-port-range": null
    				},
    				"time-created": "2025-12-01T18:38:46.135000+00:00",
    				"udp-options": null
    			}
    		]
    	}
    }
    
  7. Run ce cluster update-endpoint-config command (Windows/macOS/Linux) with the ID of the OKE cluster that you want to configure as the identifier parameter, to enable access control via OCI VCN Network Security Groups (NSGs) by attaching the Network Security Group created in the previous steps:

    oci ce cluster update-endpoint-config \
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--nsg-ids '["ocid1.networksecuritygroup.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"]'
    
  8. The command output should return the work request ID:

    {
    	"opc-work-request-id": "ocid1.clustersworkrequest.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
  9. Repeat steps no. 1 - 8 for each OKE cluster deployed to the selected OCI compartment.

  10. Repeat steps no. 1 – 9 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
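The remediation CLI steps above, as an added example that is not the rule page's own code: it builds the `--security-rules` payload for `oci network nsg rules add` from an allowlist of CIDRs (one stateful TCP/6443 ingress rule per network, rejecting 0.0.0.0/0 or ::/0 and merging adjacent networks first) and the matching `oci ce cluster update-endpoint-config` arguments, printing both commands rather than running them. It leaves the source port range unrestricted, because kubectl and other clients connect from ephemeral source ports. The OCIDs and networks are constructed placeholders; a real run needs a configured OCI CLI.

```python
import ipaddress
import json
import shlex

API_PORT = 6443  # Kubernetes API server port


def ingress_rules_for(allowlist):
    """Build the --security-rules payload: one stateful TCP/6443 ingress rule per allowlisted network.
    Rejects 0.0.0.0/0 and ::/0 and merges adjacent or overlapping CIDRs before emitting rules."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowlist]
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("allowlist must not contain 0.0.0.0/0 or ::/0")
    merged = []
    for version in (4, 6):  # collapse_addresses only merges networks of one IP version
        merged += ipaddress.collapse_addresses([n for n in nets if n.version == version])
    return [{
        "description": f"Kubernetes API server access from {net}",
        "direction": "INGRESS",
        "protocol": "6",            # TCP
        "source": str(net),
        "source-type": "CIDR_BLOCK",
        "is-stateless": False,      # stateful rule: response traffic is allowed automatically
        "tcp-options": {
            "destination-port-range": {"min": API_PORT, "max": API_PORT},
            "source-port-range": None,  # clients use ephemeral source ports, so leave this open
        },
    } for net in merged]


def remediation_commands(cluster_id, nsg_id, allowlist):
    """argv for the `nsg rules add` and `update-endpoint-config` calls above (built, not executed)."""
    add_rules = ["oci", "network", "nsg", "rules", "add", "--nsg-id", nsg_id,
                 "--security-rules", json.dumps(ingress_rules_for(allowlist))]
    attach_nsg = ["oci", "ce", "cluster", "update-endpoint-config", "--cluster-id", cluster_id,
                  "--nsg-ids", json.dumps([nsg_id])]
    return [add_rules, attach_nsg]


if __name__ == "__main__":
    # Placeholder OCIDs and networks, constructed for this example.
    for argv in remediation_commands("ocid1.cluster.oc1..EXAMPLE",
                                     "ocid1.networksecuritygroup.oc1..EXAMPLE",
                                     ["10.0.1.0/24", "10.0.0.0/24", "203.0.113.7"]):
        print(shlex.join(argv))
```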

Publication date Dec 11, 2025