Secure AKS API from Public Internet
Managed K8s in Azure makes the AKS API publicly accessible via an Internet endpoint.
This Master node access is separate from the Agent nodes we stand up inside a VNet and can protect with interior private IPs and NSGs.
While access to the AKS API is protected using Azure DDoS, and integration with AAD and RBAC for user access, some customer security organizations demand either IP whitelisting on it, or some type of firewalling to limit access to it to only their company. VNet Service Endpoint is another option, although it is not certain it can work. But that kind of protection is sought.
Shyam kumar alaparthy commented
Appreciate AKS team considering this as a priority and taking up this feature request. Can you provide an update on where we stand on this feature? What is the planned date for private preview of this?
Any update? Our security team is not happy having the K8s API Server exposed to the whole internet. NSG or whitelists need to be implemented for it.
Adam Bradley commented
Likely we will need to use acs-engine if this capability is not released. This is a huge risk for our project. Strong preference is to be able to protect it via an NSG.
Any update on this, this feature is a critical point for our customers as multi layered security on the kubernetes API is necessary.
Suresh kumar commented
Yeah, this would be helpful if we could restrict the API to specific networks.