How can we improve the Azure Kubernetes Service (AKS)?

Secure AKS API from Public Internet

Managed K8s in Azure makes the AKS API publicly accessible via an Internet endpoint.
This master node access is separate from the agent nodes we stand up inside a VNet, which we can protect with interior private IPs and NSGs.

While access to the AKS API is protected using Azure DDoS protection, plus integration with AAD and RBAC for user access, some customer security organizations demand either IP whitelisting on it or some type of firewalling to limit access to it to only their company. VNet Service Endpoint is another option, although it is not certain it can work. But that kind of protection is sought.
Reference: https://github.com/Azure/AKS/issues/572

220 votes

Steve DiStefano shared this idea
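The restriction asked for above (an IP allow-list in front of the public API server) is easy to get wrong in ways that either reopen the endpoint or lock the operator out. The following pre-flight audit is an added example, not code from this thread or from the AKS project. It assumes the `az aks update --api-server-authorized-ip-ranges` flag that AKS shipped after this request was filed, uses placeholder resource-group and cluster names, and the CIDR lists are constructed for illustration.

```python
"""Pre-flight audit of an AKS API-server IP allow-list.

Added example, not code from the feedback thread or the AKS project.
Assumes the `az aks update --api-server-authorized-ip-ranges` flag that
shipped after this request was filed; resource-group and cluster names are
placeholders and the CIDR lists are constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

# Anything broader than this is flagged: "only our company" is rarely a /8.
MAX_PREFIX_BREADTH = 16

# Ranges that can never be the source of a packet arriving at a public
# endpoint, so listing them only gives a false sense of coverage.
DEAD_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]


def _dead_on_public_endpoint(net) -> bool:
    """True when net lies entirely inside a private/loopback/link-local block."""
    return any(net.version == d.version and net.subnet_of(d) for d in DEAD_RANGES)


def audit_ranges(ranges: List[str], client_ip: str) -> Tuple[bool, List[str]]:
    """Return (client_is_covered, findings) for a proposed allow-list.

    Findings describe how the list is weaker (or more brittle) than intended:
      * a /0 entry re-opens the endpoint to the whole Internet,
      * very broad prefixes grant far more than the requesting company,
      * RFC 1918 / loopback entries can never match a public source address,
      * duplicates and unparsable entries hint at copy/paste errors,
      * a list that omits the operator's own egress address locks kubectl out.
    """
    findings: List[str] = []
    nets = []
    for raw in ranges:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(f"{raw}: not a valid CIDR, az would reject it")
            continue
        if net.prefixlen == 0:
            findings.append(f"{raw}: matches every address, the allow-list is a no-op")
        else:
            if net.prefixlen < MAX_PREFIX_BREADTH:
                findings.append(f"{raw}: broader than /{MAX_PREFIX_BREADTH}, review its scope")
            if _dead_on_public_endpoint(net):
                findings.append(f"{raw}: private/loopback range cannot match a public source")
        if net in nets:
            findings.append(f"{raw}: duplicate entry")
        nets.append(net)

    client = ipaddress.ip_address(client_ip)
    covered = any(client in net for net in nets)
    if not covered:
        findings.append(f"client {client_ip} is not in the list; kubectl would be locked out")
    return covered, findings


def render_update_command(resource_group: str, cluster: str, ranges: List[str]) -> str:
    """Build (do not run) the az command that applies the allow-list.

    An empty string clears the list again; keep that command handy as the
    escape hatch in case an operator locks themselves out.
    """
    joined = ",".join(ranges) if ranges else '""'
    return (f"az aks update --resource-group {resource_group} --name {cluster} "
            f"--api-server-authorized-ip-ranges {joined}")


if __name__ == "__main__":
    # Constructed sample: one genuine corporate egress range plus three mistakes.
    proposed = ["203.0.113.0/24", "0.0.0.0/0", "10.0.0.0/8", "203.0.113.0/24"]
    ok, problems = audit_ranges(proposed, client_ip="203.0.113.7")
    for p in problems:
        print("finding:", p)
    if ok and not problems:
        print(render_update_command("rg-prod", "aks-prod", proposed))
    else:
        print("fix the list before applying it")
```

Two caveats a reviewer would raise even with a clean list: an allow-list only filters who can talk to the endpoint, the public FQDN itself stays discoverable, so the stronger answer to the request is a cluster whose API server has no public address at all; and the egress address you check against must be the one kubectl actually leaves the network from (corporate NAT, VPN or bastion), not the workstation's LAN address.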

27 comments

  • Shyam kumar alaparthy commented

    Appreciate the AKS team considering this a priority and taking up this feature request. Can you provide an update on where we stand on this feature? What is the planned date for the private preview?

  • Anonymous commented

    Any update? Our security team is not happy having the K8s API server exposed to the whole internet. NSGs or whitelists need to be implemented for it.

  • Adam Bradley commented

    Likely we will need to use acs-engine if this capability is not released. This is a huge risk for our project. Strong preference is to be able to protect it via an NSG.

  • daveParso commented

    Any update on this? This feature is a critical point for our customers, as multi-layered security on the Kubernetes API is necessary.

