C-0252 - Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-aks-t1.2.0

Severity

High

Description of the the issue

In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's wirtual network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's virtual network.

Although Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes publically with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling public endpoint will help prevent such threats, and require the attacker to be on the master's virtual network to perform any attack on the Kubernetes API.

Related resources

What does this control test

Disable access to the Kubernetes API from outside the node network if it is not required.

How to check it manually

Remediation

To use a private endpoint, create a new private endpoint in your virtual network then create a link between your virtual network and a new private DNS zone

Impact Statement

Default Value

Example

No example