Azure AKS cluster configured with overly permissive API server access
Description
The AKS API server receives requests to perform actions in the cluster, for example to create resources or to scale the number of nodes. The API server provides a secure way to manage a cluster. To enhance cluster security and reduce the attack surface, the API server should be accessible only from a limited set of IP address ranges: only the defined address ranges may communicate with the API server, and a request made from an IP address that is not part of these authorized ranges is blocked.
Code Example
```shell
az aks create \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --node-count 1 \
  --vm-set-type VirtualMachineScaleSets \
  --load-balancer-sku standard \
  --api-server-authorized-ip-ranges 73.140.245.0/24 \
  --generate-ssh-keys
```
Remediation
CLI Command
When you specify a CIDR range, start with the first IP address in the range.
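As an added example (not code from the original page or from the Checkov project), a small validator for the value passed to --api-server-authorized-ip-ranges: it flags an empty value and 0.0.0.0/0 as leaving the API server unrestricted, and rejects entries that do not start with the first IP address of their range, as the remediation note requires. The function name and the sample inputs are constructed for illustration.

```python
import ipaddress


def check_authorized_ip_ranges(flag_value):
    """Validate the comma-separated value of --api-server-authorized-ip-ranges.

    Returns (ok, findings): ok is True only when the value restricts the API
    server to well-formed, non-empty, non-catch-all CIDR ranges.
    """
    findings = []
    entries = [e.strip() for e in flag_value.split(",") if e.strip()]

    # No ranges at all means the API server accepts requests from any address.
    if not entries:
        findings.append("no authorized IP ranges: API server reachable from any address")
        return False, findings

    for entry in entries:
        try:
            # strict=True rejects a CIDR whose host bits are set,
            # e.g. 73.140.245.5/24, which does not start with the first IP
            # address of the range.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Compute the range's first address so the finding can suggest it.
                fixed = ipaddress.ip_network(entry, strict=False)
                findings.append(
                    f"{entry}: does not start with the first IP address of the "
                    f"range; use {fixed.with_prefixlen}"
                )
            except ValueError:
                findings.append(f"{entry}: not a valid IP address or CIDR range")
            continue

        # A /0 prefix (0.0.0.0/0 or ::/0) authorizes every address.
        if net.prefixlen == 0:
            findings.append(f"{entry}: allows every address, API server not restricted")

    return (not findings), findings


if __name__ == "__main__":
    # Constructed sample: the value from the page's az aks create example.
    ok, issues = check_authorized_ip_ranges("73.140.245.0/24")
    print("ok" if ok else "\n".join(issues))
```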
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0517 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | ARM, Terraform, Bicep, TerraformPlan |
| Checkov ID | CKV_AZURE_6 |