The API server is the way that you can control and access your Kubernetes control plane, and so is a tempting attack surface for anyone wanting to breach your cluster. If someone gains access to the Kubernetes API they can do pretty much anything with your cluster. By using a private cluster this API is only accessible from your virtual network and traffic only goes over the virtual network and does not traverse the internet. This provides a few benefits:
- The API server is not accessible over the internet at all, blocking any would-be attacker from having an endpoint they can try to attack
- The traffic to the API server does not traverse the internet, removing the risk of a man-in-the-middle or other interception-type attack
For some people this may not be required, and you're happy with the security of the public API server, in which case you don't need this. However, there are many scenarios where this is not an acceptable level of security and a private API server is needed to be able to use AKS.
API server can be accessed from vnet and peered vnets only.
That is fine @vipullag-MSFT, but my question is why - what is the point of making the API server externally accessible? I can access the services on the public endpoints of that LB. Why should I safeguard the API server only?
@Pratim Das, Partha C
Apologies for the confusion. The API server endpoint has no public IP address, so it is not externally accessible in a Private Cluster.
If the API server is secured, then you can control the cluster only from the internal network.
For example, usually companies will have an office network that is connected to Azure. If we create a Private AKS, we can access the AKS master from the office network and from the vnets only. This provides additional security to the AKS master. In this case, an attacker needs access to both the office network and the AKS access keys to disturb your cluster. However, in the case of public AKS, credentials are enough.
We have a feature called Authenticated IP. To improve cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.
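Whether a cluster is actually private, publicly reachable but limited to authorized ranges, or open to the whole internet can be read off its API server access profile. The following is an added example, not code from this thread or from Microsoft: it classifies constructed records shaped like `az aks show -o json` output and checks a client address against the allow-list. It assumes the `apiServerAccessProfile`, `enablePrivateCluster` and `authorizedIpRanges` field names and a /16 threshold for "too broad".

```python
import ipaddress
import json

# Constructed sample, shaped like the apiServerAccessProfile block of
# `az aks show -o json` (assumption: field names follow the AKS resource API).
SAMPLE_CLUSTERS = json.loads("""[
 {"name": "aks-private", "apiServerAccessProfile":
   {"enablePrivateCluster": true, "authorizedIpRanges": null}},
 {"name": "aks-public-restricted", "apiServerAccessProfile":
   {"enablePrivateCluster": false, "authorizedIpRanges": ["203.0.113.0/24", "198.51.100.7/32"]}},
 {"name": "aks-public-broad", "apiServerAccessProfile":
   {"enablePrivateCluster": false, "authorizedIpRanges": ["0.0.0.0/0"]}},
 {"name": "aks-public-open", "apiServerAccessProfile": null}
]""")

BROAD_PREFIX = 16  # assumption: an authorized range wider than /16 is flagged


def classify_api_server(cluster):
    """Return (posture, findings) describing who can reach the cluster's API server."""
    profile = cluster.get("apiServerAccessProfile") or {}
    findings = []
    if profile.get("enablePrivateCluster"):
        return "private", findings  # no public IP; VNet and peered VNets only
    ranges = profile.get("authorizedIpRanges") or []
    if not ranges:
        findings.append("public endpoint with no authorized IP ranges")
        return "public-open", findings
    for cidr in ranges:
        if ipaddress.ip_network(cidr, strict=False).prefixlen < BROAD_PREFIX:
            findings.append(f"authorized range {cidr} is wider than /{BROAD_PREFIX}")
    return "public-restricted", findings


def client_allowed(cluster, client_ip):
    """True if client_ip passes the public endpoint's allow-list."""
    posture, _ = classify_api_server(cluster)
    if posture == "private":
        return False  # nothing public to reach; VNet routing decides, not an IP list
    if posture == "public-open":
        return True
    ip = ipaddress.ip_address(client_ip)
    ranges = cluster["apiServerAccessProfile"]["authorizedIpRanges"]
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def audit(clusters=SAMPLE_CLUSTERS):
    """Cluster name -> (posture, findings) for every cluster in the list."""
    return {c["name"]: classify_api_server(c) for c in clusters}
```

Feed it the real `az aks show` output for each cluster to see which ones rely on credentials alone, as the answer above describes for public AKS.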
Thanks @vipullag-MSFT. 70% of my doubts are clarified. As per my knowledge, the AKS master is managed by Azure and we can't access it. If this statement holds true, then how can hackers access the AKS master/API server? Even if the API server is hacked, what will be the impact/level of damage?
@Pratim Das, Partha C
Apologies for the delayed response.
AKS master is managed by Azure and we can't access it.
It's managed by Azure. If it's a private AKS, we can access the master within the vnets.
If public, we can access from anywhere.
Even if the API server is hacked, what will be the impact/ level of damage?
It's based on the access level of the compromised key. If the admin key is compromised, then it has full access to the cluster.
Many thanks for your response. Could you please let me know how to access the AKS master?
@Pratim Das, Partha C
We can access the endpoint provided by the AKS master service in the VNET. However, you cannot log in to the master machine.
It is documented here.
Why is more than one public IP address created for both private and public AKS clusters?
@vipullag-MSFT, most of my confusion regarding private AKS is clear. Can you help me understand the PCI DSS requirement for AKS? We have a design with public AKS for a customer who is looking for the compliance thing now.
Is public AKS PCI compliant, or do we need to redesign to a private cluster?
@Debabrata Howlee
Here is the document (this one is the introduction) which has all the details on the customer's responsibilities and the responsibilities of the service provider as far as PCI DSS is concerned.
Hope these document references help.