Tags: azure, security, network

Overview

For most companies, security requirements require restricting access to the network infrastructure and the management environment API. Kubernetes API is not an exception and requires access restrictions.


This article describes how you can restricts access to Kubernetes API in the Azure Kublr deployment.


Azure SecurityGroup restrictions

By default Kublr create Security rules for k8s API with 101 priority, provided non restricted access for source Any.

Pay attention! Kubernetes cloud controller creates new rules for LB type services with a priority of 500.

You can modify default Security rules of k8s API for provide access on Azure Service Tag or source address list. 


Azure Service Tag

Azure Service Tag are predefined identifiers that represent a category of IP addresses. The Virtual Network tag denotes all virtual and local network address spaces. The Azure Load Balancer tag denotes the IP addresses from where Azure load balancer health probes will originate. The Internet tag denotes the public IP address space.

Modify Cluster specification for change Service Tag on source addresses for provide on VirtualNetwork access:

spec:
  location:
  - azure:
      armTemplateExtras:
        securityRuleMastersAllowAPI:
          properties:
            sourceAddressPrefix: 'VirtualNetwork'

Source address list

You can use source address list for k8s API access restriction. Provide an address range using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64), or an IP address (e.g. 192.168.99.0 or 2001:1234::) defined in Array.

Pay attention! You will need to define sourceAddressPrefix as '' for exclude defaults rules.

spec:
  location:
  - azure:
      armTemplateExtras:
        securityRuleMastersAllowAPI:
          properties:
            sourceAddressPrefix: ''
            sourceAddressPrefixes:
            - 172.16.0.0/16
            - 1.1.1.1