azure-aks-api-iprange
Ensure AKS has API Server Authorized IP Ranges enabled. By default, the Kubernetes API server is publicly accessible, which could allow an attacker to exploit misconfigurations in your Kubernetes RBAC or unpatched security vulnerabilities.
The API IP Range should be configured to include the following IP ranges:
- The firewall public IP address of your network.
- The IP addresses or ranges where you might administer the cluster from.
- (For private AKS clusters) The local network CIDR.
- (For Azure Dev Spaces) The IP ranges for the Dev Spaces in your region.
The rules can take up to 2 minutes to propagate. Please allow up to that time when testing the connection.
Examples
Insecure Example
```hcl
resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  api_server_authorized_ip_ranges = null # Option is omitted or null

  identity {
    type = "SystemAssigned"
  }
}
```
Secure Example
```hcl
resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  # The attribute takes a list of CIDR strings; replace the placeholder
  # with the firewall and administrator ranges listed above.
  api_server_authorized_ip_ranges = ["0.0.0.0/32"]

  identity {
    type = "SystemAssigned"
  }
}
```
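To show what the check above actually has to decide, here is an added pre-commit style validator for the `api_server_authorized_ip_ranges` attribute; it is example code written for this page, not tfsec's implementation. It extracts the attribute from a cluster block with a regex (a full HCL parser is out of scope) and fails on an omitted, null or empty list, on an all-addresses range, on the `0.0.0.0` placeholder, and on ranges wider than an assumed `/16` threshold. The sample blocks are constructed to mirror the two examples on this page.

```python
import ipaddress
import re

# Constructed samples mirroring the page's insecure and secure resource blocks.
INSECURE_HCL = 'resource "azurerm_kubernetes_cluster" "example" {\n  api_server_authorized_ip_ranges = null\n}\n'
SECURE_HCL = ('resource "azurerm_kubernetes_cluster" "example" {\n'
              '  api_server_authorized_ip_ranges = ["203.0.113.10/32", "198.51.100.0/24"]\n}\n')

# Matches either a bracketed list (possibly spanning lines) or a literal null.
ATTR_RE = re.compile(r'api_server_authorized_ip_ranges\s*=\s*(\[[^\]]*\]|null)')


def extract_ranges(hcl: str):
    """Return the CIDR strings from the attribute, or None if it is absent or null."""
    match = ATTR_RE.search(hcl)
    if not match or match.group(1) == "null":
        return None
    return re.findall(r'"([^"]+)"', match.group(1))


def check_api_ranges(hcl: str, max_prefix_width: int = 16):
    """Evaluate one cluster block. Returns (passed, findings); any finding fails the check.

    max_prefix_width is an assumed policy threshold: anything wider than /16 is flagged
    for review because a broad range weakens the control.
    """
    ranges = extract_ranges(hcl)
    if not ranges:
        return False, ["api_server_authorized_ip_ranges omitted, null or empty: "
                       "API server is reachable from any address"]
    findings = []
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{cidr}: not a valid CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr}: allows every address, equivalent to no restriction")
        elif net.prefixlen < max_prefix_width:
            findings.append(f"{cidr}: wider than /{max_prefix_width}, confirm this is intended")
        elif net.network_address.is_unspecified:
            findings.append(f"{cidr}: 0.0.0.0 placeholder, replace with real firewall/admin ranges")
    return (not findings), findings


if __name__ == "__main__":
    for label, block in (("insecure", INSECURE_HCL), ("secure", SECURE_HCL)):
        passed, findings = check_api_ranges(block)
        print(label, "PASS" if passed else "FAIL", findings)
```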