How to design secure and convenient access to AKS clusters

Microsoft

The API server is a crucial component of Kubernetes: it is the endpoint through which cluster configuration, workload management and much more happen. While this endpoint is critically important to secure, developers and engineers typically require regular and convenient access to that API. Striking a balance between security and convenience is quite desirable here.

Azure Kubernetes Service (AKS) provides two robust mechanisms to restrict access to the API server: restricting the authorized source IP address ranges that may reach the endpoint, or disabling public access to the API endpoint altogether (a private cluster).
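As an added example (not code from the original article), the following POSIX shell script builds the Azure CLI command for the first mechanism, authorized IP ranges, after validating each CIDR and refusing 0.0.0.0/0, which would admit every source address and so defeat the control. The resource group and cluster names are placeholders, and the az CLI is assumed to be installed when the printed command is run.

```shell
# Added example, not code from the original article. Builds the Azure CLI
# command that restricts an AKS API server to an allowlist of source CIDRs
# after checking each range. Names passed in are placeholders; 'az' is
# assumed to be available when the printed command is actually run.

# Return 0 when $1 is a well-formed IPv4 CIDR such as 203.0.113.0/24.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}
  prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -f            # no globbing while the address is split on dots
  set -- $ip
  set +f; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# A range that admits every source address defeats the control entirely.
acceptable_range() {
  valid_cidr "$1" || return 1
  case "$1" in 0.0.0.0/0) return 1 ;; esac
  return 0
}

# Print the 'az aks update' invocation for the given resource group, cluster
# name and one or more CIDRs. Prints nothing and fails if any range is
# rejected. Passing an empty string to --api-server-authorized-ip-ranges
# removes the restriction again, so the empty case is deliberately refused.
build_authorized_ip_cmd() {
  rg=$1; cluster=$2; shift 2
  [ $# -ge 1 ] || return 1
  ranges=
  for r in "$@"; do
    acceptable_range "$r" || { echo "rejected range: $r" >&2; return 1; }
    ranges="${ranges:+$ranges,}$r"
  done
  printf 'az aks update --resource-group %s --name %s --api-server-authorized-ip-ranges %s\n' \
    "$rg" "$cluster" "$ranges"
}
```

The script only prints the command; running it (for example via `eval "$(build_authorized_ip_cmd rg-example aks-example 203.0.113.0/24)"`) is left to the operator so the allowlist can be reviewed first.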

While these two controls add real protection for the API endpoint, developers and engineers do face a few challenges with them:

  1. With the rise of remote work, many users are unable to keep a static source IP address that can be authorized by AKS.

  2. Although VPN solutions are increasingly deployed, many users find that an always-on VPN becomes a challenge at times, especially when it eats into already low internet bandwidth at home.

  3. While some users get access to a jump box or an Azure Bastion host, such a host lacks many notable features, like AD authentication or a true desktop experience.

Read the full article: https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-design-secure-and-convenient-access-to-aks-clusters/ba-p/1847994