Information disclosure from unrestricted AKS API server access in Azure Kubernetes

Risk: Medium | Category: infrastructure-security
Tags: azure, aks, kubernetes, api-server, network-security, access-control, information-disclosure, terraform

What it is

Azure Kubernetes Service (AKS) clusters with publicly accessible API servers and no IP access restrictions expose the Kubernetes API to internet scanning, brute-force attacks, and potential unauthorized access attempts. This increases the attack surface and provides opportunities for reconnaissance and exploitation.

# VULNERABLE: AKS cluster with unrestricted API server access
resource "azurerm_kubernetes_cluster" "vulnerable_aks" {
  name                = "vulnerable-aks-cluster"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "vulnerable-aks"

  default_node_pool {
    name       = "default"
    node_count = 3
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  # VULNERABLE: No api_server_authorized_ip_ranges configured
  # API server is publicly accessible from any IP
}

# VULNERABLE: Explicit public cluster without restrictions
resource "azurerm_kubernetes_cluster" "public_unrestricted" {
  name                = "public-aks"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "public-aks"

  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  # VULNERABLE: Empty api_server_authorized_ip_ranges allows all
  api_server_authorized_ip_ranges = []
}

# SECURE: AKS cluster with IP access restrictions
resource "azurerm_kubernetes_cluster" "secure_aks" {
  name                = "secure-aks-cluster"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "secure-aks"

  default_node_pool {
    name       = "default"
    node_count = 3
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  # SECURE: Restrict API server access to specific IP ranges
  api_server_authorized_ip_ranges = [
    "10.0.0.0/8",      # Corporate network
    "203.0.113.0/24",  # VPN gateway
    "198.51.100.5/32"  # Bastion host
  ]
}

# SECURE: Private AKS cluster
resource "azurerm_kubernetes_cluster" "private_aks" {
  name                = "private-aks"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "private-aks"
  private_cluster_enabled = true

  default_node_pool {
    name       = "default"
    node_count = 3
    vm_size    = "Standard_D2_v2"
    vnet_subnet_id = azurerm_subnet.aks.id
  }

  identity {
    type = "SystemAssigned"
  }

  # SECURE: Private cluster with network restrictions
  network_profile {
    network_plugin = "azure"
  }
}

💡 Why This Fix Works

The vulnerable configurations either omit api_server_authorized_ip_ranges entirely or set it to an empty array, allowing unrestricted public access to the AKS API server from any internet IP address. The secure versions implement IP access restrictions using api_server_authorized_ip_ranges to limit access to known networks, or use private_cluster_enabled to make the API server completely private and only accessible from within the Azure virtual network.

Why it happens

Azure Kubernetes Service clusters are created with publicly accessible API servers by default. Without explicit network restrictions, the Kubernetes API endpoint is exposed to the entire internet, allowing port scanning and connection attempts from any source.

Root causes

Default Public API Server Configuration

Unless the configuration says otherwise, AKS provisions a public API server endpoint, so the Kubernetes API accepts connection attempts and port scans from any source on the internet.

Missing IP Range Authorization

AKS Terraform configurations omit the api_server_authorized_ip_ranges parameter. Without this configuration, the API server accepts connections from all IP addresses, exposing cluster management capabilities to potential attackers.

Absent API Server Access Controls

Organizations fail to implement IP-based access restrictions on the Kubernetes API server. No network-level controls limit which sources can reach the API endpoint, increasing the attack surface significantly.

Inadequate Network Segmentation

API server network access controls aren't aligned with organizational network architecture. Clusters lack configuration to restrict access to corporate networks, VPNs, or specific administrative jump boxes.

Deployment Without Security Hardening

AKS clusters are deployed using default configurations without security review or hardening. Teams prioritize quick deployment over implementing access restrictions, leaving API servers unnecessarily exposed.

Fixes

1. Configure API Server IP Authorization

Set api_server_authorized_ip_ranges in your AKS Terraform configuration to specify allowed IP ranges. This creates an IP allowlist at the API server level, rejecting connection attempts from unauthorized networks.

2. Restrict to Corporate Networks and VPNs

Limit API server access to specific trusted IP ranges including corporate office networks, VPN gateways, and administrative jump boxes. Use CIDR notation to precisely define allowed source addresses for kubectl and automation tools.

3. Implement Private AKS Clusters

Set private_cluster_enabled = true so that AKS uses Azure Private Link to expose the API server only on a private IP address inside your virtual network. The public endpoint is not created at all, so there is nothing for internet scanners to reach.

4. Deploy Network Security Groups

Configure Network Security Groups (NSGs) on AKS subnet resources to provide defense-in-depth network controls. Layer NSG rules with API server IP restrictions to create multiple security boundaries.

5. Enable Azure AD Authentication

Integrate AKS with Azure Active Directory for cluster authentication. Combined with IP restrictions, Azure AD provides identity-based access control, multi-factor authentication, and centralized audit logging for all API server access.
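As an added example that is not part of this page or of Sourcery's own tooling, the following Python script applies the rule stated under "Why This Fix Works" and fixes 1 to 3 to the JSON that `terraform show -json <planfile>` produces: a cluster passes if it is private, or if it has a non-empty allowlist that contains no prefix matching every address. The plan JSON embedded below is a constructed sample whose cluster names mirror the resources on this page. Handling of the `api_server_access_profile { authorized_ip_ranges = [...] }` block, which newer azurerm provider versions use in place of the deprecated top-level attribute, assumes the block appears in plan output as a list with one object.

```python
"""Audit Terraform plan output for AKS clusters with an unrestricted public API server."""
import ipaddress
import json

# Constructed sample of `terraform show -json <planfile>` output, cut down to the
# fields this check reads. Cluster names mirror the resources on this page;
# `api_server_access_profile` is the nested-block form newer azurerm provider
# versions use for the same allowlist (assumed shape: a list of one object).
SAMPLE_PLAN = json.dumps({
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "azurerm_kubernetes_cluster.vulnerable_aks",
                 "type": "azurerm_kubernetes_cluster",
                 "values": {"private_cluster_enabled": False,
                            "api_server_authorized_ip_ranges": None,
                            "api_server_access_profile": []}},
                {"address": "azurerm_kubernetes_cluster.public_unrestricted",
                 "type": "azurerm_kubernetes_cluster",
                 "values": {"private_cluster_enabled": False,
                            "api_server_authorized_ip_ranges": [],
                            "api_server_access_profile": []}},
                {"address": "azurerm_kubernetes_cluster.secure_aks",
                 "type": "azurerm_kubernetes_cluster",
                 "values": {"private_cluster_enabled": False,
                            "api_server_authorized_ip_ranges":
                                ["10.0.0.0/8", "203.0.113.0/24", "198.51.100.5/32"],
                            "api_server_access_profile": []}},
                {"address": "azurerm_kubernetes_cluster.private_aks",
                 "type": "azurerm_kubernetes_cluster",
                 "values": {"private_cluster_enabled": True,
                            "api_server_authorized_ip_ranges": None,
                            "api_server_access_profile": []}},
                {"address": "azurerm_resource_group.example",
                 "type": "azurerm_resource_group", "values": {"name": "example-rg"}},
            ],
            "child_modules": [{
                "address": "module.platform",
                "resources": [
                    {"address": "module.platform.azurerm_kubernetes_cluster.wide_open",
                     "type": "azurerm_kubernetes_cluster",
                     "values": {"private_cluster_enabled": False,
                                "api_server_authorized_ip_ranges": None,
                                "api_server_access_profile":
                                    [{"authorized_ip_ranges": ["0.0.0.0/0"]}]}},
                ],
            }],
        }
    }
})


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def authorized_ranges(values):
    """Return the configured API server allowlist, or None when neither form is set."""
    legacy = values.get("api_server_authorized_ip_ranges")
    if legacy is not None:
        return list(legacy)
    for profile in values.get("api_server_access_profile") or []:
        if profile.get("authorized_ip_ranges") is not None:
            return list(profile["authorized_ip_ranges"])
    return None


def audit_cluster(values):
    """Return finding strings for one azurerm_kubernetes_cluster; empty means compliant."""
    if values.get("private_cluster_enabled"):
        return []  # no public endpoint exists, so an IP allowlist is not needed
    ranges = authorized_ranges(values)
    if ranges is None:
        return ["no authorized IP ranges set: API server accepts connections from any IP"]
    if not ranges:
        return ["authorized IP ranges is an empty list, which leaves the API server unrestricted"]
    findings = []
    for cidr in ranges:
        try:
            network = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"unparseable CIDR {cidr!r}")
            continue
        if network.prefixlen == 0:
            findings.append(f"{cidr} matches every source address, equivalent to no restriction")
    return findings


def audit_plan(plan_json):
    """Map each AKS cluster address in the plan to its list of findings."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    return {
        res["address"]: audit_cluster(res.get("values") or {})
        for res in iter_resources(root)
        if res.get("type") == "azurerm_kubernetes_cluster"
    }


if __name__ == "__main__":
    for address, findings in audit_plan(SAMPLE_PLAN).items():
        status = "OK" if not findings else "FAIL"
        print(f"{status:4} {address}")
        for finding in findings:
            print(f"      - {finding}")
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `audit_plan`. The walk through `child_modules` matters in practice: clusters defined inside a shared module are the ones most often missed by a check that only reads the root module.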

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from unrestricted AKS API server access in Azure Kubernetes, and many other security issues, in your codebase.