How to design secure and convenient access to AKS clusters

The API Server is a crucial component of Kubernetes: it handles cluster configuration, workload management and much more. While this endpoint is critically important to secure, developers and engineers typically need regular and convenient access to it. Striking a balance between security and convenience is therefore highly desirable.

Azure Kubernetes Service (AKS) provides two robust mechanisms to restrict access to the API Server: restricting the authorized source IP ranges, or disabling public access to the API endpoint altogether.

While these two controls add security for the API endpoint, they create a few challenges for developers and engineers:

  1. With the rise of remote work, many users may be unable to keep a static source IP address that has been whitelisted by AKS.
  2. Although solutions are increasingly deployed, many users find that staying always on becomes a challenge at times, especially when it eats into already low internet bandwidth at home.
  3. While some users get access to a jump box or an Azure Bastion host, these lack notable features such as AD authentication or a true desktop experience.

Recommendations

One good approach to overcoming these challenges is to allow remote access to a fixed cloud endpoint that alone has access to the AKS cluster. More specifically, Visual Studio Code Remote Development and Windows Virtual Desktop are two solutions that can provide secure yet convenient access to a restricted AKS cluster.


Visual Studio Code Remote Development (SSH)

VS Code Remote Development (SSH) lets developers and engineers work from within Visual Studio Code on hardened, right-sized, per-user VMs. The solution has the following benefits:

  • The VMs can be started and shut down by automation around regular working hours.
  • Users use their local VS Code to run code and terminal commands that actually execute on a remote machine with access to the restricted AKS cluster.
  • Users would use SSH keys to access those machines, but could also evaluate the preview feature of Linux AD authentication.
  • The remote VM can sit in a VNET with access to a private AKS cluster, or can have an outbound IP whitelisted by AKS.
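The two API Server controls above (authorized IP ranges or a private cluster) only help if they are configured tightly and the remote VM's egress address is actually covered. The following audit check is an added example, not code from the original post or from Microsoft; it assumes a dict shaped like the `apiServerAccessProfile` section returned by `az aks show`, and the sample profile and VM address are constructed.

```python
"""Audit an AKS cluster's API-server exposure and confirm a jump VM's egress IP is covered.

Added example, not from the original post. Input is a dict shaped like the
`apiServerAccessProfile` section that `az aks show -g <rg> -n <name>` returns;
the sample below is constructed, not taken from a real cluster.
"""
import ipaddress

# Constructed sample: a public cluster allow-listing one office range and the VM's NAT IP.
SAMPLE_PROFILE = {
    "enablePrivateCluster": False,
    "authorizedIpRanges": ["203.0.113.0/24", "198.51.100.7/32"],
}
JUMP_VM_EGRESS_IP = "198.51.100.7"  # constructed: the remote VM's outbound public IP


def audit_api_server(profile, vm_egress_ip, max_prefix_width=16):
    """Return a list of findings (empty means the profile looks acceptable).

    - Private cluster: the API server has no public endpoint, nothing else to check.
    - Public cluster: it must carry authorized IP ranges, none of which may be a
      catch-all or wider than /max_prefix_width, and the jump VM's egress IP
      must fall inside one of them (otherwise kubectl from the VM is blocked).
    """
    findings = []
    if profile.get("enablePrivateCluster"):
        return findings
    ranges = profile.get("authorizedIpRanges") or []
    if not ranges:
        return ["API server is public with no authorized IP ranges"]
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"{net} is a catch-all and disables the IP restriction")
        elif net.prefixlen < max_prefix_width:
            findings.append(f"{net} is wider than /{max_prefix_width}")
    vm_ip = ipaddress.ip_address(vm_egress_ip)
    # Membership test is False across IPv4/IPv6 versions, so mixed lists are handled.
    if not any(vm_ip in net for net in nets):
        findings.append(f"jump VM egress IP {vm_ip} is not in the authorized ranges")
    return findings


if __name__ == "__main__":
    for finding in audit_api_server(SAMPLE_PROFILE, JUMP_VM_EGRESS_IP) or ["no findings"]:
        print(finding)
```

Run it against the real profile by feeding the output of `az aks show --query apiServerAccessProfile -o json` into `audit_api_server` together with the VM's NAT or public IP.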

Windows Virtual Desktop

While the above solution has some great benefits, it requires SSH access from a potentially wide array of IP ranges used by developers or engineers. It may also require additional GUI access to the Azure VM to run Kubernetes tools such as Lens, a Kubernetes IDE. Windows Virtual Desktop, by contrast, requires no open SSH ports and provides desktop access; it only needs TCP port 443 access to a defined Microsoft endpoint. Other benefits of this solution include:

  • Use of various clients, such as Windows, macOS, Android, iOS or Web.
  • Desktop discovery based on AD authentication, with no IP or host name distribution required.
  • A full desktop experience with Windows 10 or Windows 7.
  • Users may be able to use existing licenses to assign desktops.
  • The desktop host can sit in a VNET with access to a private AKS cluster, or can use an outbound IP whitelisted by AKS.

Whichever solution you choose to provide access to an AKS cluster, it is important to strike a balance between meeting security requirements and keeping teams productive. VS Code Remote Development and Windows Virtual Desktop are two options worth considering.


This article was originally published on Microsoft's Core Infrastructure and Security Blog.