Don't SSH to AKS

Disabling SSH Access in Azure Kubernetes Service (AKS) is now available for better security!

Azure Kubernetes Service (AKS) now supports disabling SSH access to enhance cluster security. This feature allows you to prevent SSH connections to your cluster nodes, reducing potential attack vectors and improving your overall security posture.

Prerequisites

⚠️ Important: You must upgrade your Azure CLI and install the AKS preview extension to use this feature.

Before proceeding with the commands below, ensure you have the latest Azure CLI version and the AKS preview extension installed:

# Update Azure CLI to the latest version
az upgrade

# Install or update the AKS preview extension
az extension add --name aks-preview
az extension update --name aks-preview

Managing SSH Access in AKS

Updating an Existing AKS Cluster

To disable SSH access on an existing AKS cluster, use the following command:

az aks update --name MyCluster --resource-group MyResourceGroup --ssh-access disabled

This command updates the AKS cluster called 'MyCluster' and disables SSH access to all nodes in the cluster.

Adding a New Node Pool with SSH Disabled

When adding a new node pool to your cluster, you can disable SSH access from the start:

az aks nodepool add --cluster-name MyCluster --resource-group MyResourceGroup --name MyNodePool --ssh-access disabled

This adds a new node pool named 'MyNodePool' to the 'MyCluster' cluster with SSH access disabled from the moment it is created.

Updating an Existing Node Pool

If you have an existing node pool and want to disable SSH access, use this command:

az aks nodepool update --cluster-name MyCluster --resource-group MyResourceGroup --name MyNodePool --ssh-access disabled

This updates the specified node pool to disable SSH access to its nodes.
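The three commands above, combined into an added script (not from the original post) that audits every node pool of a cluster and disables SSH access only where it is still enabled. It assumes the aks-preview extension is installed and that `az aks nodepool list` exposes the setting as `securityProfile.sshAccess` with the value `Disabled` once SSH is off; confirm both against `az aks nodepool show` on your own cluster before relying on the check.

```shell
#!/bin/sh
# Added example, not from the original post: audit every node pool of an AKS
# cluster for SSH access and disable it only where it is still enabled.
# Assumptions: aks-preview extension installed; the node pool property is
# securityProfile.sshAccess and reads "Disabled" once SSH is off.
set -eu

AZ_CMD="${AZ_CMD:-az}"   # set AZ_CMD=echo to dry-run (prints the commands instead)

# Print "<pool>\t<sshAccess>" for every node pool of the cluster (TSV).
list_pool_ssh_state() {
  "$AZ_CMD" aks nodepool list --cluster-name "$1" --resource-group "$2" \
    --query "[].[name, securityProfile.sshAccess]" -o tsv
}

# Read TSV lines on stdin; print the names of pools whose SSH access is not Disabled.
pools_needing_fix() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r pool state; do
    [ -z "$pool" ] && continue
    case "$state" in
      Disabled) ;;                 # already compliant
      *) printf '%s\n' "$pool" ;;  # LocalUser, or unset
    esac
  done
}

# Disable SSH on each pool name read from stdin (one per line).
disable_ssh_on_pools() {
  cluster="$1"; rg="$2"
  while read -r pool; do
    [ -z "$pool" ] && continue
    "$AZ_CMD" aks nodepool update --cluster-name "$cluster" --resource-group "$rg" \
      --name "$pool" --ssh-access disabled
  done
}

# Usage: sh disable_ssh.sh MyCluster MyResourceGroup
if [ "$#" -eq 2 ]; then
  list_pool_ssh_state "$1" "$2" | pools_needing_fix | disable_ssh_on_pools "$1" "$2"
fi
```

Run it with AZ_CMD=echo first to review the exact update commands it would issue.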

Security Benefits

Disabling SSH access provides several security advantages:

  • Reduced Attack Surface: Eliminates SSH as a potential entry point for attackers
  • Improved Compliance: Helps meet security requirements that prohibit direct node access
  • Simplified Security Management: Reduces the need to manage SSH keys and access controls

Alternative Access Methods

Even with SSH disabled, you can still access nodes for troubleshooting purposes using Kubernetes debug containers:

# Create a debug container on a specific node
kubectl debug node/NODE_NAME -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0

# Once inside the debug container, you can access the host filesystem
chroot /host

This method allows you to:

  • Access the node's filesystem and processes
  • Run diagnostic commands
  • Troubleshoot node-level issues
  • Perform maintenance tasks when necessary

Important Considerations

  • Once SSH access is disabled, you will not be able to directly connect to the cluster nodes via SSH
  • Debug containers with chroot /host provide an alternative way to access node internals when needed
  • Use alternative methods like kubectl debug or Azure Container Instances for troubleshooting
  • Ensure your monitoring and logging solutions are properly configured before disabling SSH access
  • This feature requires the AKS preview extension and may not be available in all Azure regions initially

Next Steps

After disabling SSH access, consider implementing additional security measures such as:

  • Enabling Azure Policy for Kubernetes
  • Configuring network policies
  • Implementing proper RBAC controls
  • Setting up comprehensive monitoring and alerting

Remember to test these changes in a development environment before applying them to production clusters.