How to design secure and convenient access to AKS clusters

This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.

The API server is the central component of Kubernetes: every cluster configuration change, workload deployment and much else goes through it. That makes it a critical endpoint to protect, yet developers and engineers need regular and convenient access to it. Striking a balance between security and convenience is the goal here.


Azure Kubernetes Service (AKS) provides two robust mechanisms to restrict access to the API server: authorized IP ranges, which allow only listed source addresses to reach the public endpoint, and private clusters, which disable public access to the endpoint altogether.

Both controls add real protection for the API endpoint, but they create a few practical challenges for developers and engineers:

  1. With the rise of remote work, many users cannot keep a static source IP address that can be whitelisted by AKS.
     
  2. VPN solutions are increasingly deployed, but an always-on VPN is a burden for many users, especially when it eats into already limited home internet bandwidth.
     
  3. Some users are given a jump box or an Azure Bastion host, but these lack notable features such as AD authentication and a true desktop experience.

Recommendations

One good way to overcome these challenges is to give users remote access to a fixed cloud endpoint, and to make that endpoint the only source allowed to reach the AKS cluster's API server. Specifically, Visual Studio Code Remote Development and Windows Virtual Desktop are two solutions that can provide secure yet convenient access to a restricted AKS cluster.


blog-secure-development.png


Visual Studio Code Remote Development (SSH)

VS Code Remote Development (SSH) lets developers and engineers work, from within their local Visual Studio Code, on hardened and right-sized per-user virtual machines. The solution has the following benefits:

  • The virtual machines can be started and shut down by automation on a schedule that follows regular working hours, which limits both cost and the time the machines are exposed.
  • Users work in their local VS Code, but the code and terminal commands actually run on the remote machine, which is the host with access to the restricted AKS cluster.
  • On Linux VMs, users authenticate with SSH keys, and could also evaluate the preview feature for AD authentication to Linux VMs.
  • The remote VM can sit in a VNET with access to a private AKS cluster, or can use a fixed outbound public IP that is whitelisted in the cluster's authorized IP ranges.


Windows Virtual Desktop

The solution above has clear benefits, but it requires inbound SSH access from whatever IP ranges the developers and engineers connect from, which can be a wide set. It may also require separate GUI access to the Azure virtual machines to run graphical Kubernetes tools such as Lens, a Kubernetes IDE. Windows Virtual Desktop, by contrast, needs no open inbound SSH ports and provides full desktop access; the client only needs outbound TCP port 443 to a defined Microsoft endpoint. Other benefits of this solution include:

  • Use of various clients: Windows, macOS, Android, iOS, or a web browser.
  • Desktop discovery based on AD authentication; no IP addresses or host names need to be distributed to users.
  • Full desktop experience with Windows 10 or Windows 7.
  • Users may be able to leverage existing licenses to assign desktops.
  • The desktop host can sit in a VNET with access to a private AKS cluster, or can use a Load Balancer outbound IP that is whitelisted in the cluster's authorized IP ranges.


Whichever solution you choose for access to an AKS cluster, it is important to strike a balance between meeting security requirements and keeping teams productive. VS Code Remote Development and Windows Virtual Desktop are two options worth considering.
