In the ever-evolving landscape of cloud computing and Kubernetes management, Microsoft’s Azure Kubernetes Service (AKS) continuously introduces features to bolster security and ease of management. A significant new feature now in preview is the ability to control SSH access to AKS cluster nodes, providing administrators with enhanced security capabilities. This blog post will delve into the details of this new feature, its prerequisites, and how to implement it.
Understanding the New SSH Access Control Feature
The introduction of the --ssh-access parameter marks a substantial step forward in managing AKS clusters. This parameter is now part of the az aks create, az aks update, az aks nodepool add, and az aks nodepool update commands. It offers two options: disabled and localuser.
Parameter Details:
- Name: --ssh-access
- Type: String
- Function: Configures SSH settings for all node pools in the cluster.
- Options: disabled (disables SSH access) and localuser (enables SSH access using a private key).
- Default: localuser.
Prerequisites
Before diving into this new feature, it’s important to understand the prerequisites:
- AKS-Preview extension installed with version 0.5.172 or higher.
- The Microsoft.ContainerService DisableSSHPreview feature registered.
To begin, you need to register the DisableSSHPreview feature flag. This can be done using the Azure CLI as follows:
- You can access Azure Cloud Shell by navigating to https://shell.azure.com or via the Azure portal.
- Execute the following command:
az feature register --namespace "Microsoft.ContainerService" --name "DisableSSHPreview"
This command registers the feature flag with your Azure subscription. It can take a short while to finish.
- Confirm that the registration is complete by running:
az feature show --namespace "Microsoft.ContainerService" --name "DisableSSHPreview"
Wait until the status shows ‘Registered’.
- After registration, refresh the Microsoft.ContainerService resource provider using:
az provider register --namespace Microsoft.ContainerService
Now let’s look at the commands to disable SSH access.
Command Examples
Creating a New AKS Cluster:
az aks create --name MyCluster --resource-group MyResourceGroup --ssh-access disabled
This command creates a new AKS cluster named ‘MyCluster’ in the ‘MyResourceGroup’ with SSH access disabled.
Updating an Existing AKS Cluster:
az aks update --name MyCluster --resource-group MyResourceGroup --ssh-access disabled
This updates the AKS cluster called ‘MyCluster’ and disables SSH access.
Adding a New Node Pool:
az aks nodepool add --cluster-name MyCluster --resource-group MyResourceGroup --name MyNodePool --ssh-access disabled
This adds a new node pool to the ‘MyCluster’ cluster with SSH access disabled.
Updating an Existing Node Pool:
az aks nodepool update --cluster-name MyCluster --resource-group MyResourceGroup --name MyNodePool --ssh-access disabled
This updates the ‘MyNodePool’ node pool to disable SSH access.
When updating an existing node pool with this feature, you’ll receive a confirmation message: “You’re going to update agentpool {Node Pool Name} SSH access to ‘{Value}’. This change will take effect after you upgrade the node pool. Proceed?”
So remember: the new setting only takes effect once you upgrade the node pool, so make sure you upgrade it too.
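The whole procedure above as one script, added here as an example that is not part of the original post: it registers the feature flag, polls until the state is Registered, refreshes the resource provider, disables SSH on the cluster and on every node pool, and then reads each pool's setting back. MyResourceGroup/MyCluster are placeholders, and the securityProfile.sshAccess query path used for the read-back is an assumption, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: az CLI logged in with the
# aks-preview extension >= 0.5.172; RG/CLUSTER are placeholders you override.
set -eu

NAMESPACE="Microsoft.ContainerService"
FEATURE="DisableSSHPreview"
RG="${RG:-MyResourceGroup}"
CLUSTER="${CLUSTER:-MyCluster}"

# True only when the feature state reported by Azure is exactly "Registered".
is_registered() { [ "$1" = "Registered" ]; }

# Poll a probe command ($3..) until is_registered succeeds.
# $1 = max attempts, $2 = seconds between attempts. Returns 1 on timeout.
wait_for_state() {
  max="$1"; delay="$2"; shift 2
  i=0
  while [ "$i" -lt "$max" ]; do
    state="$("$@")"
    if is_registered "$state"; then return 0; fi
    i=$((i + 1)); sleep "$delay"
  done
  return 1
}

# Prints the bare registration state string of the preview feature.
feature_state() {
  az feature show --namespace "$NAMESPACE" --name "$FEATURE" \
    --query properties.state -o tsv
}

register_preview() {
  az feature register --namespace "$NAMESPACE" --name "$FEATURE" >/dev/null
  wait_for_state 40 15 feature_state            # wait up to ~10 minutes
  az provider register --namespace "$NAMESPACE"  # refresh the resource provider
}

# Cluster-wide first, then every node pool. nodepool update prompts "Proceed?",
# and the pool-level change only applies after the node pool is upgraded.
disable_ssh_everywhere() {
  az aks update -g "$RG" -n "$CLUSTER" --ssh-access disabled >/dev/null
  for pool in $(az aks nodepool list -g "$RG" --cluster-name "$CLUSTER" --query "[].name" -o tsv); do
    az aks nodepool update -g "$RG" --cluster-name "$CLUSTER" -n "$pool" --ssh-access disabled >/dev/null
  done
}

# Read-back check (assumed query path): the setting each pool currently reports.
show_ssh_setting() {
  az aks nodepool list -g "$RG" --cluster-name "$CLUSTER" \
    --query "[].{pool:name, ssh:securityProfile.sshAccess}" -o table
}

if [ "${1:-}" = "run" ]; then register_preview; disable_ssh_everywhere; show_ssh_setting; fi
```

Run it as `RG=... CLUSTER=... sh disable-ssh.sh run`; the read-back only shows the new value for a pool after that pool has been upgraded.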
Why This Matters
By default, SSH access in AKS is enabled as localuser, which might not align with all organizational security policies. This new feature brings flexibility and heightened security, allowing administrators to disable SSH access entirely or restrict it to a local user. Such control is crucial in scenarios where stringent security measures are paramount.
Conclusion
Microsoft’s AKS continues to evolve, offering more robust and secure options for Kubernetes management. The new SSH access control feature exemplifies this evolution, giving administrators better control over their cluster security. As always, be sure to follow the necessary prerequisites before implementing new features, and don’t try this in production first.