Reading Time: 3 minutes
Share:
Twitter
LinkedIn
Facebook
Reddit
Whatsapp
Follow by Email

In the ever-evolving landscape of cloud computing and Kubernetes management, Microsoft’s Azure Kubernetes Service (AKS) continuously introduces features to bolster security and ease of management. A significant new feature now in preview is the ability to control SSH access to AKS cluster nodes, providing administrators with enhanced security capabilities. This blog post will delve into the details of this new feature, its prerequisites, and how to implement it.

Understanding the New SSH Access Control Feature

The introduction of the –ssh-access parameter marks a substantial step forward in managing AKS clusters. This parameter is now part of the az aks create, az aks update, az aks nodepool add, and az aks nodepool update commands. It offers two options: disabled and localuser.

Parameter Details:

  • Name: –ssh-access
  • Type: String
  • Function: Configures SSH settings for all node pools in the cluster.
  • Options: disabled (disables SSH access) and localuser (enables SSH access using a private key).
  • Default: localuser.

Prerequisites

Before diving into this new feature, it’s important to understand the prerequisites:

  • AKS-Preview extension installed with version 0.5.172 or higher.
  • The Microsoft.ContainerService DisableSSHPreview feature registered.

To begin, you need to register the DisableSSHPreview feature flag. This can be done using the Azure CLI as follows:

  1. You can access Azure Cloud Shell by navigating to https://shell.azure.com or via the Azure portal.
  2. Execute the following command:

This command registers the feature flag with your Azure subscription. It can take a short while to finish.

  1. Confirm that the registration is complete by running:

Wait until the status shows ‘Registered’.

  1. After registration, refresh the Microsoft.ContainerService resource provider using:

Now let’s look at the commands to disable SSH access.

Command Examples

Creating a New AKS Cluster:

This command creates a new AKS cluster named ‘MyCluster’ in the ‘MyResourceGroup’ with SSH access disabled.

Updating an Existing AKS Cluster:

This updates the AKS cluster called ‘MyCluster’ and disables SSH access.

Adding a New Node Pool:

Adds a new node pool to ‘MyCluster’ cluster, with SSH access disabled.

Updating an Existing Node Pool:

This updates the ‘MyNodePool’ node pool to disable SSH access.

When updating an existing node pool with this feature, you’ll receive a confirmation message: “You’re going to update agentpool {Node Pool Name} SSH access to ‘{Value}’. This change will take effect after you upgrade the node pool. Proceed?”

So, remember for it to be enabled, make sure you upgrade your node pool too.

Why This Matters

By default, SSH access in AKS is enabled as localuser, which might not align with all organizational security policies. This new feature brings flexibility and heightened security, allowing administrators to disable SSH access entirely or restrict it to a local user. Such control is crucial in scenarios where stringent security measures are paramount.

Conclusion

Microsoft’s AKS continues to evolve, offering more robust and secure options for Kubernetes management. The new SSH access control feature exemplifies this evolution, giving administrators better control over their cluster security. As always, ensure to follow the necessary prerequisites before implementing new features and make sure you don’t run this in production first.

Share:
Twitter
LinkedIn
Facebook
Reddit
Whatsapp
Follow by Email

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *