Ensure Kubernetes dashboard is disabled

Error: Kubernetes dashboard is not disabled

Bridgecrew Policy ID: BC_AZR_KUBERNETES_5
Checkov Check ID: CKV_AZURE_8
Severity: LOW

Description

The Terraform provider for Azure lets you disable the Kubernetes dashboard on an AKS cluster. This is possible because AKS provides the dashboard as an add-on, like the Azure Monitor for containers integration, AKS virtual nodes, or HTTP application routing. The dashboard add-on is disabled by default for all new clusters created on Kubernetes 1.18 or greater.

In mid-2019, Tesla was hacked and its Kubernetes dashboard was open to the internet. The attackers browsed around and found credentials, and eventually managed to deploy pods running bitcoin mining software.

We recommend that you disable the Kubernetes dashboard. Doing so removes the need to manage its separate access interface and eliminates it as an attack vector.

Fix - Runtime

CLI Command

az aks disable-addons -g myRG -n myAKScluster -a kube-dashboard 

Fix - Buildtime

Terraform

  • Resource: azurerm_kubernetes_cluster
  • Argument: kube_dashboard (required): Is the Kubernetes Dashboard enabled?
...
  addon_profile {
    kube_dashboard {
      enabled = false
    }
  }
...

ARM Templates

  • Resource: Microsoft.ContainerService/managedClusters
  • Argument: kubeDashboard
...
        "addonProfiles": {
          "kubeDashboard": {
            "enabled": false
          }
        },
...
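
The ARM setting above can be audited before a template is deployed. The following is an added example, not Checkov's or Bridgecrew's own check code: it classifies every managedClusters resource in a template by its kubeDashboard setting. It assumes the add-on sits under properties.addonProfiles as in the ARM schema; the sample template, the function names and the state labels are constructed for illustration.

```python
import json

AKS_TYPE = "microsoft.containerservice/managedclusters"  # compared lowercased

# Constructed sample template (not from the page): clusters covering each
# outcome, plus one unrelated resource that the audit must skip.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-ok",
   "properties": {"addonProfiles": {"kubeDashboard": {"enabled": false}}}},
  {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-bad",
   "properties": {"addonProfiles": {"kubeDashboard": {"enabled": "True"}}}},
  {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-param",
   "properties": {"addonProfiles": {"kubeDashboard": {"enabled": "[parameters('dash')]"}}}},
  {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-unset", "properties": {}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "logs"}
]}
""")


def dashboard_state(resource):
    """Classify one cluster resource: disabled, enabled, unresolved or unset."""
    profiles = (resource.get("properties") or {}).get("addonProfiles") or {}
    if not isinstance(profiles, dict):
        return "unresolved"  # whole profile map is a template expression
    # Match the key without regard to case so "KubeDashboard" is not missed.
    addon = next((v for k, v in profiles.items()
                  if k.lower() == "kubedashboard" and isinstance(v, dict)), None)
    if addon is None or "enabled" not in addon:
        return "unset"  # nothing explicit: depends on the cluster default
    value = addon["enabled"]
    if isinstance(value, bool):
        return "enabled" if value else "disabled"
    text = str(value).strip().lower()
    if text in ("true", "false"):
        return "enabled" if text == "true" else "disabled"
    return "unresolved"  # e.g. "[parameters('dash')]": check the parameter value


def audit(template):
    """Return {cluster name: state} for every AKS cluster in the template."""
    return {r.get("name", "<unnamed>"): dashboard_state(r)
            for r in template.get("resources", [])
            if str(r.get("type", "")).lower() == AKS_TYPE}


if __name__ == "__main__":
    print(audit(SAMPLE_TEMPLATE))
```

Only "disabled" meets the policy as an explicit setting; "unset" and "unresolved" need a manual look at the cluster version or the parameter file.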