Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)

In Kubernetes, the API server receives requests to perform actions in the cluster, such as creating resources or scaling the number of nodes. The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize the attack surface, the API server should only be accessible from a limited set of IP address ranges.

This article shows you how to use API server authorized IP address ranges to limit which IP addresses and CIDRs can access the control plane.

Important

On new clusters, API server authorized IP address ranges are only supported on the Standard SKU load balancer. Existing clusters with the Basic SKU load balancer and API server authorized IP address ranges configured will continue to work as is, but cannot be migrated to a Standard SKU load balancer. Those existing clusters will also continue to work if their Kubernetes version or control plane is upgraded.

Before you begin

This article shows you how to create an AKS cluster using the Azure CLI.

You need the Azure CLI version 2.0.76 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Overview of API server authorized IP ranges

The Kubernetes API server is how the underlying Kubernetes APIs are exposed. This component provides the interaction point for management tools such as kubectl or the Kubernetes dashboard. AKS provides a single-tenant cluster master with a dedicated API server. By default, the API server is assigned a public IP address, and you should control access using role-based access control (RBAC).

To secure access to the otherwise publicly accessible AKS control plane / API server, you can enable and use authorized IP ranges. These authorized IP ranges only allow defined IP address ranges to communicate with the API server. A request made to the API server from an IP address that isn't part of these authorized IP ranges is blocked. Continue to use RBAC to authorize users and the actions they request: authorized IP ranges restrict where requests may come from, while RBAC decides what an authenticated caller may do.

For more information about the API server and other cluster components, see Kubernetes core concepts for AKS.

Create an AKS cluster with API server authorized IP ranges enabled

API server authorized IP ranges only work for new AKS clusters and aren't supported for private AKS clusters. Create a cluster using az aks create and specify the --api-server-authorized-ip-ranges parameter to provide a list of authorized IP address ranges. These IP address ranges are usually the address ranges used by your on-premises networks or your public IPs. When you specify a CIDR range, start with the first IP address in the range. For example, 137.117.106.90/29 is a valid range, but make sure you specify the first IP address in the range, such as 137.117.106.88/29.
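Because the parameter expects each CIDR to start at its network address (137.117.106.88/29 rather than 137.117.106.90/29), it helps to normalise ranges before passing them to the CLI. The following POSIX shell helper is an added example, not part of the AKS documentation or the Azure CLI; it assumes IPv4 CIDRs only, and the cluster and resource group names in the commented usage are the article's sample values.

```shell
#!/bin/sh
# Added helper (not from the AKS docs): normalise IPv4 CIDRs to their
# network address before handing them to --api-server-authorized-ip-ranges.

# Print the network-address form of one CIDR, or fail on malformed input.
cidr_network() {
    case "$1" in */*) ;; *) echo "not a CIDR: $1" >&2; return 1 ;; esac
    _ip=${1%/*}; _prefix=${1#*/}
    case "$_prefix" in ''|*[!0-9]*) echo "bad prefix: $1" >&2; return 1 ;; esac
    [ "$_prefix" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
    [ $# -eq 4 ] || { echo "bad address: $_ip" >&2; return 1; }
    _n=0
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) echo "bad octet: $_ip" >&2; return 1 ;; esac
        [ "$_o" -le 255 ] || { echo "bad octet: $_ip" >&2; return 1; }
        _n=$(( (_n << 8) | _o ))      # pack the address into one 32-bit integer
    done
    # Mask off the host bits; /0 is handled separately to avoid a 32-bit shift.
    if [ "$_prefix" -eq 0 ]; then _mask=0
    else _mask=$(( (4294967295 << (32 - _prefix)) & 4294967295 )); fi
    _net=$(( _n & _mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (_net >> 24) & 255 )) $(( (_net >> 16) & 255 )) \
        $(( (_net >> 8) & 255 )) $(( _net & 255 )) "$_prefix"
}

# Turn a whitespace-separated list of CIDRs into the comma-separated value the
# flag takes, normalising each entry; fails if any entry is malformed so a typo
# never silently becomes an unintended allow-list entry.
authorized_ranges_arg() {
    _out=
    for _c in $1; do
        _nc=$(cidr_network "$_c") || return 1
        _out=${_out:+$_out,}$_nc
    done
    printf '%s\n' "$_out"
}

# Usage with the article's sample cluster (run manually once logged in to Azure):
# az aks update --resource-group myResourceGroup --name myAKSCluster \
#     --api-server-authorized-ip-ranges "$(authorized_ranges_arg '137.117.106.90/29 73.140.245.17/24')"
```

After an update, `az aks show --resource-group myResourceGroup --name myAKSCluster --query apiServerAccessProfile.authorizedIpRanges -o tsv` shows the ranges the control plane is actually enforcing.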

Important

By default, your cluster uses the Standard SKU load balancer, which you can use to configure the outbound gateway. When you enable API server authorized IP ranges during cluster creation, the public IP for your cluster is also allowed by default in addition to the ranges you specify. If you specify "" or no value for --api-server-authorized-ip-ranges, API server authorized IP ranges will be disabled. Note that if you're using PowerShell, use --api-server-authorized-ip-ranges="" (with the equals sign) to avoid any parsing issues.

The following example creates a single-node cluster named myAKSCluster in the resource group named myResourceGroup with API server authorized IP ranges enabled. The IP address range allowed is 73.140.245.0/24:

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --node-count 1 \
    --vm-set-type VirtualMachineScaleSets \
    --load-balancer-sku standard \
    --api-server-authorized-ip-ranges 73.140.245.0/24 \
    --generate-ssh-keys

Note

You should add these ranges to the allow list:

  • The firewall public IP address
  • Any range that represents the networks you'll administer the cluster from

The upper limit for the number of IP ranges you can specify is 3500.

Specify the outbound IPs for the Standard SKU load balancer

When creating an AKS cluster, if you specify the outbound IP addresses or prefixes for the cluster, those addresses or prefixes are allowed as well. For example:

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --node-count 1 \
    --vm-set-type VirtualMachineScaleSets \
    --load-balancer-sku standard \
    --api-server-authorized-ip-ranges 73.140.245.0/24 \
    --load-balancer-outbound-ips <publicIpId1>,<publicIpId2> \
    --generate-ssh-keys

In the above example, all IPs provided in the --load-balancer-outbound-ips parameter are allowed along with the IPs in the --api-server-authorized-ip-ranges parameter.

Alternatively, you can specify the --load-balancer-outbound-ip-prefixes parameter to allow outbound load balancer IP prefixes.

Allow only the outbound public IP of the Standard SKU load balancer

When you enable API server authorized IP ranges during cluster creation, the outbound public IP of your cluster's Standard SKU load balancer is also allowed by default in addition to the ranges you specify. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32 when specifying the --api-server-authorized-ip-ranges parameter.

In the following example, only the outbound public IP of the Standard SKU load balancer is allowed, and you can only access the API server from the nodes within the cluster.

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --node-count 1 \
    --vm-set-type VirtualMachineScaleSets \
    --load-balancer-sku standard \
    --api-server-authorized-ip-ranges 0.0.0.0/32 \
    --generate-ssh-keys

Update a cluster's API server authorized IP ranges

To update the API server authorized IP ranges on an existing cluster, use the az aks update command with the --api-server-authorized-ip-ranges, --load-balancer-outbound-ips, or --load-balancer-outbound-ip-prefixes parameters.

The following example updates the API server authorized IP ranges on the cluster named myAKSCluster in the resource group named myResourceGroup. The IP address range to authorize is 73.140.245.0/24:

az aks update \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --api-server-authorized-ip-ranges 73.140.245.0/24

You can also use 0.0.0.0/32 when specifying the --api-server-authorized-ip-ranges parameter to allow only the public IP of the Standard SKU load balancer.

Disable authorized IP ranges

To disable API server authorized IP ranges, use az aks update and specify an empty range. For example:

az aks update \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --api-server-authorized-ip-ranges ""

Next steps

In this article, you enabled API server authorized IP ranges. This approach is one part of how you can run a secure AKS cluster.

For more information, see Security concepts for applications and clusters in AKS and Best practices for cluster security and upgrades in AKS.