Restrict access to the API server using IP firewall
Info
ID: MS-M9002
MITRE mitigation: M1035
Restricting access to the API server can prevent unwanted access to the cluster's management, even if an adversary has obtained valid credentials for the cluster. In managed clusters, cloud providers often offer a native built-in firewall that restricts the IP addresses allowed to access the API server.
Techniques Addressed by Mitigation
ID | Name | Use |
---|---|---|
MS-TA9001 | Using cloud credentials | Restrict access of cloud accounts to API server from trusted IP addresses only |
MS-TA9003 | Kubeconfig file | Restrict access to the API server from known IP addresses |
MS-TA9024 | Connect from proxy server | Restrict access to the API server from known IP addresses |
MS-TA9029 | Access Kubernetes API server | Restrict access to the API server from known IP addresses |
MS-TA9040 | Denial of service | Restrict access to the API server from known IP addresses |
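
An added example, not part of the original page: before turning the firewall on, replaying API server audit events against the planned allowlist shows which callers would be blocked and which ranges are too broad to act as a control. The allowlist, the /16 threshold and the log lines are constructed; the `sourceIPs`, `user.username` and `requestURI` fields are assumed to follow the Kubernetes audit event format.

```python
import ipaddress
import json

# Constructed allowlist planned for the API server firewall (RFC 5737 documentation ranges).
ALLOWLIST = ["203.0.113.0/24", "198.51.100.7/32", "0.0.0.0/0"]

# Constructed audit events, one JSON object per line, reduced to the fields used here.
AUDIT_LOG = """\
{"user":{"username":"alice"},"verb":"list","requestURI":"/api/v1/pods","sourceIPs":["203.0.113.25"]}
{"user":{"username":"ci-bot"},"verb":"create","requestURI":"/apis/apps/v1/namespaces/prod/deployments","sourceIPs":["198.51.100.7"]}
{"user":{"username":"alice"},"verb":"get","requestURI":"/api/v1/namespaces/kube-system/secrets","sourceIPs":["192.0.2.99"]}
"""

def audit_allowlist(cidrs, min_prefix=16):
    """Split ranges into usable networks and findings for ranges too broad to trust."""
    networks, findings = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{cidr}: matches every address, so it restricts nothing")
        elif net.version == 4 and net.prefixlen < min_prefix:
            findings.append(f"{cidr}: broader than /{min_prefix}, review before trusting")
        else:
            networks.append(net)
    return networks, findings

def outside_allowlist(log_text, networks):
    """Return (user, requestURI, untrusted_ips) for events not fully covered by networks."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # sourceIPs can list the originating client and intermediate proxies;
        # an event with any untrusted address, or with none recorded, is reported.
        ips = [ipaddress.ip_address(ip) for ip in event.get("sourceIPs", [])]
        untrusted = [str(ip) for ip in ips if not any(ip in net for net in networks)]
        if untrusted or not ips:
            user = event.get("user", {}).get("username", "<unknown>")
            hits.append((user, event.get("requestURI", ""), untrusted))
    return hits

if __name__ == "__main__":
    trusted, problems = audit_allowlist(ALLOWLIST)
    for problem in problems:
        print("allowlist finding:", problem)
    for user, uri, ips in outside_allowlist(AUDIT_LOG, trusted):
        print(f"would be blocked: {user} {uri} from {ips}")
```

Ranges that produce a finding are left out of the trusted set, so a stray `0.0.0.0/0` cannot hide callers from untrusted addresses.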