Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0073

An AKS cluster's public API server puts the Kubernetes control plane on the internet

The default AKS deployment gives the Kubernetes API server a public endpoint with no IP restrictions. The API that can read every secret and exec into every pod is reachable from anywhere.

Footgun ID
AZF-0073 (Azure Footgun No. 73)
Azure service
Azure Kubernetes Service
Resource type
Microsoft.ContainerService/managedClusters
Updated
July 9, 2026

What it is

An AKS cluster whose Kubernetes API server has a public endpoint and no authorized IP ranges. The API server is the cluster's control plane: it can read every Secret, create workloads in every namespace, and exec into any pod. On a default AKS deployment that endpoint resolves publicly and accepts connections from any address on the internet, so authentication is the only thing between the world and cluster control.

Impact (security)
The cluster's admin API reachable from any internet address, with credentials as the only barrier
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Public is the AKS default. az aks create with no extra flags, the portal's standard path, and most quickstart templates all produce a cluster where apiServerAccessProfile is neither a private cluster nor restricted to known IP ranges. Everything works immediately, kubectl connects from anywhere, CI pipelines just work, which is exactly why nobody revisits it.

The private alternative has friction that keeps teams on the default: a private cluster changes how you reach the API (jump box, VPN, or peered network), and it is a creation-time decision, converting an existing public cluster to a private one means rebuilding it. The lighter control, authorizedIPRanges, can be applied to a running cluster at any time, but since the public endpoint works fine without it, it tends to stay empty.

What it costs / blast radius

The blast radius is control of the cluster and everything in it. An attacker who reaches the API server with any working credential (a leaked kubeconfig, a stolen service account token, a compromised CI secret) gets whatever that credential allows, up to full cluster admin: every Secret, every ConfigMap, exec into every pod, and a scheduling platform for whatever they want to run next. A public endpoint also means the API server itself is exposed to credential stuffing and to any future authentication or API-server CVE, from every address on the internet rather than from a short allow-list. (This is an exposure assessment of Azure's default behavior, not a measured breach statistic; your authentication and Kubernetes RBAC still stand in the way.)

See it

Footgun: the default profile — public API server, no IP restrictions
resource aks 'Microsoft.ContainerService/managedClusters@2024-05-01' = {
  name: 'prod-aks'
  location: location
  // ...identity and agentPoolProfiles omitted for brevity
  properties: {
    dnsPrefix: 'prod-aks'
    // apiServerAccessProfile left at its defaults:
    // not a private cluster, no authorizedIPRanges.
    // The control plane answers to the whole internet.
  }
}
Fix: make the cluster private, or at minimum restrict the API server to known IP ranges
resource aks 'Microsoft.ContainerService/managedClusters@2024-05-01' = {
  name: 'prod-aks'
  location: location
  // ...identity and agentPoolProfiles omitted for brevity
  properties: {
    dnsPrefix: 'prod-aks'
    apiServerAccessProfile: {
      enablePrivateCluster: true      // creation-time only; existing clusters need a rebuild
    }
    // Lighter fix for an existing cluster (applies in place):
    // apiServerAccessProfile: {
    //   authorizedIPRanges: ['203.0.113.0/24']   // office / VPN / CI egress only
    // }
  }
}

How StratoLens helps

StratoLens flags every AKS cluster whose API server is publicly reachable with no IP restrictions, automatically and continuously, across every subscription in your tenant. You see which clusters expose their control plane today and when that changed, instead of finding out during an incident.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.