[Feature Request] Support for Service Tags in AKS API Server Authorization

[dhananjaya94]

This request is to support Azure Service Tags in AKS API Server Authorization.

• Azure DevOps + AKS provides a seamless CICD experience.
• AKS API server authorized IP ranges https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges, is feature introduced by AKS to improve cluster security and minimize attacks and to make the API server should only be accessible from a limited set of IP address ranges.
• There is no straight forward way to authorise the Azure DevOps CIDRs in AKS API since Azure DevOps IP ranges changes on weekly basis.
• When Azure DevOps service is used with AKS, the API Server authorization security feature becomes useless.
• Azure DevOps is currently in the process of supporting Service Tags in order to bring a better experience in allowing Azure DevOps service to other Azure services. https://devblogs.microsoft.com/devops/new-ip-address-ranges-with-service-tags-for-azure-devops-services/

[ghost]

Hi dhananjaya-senanayake, AKS bot here :wave: Thank you for posting on the AKS Repo, I'll do my best to get a kind human from the AKS team to assist you.

I might be just a bot, but I'm told my suggestions are normally quite good, as such: 1) If this case is urgent, please open a Support Request so that our 24/7 support team may help you faster. 2) Please abide by the AKS repo Guidelines and Code of Conduct. 3) If you're having an issue, could it be described on the AKS Troubleshooting guides or AKS Diagnostics? 4) Make sure your subscribed to the AKS Release Notes to keep up to date with all that's new on AKS. 5) Make sure there isn't a duplicate of this issue already reported. If there is, feel free to close this one and '+1' the existing issue. 6) If you have a question, do take a look at our AKS FAQ. We place the most common ones there!

[palma21]

@aanandr @jluk

[ghost]

Action required from @Azure/aks-pm

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Action required from @Azure/aks-pm

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[fillip1983]

This issue has been live for 18 months now and it doesn't seem like anything has been done to even start looking at the issue. The only workarounds for this are:

• to add ALL of the IP ranges designated to the AzureCloud.REGION from where you run DevOps, and in our case that means over 240 IPv4 addresses (West Europe), but AKS has a maximum of 200 authorized IP ranges
• to run a script within any ADO pipeline job that needs to talk to AKS that will add the current IP of the agent executing the job to the authorized list, but this stops us from running those jobs in parallel since only one update on the AKS cluster can take place at a time. To run all those jobs sequentially instead, with the added delay of updating AKS, would make our deployments unnecessarily long and tedious.
• use private ADO agents on a VNET that is able to talk to a Private AKS cluster IP, and therefore all the additional hassle of managing those extra resources

[miwithro]

@qpetraroia to look into to.

[ericsuhong]

@miwithro @qpetraroia Any update on this feature request?

Our pain point: We had a requirement to lock down our cluster from public. Because service tags are not supported at the control plane, the only choice we had was to use private AKS cluster with a proxy bastion solution (with NSG to use service tags to block traffic).

If service tags were supported for a public AKS cluster, we could have removed all these additional hassle and simply whitelist using service tags instead.

[rsgel]

Checking in on this feature request as well -- any updates? Several Azure Chaos Studio customers have asked about this functionality so they can more easily allowlist Chaos Studio IPs within their cluster.

[rseso]

Doubling on what Rigel commented above. Not being able to use service tags is heavily impacting the adoption of the Azure Chaos Studio. Please prioritize this asap.