Information disclosure from enabled Kubernetes Dashboard add-on in AKS cluster

Medium Risk infrastructure-security
azure, aks, kubernetes-dashboard, web-interface, information-disclosure, attack-surface, cluster-security

What it is

Azure Kubernetes Service (AKS) clusters with the Kubernetes Dashboard add-on enabled run a web UI inside the cluster that acts with whatever credentials it is given: a bearer token or kubeconfig pasted at login, or the permissions of its own service account. The common shortcut of binding that service account to cluster-admin (older AKS documentation showed exactly this for development clusters) turns the dashboard into a cluster-admin console for anyone who can reach it: every Secret in every namespace, exec into any pod, and from there the nodes. Even without that binding the dashboard is extra attack surface, a web application with its own login flow sitting in kube-system, that can be targeted for unauthorized access, privilege escalation, and cluster compromise. Microsoft has deprecated the add-on and does not install it on clusters running Kubernetes 1.19 or later, and the kube_dashboard block was removed from the azurerm Terraform provider in 3.0, so the configuration below applies to older clusters managed with the 2.x provider.

# VULNERABLE: AKS with Kubernetes Dashboard enabled (azurerm provider 2.x syntax)
resource "azurerm_kubernetes_cluster" "vulnerable_aks" {
  name                = "vulnerable-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "vulnerable-aks"
  
  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_B2s"
  }
  
  identity {
    type = "SystemAssigned"
  }
  
  # VULNERABLE: Kubernetes Dashboard enabled
  addon_profile {
    kube_dashboard {
      enabled = true  # Exposes web interface
    }
  }
  
  tags = {
    environment = "production"
  }
}

# SECURE: AKS without Kubernetes Dashboard (azurerm provider 2.x syntax;
# addon_profile and kube_dashboard no longer exist in provider 3.x)
resource "azurerm_kubernetes_cluster" "secure_aks" {
  name                = "secure-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "secure-aks"
  
  # Disable the static admin kubeconfig so every user goes through Azure AD
  local_account_disabled = true
  
  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D4s_v3"
  }
  
  identity {
    type = "SystemAssigned"
  }
  
  # Azure AD integration with Azure RBAC for Kubernetes authorization
  # (the admin group comes from the azuread provider, not azurerm)
  role_based_access_control {
    enabled = true
    azure_active_directory {
      managed                = true
      admin_group_object_ids = [azuread_group.aks_admins.object_id]
      azure_rbac_enabled     = true
    }
  }
  
  addon_profile {
    # SECURE: Dashboard disabled (or omit this block entirely)
    kube_dashboard {
      enabled = false
    }
    
    # Azure Policy for AKS enforces admission-time guardrails
    azure_policy {
      enabled = true
    }
    
    # Secure monitoring instead: Container Insights into Log Analytics
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = azurerm_log_analytics_workspace.aks.id
    }
  }
  
  tags = {
    environment = "production"
    security    = "hardened"
  }
}

💡 Why This Fix Works

The vulnerable configuration enables the Kubernetes Dashboard add-on by setting kube_dashboard.enabled to true, which deploys a privileged web interface into kube-system that can be targeted for unauthorized access and information disclosure. The secure version sets kube_dashboard.enabled to false (or omits the block entirely), so the dashboard is never deployed and that attack surface does not exist. Cluster visibility comes instead from the Container Insights agent (oms_agent) writing to Log Analytics, and access to the cluster goes through Azure AD-integrated RBAC with the static admin credential disabled (local_account_disabled = true). Note that the other settings replace the dashboard's function; they do not protect a dashboard that is left running.

Why it happens

The dashboard add-on is usually a leftover from early AKS builds, when it was installed by default on clusters created before Kubernetes 1.19 and the documentation walked users through az aks browse to reach it. Terraform modules written in that period still carry kube_dashboard { enabled = true }, even though the add-on is deprecated and the same visibility is available from the Azure portal's Kubernetes resources view, kubectl, or Azure Monitor.

Root causes

Deprecated Dashboard Add-On Enabled

Azure Kubernetes Service clusters are configured with the deprecated Kubernetes Dashboard add-on enabled. The upstream dashboard project is still maintained, but the AKS-managed add-on is deprecated and is not installed on Kubernetes 1.19 and later; exposed dashboards have been a recurring cause of cluster compromise across providers because an unauthenticated or over-privileged dashboard is a cluster-admin console. Microsoft recommends the Azure portal's Kubernetes resources view or kubectl instead.

Insecure Default Configuration

The add-on is turned on without any accompanying hardening. The dashboard's login accepts a bearer token or kubeconfig and acts as whatever it is given; if its own service account has been bound to cluster-admin (a shortcut older AKS docs showed for development clusters that then travelled into production), the UI acts as cluster-admin for anyone who reaches its Service. Nothing beyond network reachability restricts who may open it, and the kube-system Secrets it can list include the tokens of other service accounts, so a single reachable dashboard hands over the rest of the cluster.
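The escalation path this root cause describes can be checked directly against a cluster's RBAC. The following Python script is an added example, not code from the original page: it reads the JSON that kubectl get clusterrolebindings -o json prints and reports every ClusterRoleBinding that grants a high-privilege ClusterRole to the dashboard's service account, directly or through the built-in groups every service account belongs to. The service-account name kubernetes-dashboard in kube-system and the sample JSON are assumptions for the example; the sample is constructed to contain one risky binding, one harmless binding for the same account, and an unrelated admin binding.

```python
"""Audit ClusterRoleBindings for a dashboard service account that has been
granted cluster-wide admin rights.  Added example, not the page's code.
Reads the JSON produced by `kubectl get clusterrolebindings -o json`."""
import json
import sys

# Assumption: the AKS add-on ran the dashboard as this service account.
DASHBOARD_SA = ("kube-system", "kubernetes-dashboard")
# ClusterRoles that give control over workloads or the whole cluster.
HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin", "edit"}

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`:
# one risky binding, one harmless binding for the same account, one unrelated.
SAMPLE_CRB_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "kubernetes-dashboard"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount",
                          "name": "kubernetes-dashboard", "namespace": "kube-system"}],
        },
        {
            "metadata": {"name": "kubernetes-dashboard-metrics"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "system:metrics-server"},
            "subjects": [{"kind": "ServiceAccount",
                          "name": "kubernetes-dashboard", "namespace": "kube-system"}],
        },
        {
            "metadata": {"name": "aks-cluster-admins"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                          "name": "aks-admins"}],
        },
    ],
})


def subject_covers(subject, sa):
    """True if an RBAC subject matches the service account directly or via the
    built-in groups that every service account is a member of."""
    ns, name = sa
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return subject.get("namespace") == ns and subject.get("name") == name
    if kind == "Group":
        return subject.get("name") in {
            "system:serviceaccounts",
            f"system:serviceaccounts:{ns}",
            "system:authenticated",
        }
    return False


def risky_bindings(crb_json, sa=DASHBOARD_SA, high_priv=HIGH_PRIVILEGE_ROLES):
    """Names of ClusterRoleBindings that give `sa` a high-privilege ClusterRole."""
    items = json.loads(crb_json).get("items", [])
    found = []
    for binding in items:
        role = binding.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") not in high_priv:
            continue
        if any(subject_covers(s, sa) for s in binding.get("subjects") or []):
            found.append(binding["metadata"]["name"])
    return found


if __name__ == "__main__":
    # Pipe real output in:  kubectl get clusterrolebindings -o json | python3 audit.py -
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_CRB_JSON
    hits = risky_bindings(raw)
    for name in hits:
        print(f"RISK: ClusterRoleBinding {name} grants cluster-wide admin to the dashboard")
    sys.exit(1 if hits else 0)
```

Run without arguments to exercise the embedded sample; pass - to read real kubectl output from stdin. A non-zero exit means the dashboard service account holds cluster-wide admin, edit or cluster-admin, which is the configuration that turns a reachable dashboard into a full cluster compromise.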

Convenience Over Security

Organizations enable the dashboard for administrative convenience and visual cluster management without assessing security implications. Teams prioritize ease of use over the significant attack surface introduced by the web interface.

Absent Network Access Controls

Dashboard deployments lack network policies, service mesh restrictions, or ingress controls to limit access. The web interface is accessible from broader networks than necessary, increasing exposure to unauthorized access attempts.

Inadequate Add-On Security Review

AKS cluster configurations don't undergo thorough security reviews of enabled add-ons and their necessity. Teams enable multiple add-ons including the dashboard without understanding their security impact or evaluating alternatives.

Fixes

1

Disable Dashboard Add-On

Set enabled = false for the kube_dashboard block within addon_profile of azurerm_kubernetes_cluster resources (azurerm provider 2.x). Applying the change removes the kubernetes-dashboard deployment from kube-system, eliminating its attack surface. With azurerm provider 3.x the addon_profile and kube_dashboard blocks no longer exist, so they must be deleted from the configuration as part of the provider upgrade.

2

Remove Dashboard Configuration Block

Remove the entire kube_dashboard configuration block from Terraform AKS resources. On supported Kubernetes versions (1.19 and later) the add-on is never installed, so leaving it unconfigured keeps it absent and it cannot be inadvertently enabled during cluster updates. On older clusters Azure itself installed the dashboard by default, so do not assume omission means disabled: confirm with az aks show --resource-group <rg> --name <cluster> --query addonProfiles.kubeDashboard.enabled, and disable it with az aks disable-addons --addons kube-dashboard if it reports true.
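To find clusters that still enable the add-on across a Terraform code base before applying fix 1 or 2, the following Python script is an added example (not the page's code and not Sourcery's scanner): it walks each azurerm_kubernetes_cluster resource, locates its kube_dashboard block by brace matching rather than by a single regex, and classifies the dashboard as enabled, disabled, absent, or unknown (enabled set from a variable or expression, which needs a human look). The sample HCL is constructed to show the three literal cases, and the azurerm 2.x block layout is an assumption.

```python
"""Static check: does a Terraform azurerm_kubernetes_cluster enable the
Kubernetes Dashboard add-on?  Added example; assumes azurerm 2.x syntax,
where the add-on is a kube_dashboard block inside addon_profile."""
import re
import sys

# Constructed sample: one enabled, one explicitly disabled, one with no block.
SAMPLE_TF = '''
resource "azurerm_kubernetes_cluster" "vulnerable_aks" {
  name = "vulnerable-aks-cluster"
  addon_profile {
    kube_dashboard {
      enabled = true  # Exposes web interface
    }
  }
}

resource "azurerm_kubernetes_cluster" "secure_aks" {
  name = "secure-aks-cluster"
  addon_profile {
    kube_dashboard {
      enabled = false
    }
    oms_agent {
      enabled = true
    }
  }
}

resource "azurerm_kubernetes_cluster" "omitted_aks" {
  name = "omitted-aks-cluster"
  addon_profile {
    oms_agent {
      enabled = true
    }
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"azurerm_kubernetes_cluster"\s+"([^"]+)"\s*\{')
DASHBOARD_RE = re.compile(r'\bkube_dashboard\s*\{')
ENABLED_RE = re.compile(r'^\s*enabled\s*=\s*([^\s#]+)', re.MULTILINE)


def block_body(text, brace_idx):
    """Return the text between the '{' at brace_idx and its matching '}'.
    Braces inside double-quoted strings are ignored; heredocs are not handled."""
    depth = 0
    in_string = False
    i = brace_idx
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[brace_idx + 1:i]
        i += 1
    raise ValueError("unbalanced braces in Terraform source")


def find_dashboard_status(tf_text):
    """Map each azurerm_kubernetes_cluster resource name to
    'enabled', 'disabled', 'absent' or 'unknown' (enabled is not a literal)."""
    status = {}
    for res in RESOURCE_RE.finditer(tf_text):
        name = res.group(1)
        body = block_body(tf_text, res.end() - 1)
        dash = DASHBOARD_RE.search(body)
        if dash is None:
            status[name] = "absent"
            continue
        dash_body = block_body(body, dash.end() - 1)
        enabled = ENABLED_RE.search(dash_body)
        value = enabled.group(1) if enabled else None
        status[name] = {"true": "enabled", "false": "disabled"}.get(value, "unknown")
    return status


def dashboard_findings(tf_text):
    """Names of clusters that definitely enable the dashboard."""
    return [n for n, s in find_dashboard_status(tf_text).items() if s == "enabled"]


if __name__ == "__main__":
    # Usage: python3 check.py main.tf aks.tf ...   (no arguments: scan the sample)
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    exit_code = 0
    for path, text in sources or [("<sample>", SAMPLE_TF)]:
        for name, state in find_dashboard_status(text).items():
            print(f"{path}: {name}: kube_dashboard {state}")
            if state in ("enabled", "unknown"):
                exit_code = 1
    sys.exit(exit_code)
```

The check exits non-zero for both "enabled" and "unknown", so a module that sets enabled = var.dashboard still blocks a pipeline until someone confirms the variable's value; an absent block is reported but passes, matching fix 2.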

3

Use Secure Management Alternatives

Adopt secure Kubernetes management tools including kubectl (command-line), Azure Portal's AKS management interface, or Azure CLI. These tools provide equivalent functionality with better security controls, authentication, and audit logging.

4

Implement Network Policies if Required

If the dashboard must remain enabled temporarily, implement strict NetworkPolicies on the kubernetes-dashboard pods in kube-system that limit ingress to specific source IP ranges or namespaces, and never expose its Service through a public LoadBalancer or ingress. Require authentication via Azure AD integration, make sure its service account is not bound to cluster-admin or edit, and time-box the exception so the add-on is removed rather than hardened indefinitely.

5

Deploy Modern Management Tools

Replace the deprecated dashboard with management tools that reuse your existing Azure AD credentials and RBAC rather than carrying their own privileged identity: the Azure portal's Kubernetes resources view, Lens or k9s running locally against the user's own kubeconfig (Octant filled the same role but is no longer maintained), and Azure Monitor for Containers for observability. These act as the authenticated user, so the cluster's audit log records who did what.

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from an enabled Kubernetes Dashboard add-on in AKS clusters and many other security issues in your codebase.