Webinar | Cloud Native Security & Kubernetes

Hi!

I’m delighted to share that I was recently invited to host a webinar in French covering the essential topics of Cloud Native Security and Kubernetes. If you’re interested in gaining insights, best practices, and valuable feedback on deploying and safeguarding your Kubernetes environment, I highly recommend giving it a watch.

Audio podcast available on the Electro-Monkeys channel: https://podcasts.audiomeans.fr/electro-monkeys-0c9902cdaea8/cloud-native-security-and-kubernetes-be5f8d36

Maxime.

AKS | HTTP Proxy Support

Hi!

Azure Kubernetes Service (AKS) clusters, regardless of whether they’re deployed in a managed or custom virtual network, require specific outbound dependencies to operate effectively. Previously, in environments where internet access had to be routed through HTTP proxies, this presented a challenge. Nodes lacked the means to bootstrap the essential configuration, environment variables, and certificates needed to connect to internet services.

With this newly introduced feature, AKS clusters now support HTTP proxies. This provides a user-friendly interface for cluster operators to manage network traffic required by AKS in environments dependent on proxies, ensuring a secure and smooth operation.

Example JSON HTTP proxy config file (the shape expected by --http-proxy-config):

{
  "httpProxy": "string",
  "httpsProxy": "string",
  "noProxy": [
    "string"
  ],
  "trustedCa": "string"
}

Create a new AKS cluster with HTTP proxy configured on the nodes:

az aks create -n $clusterName -g $resourceGroup --http-proxy-config aks-proxy-config.json

Update an existing HTTP proxy:

az aks update -n $clusterName -g $resourceGroup --http-proxy-config aks-proxy-config-2.json

Note: pods must be rotated for the apps to pick up the new proxy settings. For components under Kubernetes, like containerd and the node itself, the change won’t take effect until a node image upgrade is performed.

The following scenarios are not supported:

  1. Varied proxy configurations for each node pool
  2. User/password authentication
  3. Custom Certificate Authorities (CAs) for API server communication
  4. Windows-based clusters
  5. Node pools utilizing Virtual Machine Availability Sets (VMAS)
  6. Employing ‘*’ as a wildcard appended to a domain suffix for noProxy

Additionally, it’s important to note that by default, both httpProxy and httpsProxy, as well as trustedCa, are unset.
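Added example, not from the original post and not part of Azure’s own tooling: a small Python validator to run over aks-proxy-config.json before handing it to az aks create or az aks update. It checks the schema shown above and the unsupported scenarios listed in the post (credentials in the proxy URL, ‘*’ wildcards in noProxy). It assumes trustedCa carries a base64-encoded PEM certificate, which the post itself does not state; the sample config embedded below is constructed and points at no real host.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample matching the JSON shape from the post (no real proxy host).
SAMPLE_CONFIG = {
    "httpProxy": "http://proxy.corp.example:3128",
    "httpsProxy": "http://proxy.corp.example:3128",
    "noProxy": ["localhost", "127.0.0.1", ".svc", ".cluster.local", "10.0.0.0/8"],
    # Assumption: trustedCa is base64 of a PEM certificate (placeholder body).
    "trustedCa": base64.b64encode(
        b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    ).decode(),
}

ALLOWED_KEYS = {"httpProxy", "httpsProxy", "noProxy", "trustedCa"}


def validate_proxy_config(cfg: dict) -> list[str]:
    """Return a list of problems found in an AKS HTTP proxy config; [] means OK."""
    problems = []

    unknown = set(cfg) - ALLOWED_KEYS
    if unknown:
        problems.append(f"unknown keys: {sorted(unknown)}")

    # httpProxy / httpsProxy are optional (unset by default); validate only if present.
    for key in ("httpProxy", "httpsProxy"):
        value = cfg.get(key)
        if value is None:
            continue
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{key}: expected http(s)://host[:port], got {value!r}")
        elif parts.username or parts.password:
            # User/password proxy authentication is listed as unsupported.
            problems.append(f"{key}: credentials in the proxy URL are not supported")

    no_proxy = cfg.get("noProxy", [])
    if not isinstance(no_proxy, list) or not all(isinstance(e, str) for e in no_proxy):
        problems.append("noProxy: must be a list of strings")
    else:
        for entry in no_proxy:
            # '*' appended to a domain suffix is unsupported; a leading-dot suffix works.
            if entry.startswith("*"):
                problems.append(
                    f"noProxy: wildcard entry {entry!r} not supported; use '.suffix' instead"
                )

    ca = cfg.get("trustedCa")
    if ca is not None:
        try:
            pem = base64.b64decode(ca, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("trustedCa: not valid base64")
        else:
            if b"-----BEGIN CERTIFICATE-----" not in pem:
                problems.append("trustedCa: decoded value is not a PEM certificate")

    return problems


def validate_proxy_config_file(path: str) -> list[str]:
    """Load a JSON file from disk and validate it; parse errors are reported, not raised."""
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        return [f"{path}: cannot load JSON ({exc})"]
    if not isinstance(cfg, dict):
        return [f"{path}: top-level value must be a JSON object"]
    return validate_proxy_config(cfg)


if __name__ == "__main__":
    # Run against the embedded sample; pass a path to check a real file instead.
    import sys

    found = (
        validate_proxy_config_file(sys.argv[1])
        if len(sys.argv) > 1
        else validate_proxy_config(SAMPLE_CONFIG)
    )
    print("OK" if not found else "\n".join(found))
```

Run it as `python check_proxy_config.py aks-proxy-config.json` in the same shell session before the az aks commands; a non-empty report means the file would either be rejected or silently fall into one of the unsupported scenarios above.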

Resource: https://learn.microsoft.com/en-us/azure/aks/http-proxy#updating-proxy-configurations

Maxime.