Measures

In a productive environment, the number of required NodePort services is known. Therefore, the range of ports can be limited accordingly. It is therefore not possible for an attacker to deploy additional NodePorts services for the time being.

For this purpose, the flag "--service-node-port-range" must be adjusted in the API config. 

In Azure, services are carried to the outside via a load balancer. Therefore, nothing can be done here.