I'm using Kubernetes in Azure (ACS) and would like to know if it's possible to change the SSH port on the node VMs. I'd like to protect against brute-force attacks on the default SSH port (port 22) but I don't want to ruin any intra-cluster communication mechanisms. I would be happy to use acs-engine if that would make any difference.
Foremost, I agree 100% with JonahB that exposing the Nodes to the wild Internet is an unnecessary risk. I hesitate to even put this in an "answer" box, as it's far more like a dirty hack, but it was too many characters to fit in a comment; that said:
In theory, you could take advantage of the fact that with kubelet you have a remote-control API almost directly into the Linux kernel on those machines. A DaemonSet deployed into the cluster could volumeMount /var/lib/dbus and then use the systemd control socket to shutdown sshd.service, and then later either an update to the DS (or a separate one) could turn ssh back on for Nodes of your choosing if you did need to ssh in. Or volumeMount /etc/ssh, alter the config, then use that same control socket to restart sshd.service.
I have used a very similar trick to provision new systemd services on Nodes using a volumeMount and the go-systemd library; by coincidence, I happen to have a gist of the systemd daemon-reload part that I posted while answering a question similar to this one.
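The following is an added example, not code from the answer above or from any project the page mentions. It is the script a DaemonSet pod would run on every node to carry out the second variant described in that answer (mount /etc/ssh, edit the config, restart sshd through the node's systemd). Everything about the pod is my assumption, not something the page states: the DaemonSet is privileged, hostPath-mounts the node's /etc/ssh and /run/systemd at the same paths inside the container, and uses an image with openssh-server (so `sshd -t` can validate the config against the node's host keys) and systemctl installed; the unit name defaults to sshd.service and must be set to ssh.service on Debian/Ubuntu nodes. The default port list deliberately keeps 22 next to the new port for a first rollout, because the change is only useful once the Azure NSG / inbound NAT rule for the node also allows the new port, and a typo there would otherwise lock you out; a second rollout with SSHD_PORTS=2222 then drops 22. Kubernetes components do not talk to each other over SSH (kubelet, kube-proxy and the API server use TLS on their own ports), so the cluster itself is not affected by the move.

```shell
#!/bin/sh
# Added example, not from the original answer: the script a DaemonSet pod runs on each node
# to move sshd to another port, following the answer's volumeMount-plus-systemd approach.
# Assumptions (mine, not stated on the page):
#   - the node's /etc/ssh and /run/systemd are hostPath-mounted at the same paths in the pod,
#   - the image has openssh-server (for `sshd -t`) and systemctl installed,
#   - the host unit is sshd.service (set SSHD_UNIT=ssh.service on Debian/Ubuntu nodes).
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSHD_UNIT="${SSHD_UNIT:-sshd.service}"
# Phase 1 default keeps 22 open next to the new port so a wrong NSG rule cannot lock you out;
# roll out again with SSHD_PORTS=2222 once the new port is reachable to drop 22.
SSHD_PORTS="${SSHD_PORTS:-2222 22}"

# Accept only a TCP port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rewrite sshd_config $1 so sshd listens on exactly the ports listed in $2 (space separated).
# Idempotent: every existing Port directive, including the commented-out "#Port 22" default,
# is removed and the requested ones appended; all other directives are left untouched.
set_sshd_ports() {
    cfg="$1"; ports="$2"
    [ -f "$cfg" ] || { echo "no such config: $cfg" >&2; return 1; }
    for p in $ports; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    tmp="$(mktemp)"
    grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" > "$tmp" || true
    for p in $ports; do
        printf 'Port %s\n' "$p" >> "$tmp"
    done
    # Write through the existing file so root ownership and the original mode are preserved.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Print the ports a given sshd_config listens on, one per line.
listening_ports() {
    awk '$1 == "Port" { print $2 }' "$1"
}

# Validate the edited config against the node's host keys, then restart sshd through the
# node's systemd. With the host's /run/systemd mounted in, systemctl here reaches the node's
# control socket rather than a systemd inside the container (assumption, see lead-in).
restart_sshd() {
    sshd -t -f "$SSHD_CONFIG"
    systemctl restart "$SSHD_UNIT"
}

apply_on_node() {
    set_sshd_ports "$SSHD_CONFIG" "$SSHD_PORTS"
    restart_sshd
    echo "sshd now listening on: $(listening_ports "$SSHD_CONFIG" | tr '\n' ' ')"
    # Stay alive so the DaemonSet pod does not crash-loop; a rollout with new env re-runs this.
    while :; do sleep 3600; done
}

# Dry run on a constructed sample config, so the rewrite can be inspected off-cluster.
demo() {
    sample="$(mktemp)"
    printf '# constructed sample sshd_config\n#Port 22\nPermitRootLogin no\nPort 22\n' > "$sample"
    set_sshd_ports "$sample" "$SSHD_PORTS"
    cat "$sample"
    rm -f "$sample"
}

case "${1:-demo}" in
    apply) apply_on_node ;;
    *)     demo ;;
esac
```

Run it with no argument anywhere to see what the rewrite does to a sample config; in the DaemonSet, set the container command to `sh /path/to/script apply` (path and image are yours to choose) and the environment variables above. Because each rollout restarts sshd on every node at once, test the first rollout on a single node by adding a nodeSelector to the DaemonSet before widening it.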