Enable role-based access control (RBAC) within Azure Kubernetes Services

Kubernetes role-based access control (RBAC) restricts what each user, group and service account may do with cluster resources; with RBAC disabled the API server authorizes every authenticated identity for everything. This rule checks that RBAC is enabled on the cluster (properties.enableRBAC), a setting that is fixed at creation time. Azure additionally offers Azure RBAC for Kubernetes authorization, which lets you manage permissions on cluster resources from Azure instead of, or alongside, native Kubernetes mechanisms. When that option is enabled, Azure AD principals are authorized exclusively by Azure RBAC, while regular Kubernetes users and service accounts are authorized exclusively by Kubernetes RBAC.

Risk Level: Low
Cloud Entity: Azure AKS
CloudGuard Rule ID: D9.AZU.AKS.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

AksCluster should have properties.enableRBAC=true

REMEDIATION

From Portal

  1. Go to 'Kubernetes services'.
  2. Create a new Kubernetes cluster with the required details. RBAC cannot be switched on for an existing cluster; a cluster that was created with RBAC disabled must be recreated.
  3. Under 'Access', for 'Authentication and Authorization' select an option that keeps Kubernetes RBAC enabled (local accounts with Kubernetes RBAC, Azure AD authentication with Kubernetes RBAC, or Azure AD authentication with Azure RBAC).
  4. Create the cluster.

From TF
Set role_based_access_control_enabled to true. This is the provider default, and changing the value on an existing cluster forces Terraform to destroy and recreate it, so check the plan before applying:

resource "azurerm_kubernetes_cluster" "example" {
	...
	role_based_access_control_enabled = true
	...
}

From Command Line
Kubernetes RBAC is enabled by default on new clusters; never pass --disable-rbac. To create a cluster with Azure AD integration and Azure RBAC for Kubernetes authorization as well, run:

az aks create --resource-group RESOURCEGROUP --name CLUSTERNAME --enable-aad --enable-azure-rbac
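The GSL rule above is a one-line policy, and the remediation differs depending on what a cluster already has (enableRBAC is immutable, Azure AD and Azure RBAC can be added later). The following script, an added example that is not CloudGuard's or Microsoft's code, applies the same check to the JSON that `az aks list -o json` prints and reports which remediation path applies. It assumes the camelCase field names the Azure CLI emits (enableRbac, aadProfile.enableAzureRbac, disableLocalAccounts) and also accepts the ARM spelling (properties.enableRBAC); the three clusters in the sample input are constructed, not real resources.

```python
"""Audit AKS clusters against: AksCluster should have properties.enableRBAC=true.

Added example, not CloudGuard or Azure code. Input is shaped like the output of
`az aks list -o json` (Azure CLI camelCase) or an ARM resource (properties.*).
"""
import json

# Constructed sample in the shape of `az aks list -o json`, trimmed to the
# fields this check uses. Names and resource group are fictitious.
SAMPLE_AZ_AKS_LIST = json.dumps([
    {"name": "legacy-norbac", "resourceGroup": "rg-example",
     "enableRbac": False, "aadProfile": None, "disableLocalAccounts": False},
    {"name": "k8s-rbac-only", "resourceGroup": "rg-example",
     "enableRbac": True, "aadProfile": None, "disableLocalAccounts": False},
    {"name": "aad-azure-rbac", "resourceGroup": "rg-example",
     "enableRbac": True,
     "aadProfile": {"managed": True, "enableAzureRbac": True},
     "disableLocalAccounts": True},
])


def _prop(resource, *names):
    """Return the first of *names found at the top level (CLI output) or under
    'properties' (ARM/REST output); None when absent in both."""
    for scope in (resource, resource.get("properties") or {}):
        for name in names:
            if name in scope:
                return scope[name]
    return None


def evaluate_cluster(cluster):
    """Apply the rule to one cluster and classify its authorization mode.

    A missing enableRBAC field is treated as non-compliant (fail closed):
    the rule requires the property to be present and true."""
    name = cluster.get("name", "<unnamed>")
    rbac = _prop(cluster, "enableRbac", "enableRBAC")
    aad = _prop(cluster, "aadProfile") or {}
    azure_rbac = bool(aad.get("enableAzureRbac") or aad.get("enableAzureRBAC"))
    local_accounts = not bool(_prop(cluster, "disableLocalAccounts"))

    if rbac is not True:
        # enableRBAC cannot be changed after creation, so the only fix is a
        # new cluster (without --disable-rbac / with
        # role_based_access_control_enabled = true).
        return {"name": name, "compliant": False, "authz": "none",
                "local_accounts": local_accounts,
                "remediation": "recreate the cluster with RBAC enabled"}

    if azure_rbac:
        authz = "Azure RBAC for Azure AD principals + Kubernetes RBAC"
        remediation = None
    elif aad.get("managed"):
        authz = "Kubernetes RBAC with Azure AD authentication"
        remediation = "optional: az aks update ... --enable-azure-rbac"
    else:
        authz = "Kubernetes RBAC with local accounts only"
        remediation = "optional: az aks update ... --enable-aad --enable-azure-rbac"

    return {"name": name, "compliant": True, "authz": authz,
            "local_accounts": local_accounts, "remediation": remediation}


def audit(json_text):
    """Evaluate every cluster in an `az aks list -o json` document."""
    return [evaluate_cluster(c) for c in json.loads(json_text)]


def noncompliant_names(json_text):
    """Names of clusters that fail the rule, in input order."""
    return [r["name"] for r in audit(json_text) if not r["compliant"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_AZ_AKS_LIST):
        state = "PASS" if r["compliant"] else "FAIL"
        print(f"{state} {r['name']}: {r['authz']}"
              + (f" -> {r['remediation']}" if r["remediation"] else ""))
```

Run it against live data with `az aks list -o json > clusters.json` and `audit(open("clusters.json").read())`. Only the first cluster fails the rule; the other two pass, and the output still tells you which of them could be tightened further with Azure AD and Azure RBAC.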

References

  1. https://learn.microsoft.com/en-us/azure/aks/concepts-identity
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_active_directory_role_based_access_control
  3. https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac

Azure AKS

Azure Kubernetes Service (AKS) is Microsoft Azure's fully managed Kubernetes service, generally available since June 2018. It runs the open-source Kubernetes orchestrator as a managed control plane and is used to deploy, scale and manage containers and container-based applications in a cluster environment.

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset