Azure Kubernetes Service instances should have RBAC enabled

Description

Azure Kubernetes Service (AKS) can integrate Azure Active Directory users and groups into the Kubernetes role-based access control (RBAC) performed by the cluster's API server. With Kubernetes RBAC enabled, every request to the API server is authorized against Roles, ClusterRoles and their bindings, so access can be granted at the granularity of individual Kubernetes resources (namespaces, Deployments, Secrets, and so on) rather than only at the level of the AKS resource in Azure. Azure AD integration lets those bindings reference Azure AD identities instead of locally managed certificates or tokens, so cluster access follows the organisation's identity lifecycle. Both should be used together: RBAC enabled on the cluster, and an Azure AD group bound as the cluster administrators. Kubernetes RBAC can only be set when the cluster is created; a cluster created without it cannot be changed in place and must be recreated.

Remediation Steps

Azure Portal

Note: You need to create a new AKS cluster to enable RBAC

  • Before you begin, you need to create an Azure AD group. See Azure AD authentication overview for more information.

  • Navigate to Kubernetes services.

  • Click Create > Create a Kubernetes cluster.

  • Select your Subscription from the drop-down.

  • Select to either create a new resource group or select an existing resource group.

  • Enter a Kubernetes cluster name.

  • Select a Region from the drop-down.

  • Select the Availability zone from the drop-down.

  • Select the Kubernetes version from the drop-down.

  • Select the Node size.

  • Select the Scale method.

  • Select the Node count.

  • Click Next: Node Pools.

  • Keep the default Node pool options and click Next: Authentication.

  • In Authentication method, select System-assigned managed identity.

  • In Role-based access control (RBAC), select Enabled.

  • Check the AKS-managed Azure Active Directory checkbox.

  • In Admin Azure AD groups, select Add Azure AD group as administrators on this cluster.

    • Select an existing Azure AD group.

  • Click Review + create > Create.

Azure CLI

Note: You need to create a new AKS cluster to enable RBAC

  • Before you begin, you need to create an Azure AD group. See Azure AD authentication overview for more information.

  • Create a resource group for the cluster (replace the bracketed values with your own).

az group create --name [myResourceGroup] --location [centralus]

  • Create an AKS cluster with AKS-managed Azure AD integration, and grant your Azure AD group administrator access to it by passing the group's object ID. Kubernetes RBAC is enabled by default by az aks create; --enable-azure-rbac additionally uses Azure RBAC for Kubernetes authorization so that access is assigned with Azure role assignments.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids [AzureADGroupObjectId] --enable-azure-rbac
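To verify the rule across a subscription after remediation, the following audit script is added here as an example; it is not part of this page, of Azure, or of any Microsoft tool. It parses the JSON that az aks list -o json prints (a constructed sample is embedded; the cluster names, resource groups and group object IDs are made up) and flags clusters that have Kubernetes RBAC disabled, that have no AKS-managed Azure AD integration, or that have no Azure AD admin group bound. It goes slightly beyond the CLI output: the same check also accepts a single Microsoft.ContainerService/managedClusters resource from an ARM template, where the settings live under properties with the enableRBAC spelling.

```python
"""Audit AKS clusters for Kubernetes RBAC and Azure AD integration.

Added example for this page; it is not part of the page, of Azure, or of
any Microsoft tool. It reads the JSON that `az aks list -o json` prints
(or a single managedClusters resource from an ARM template) and reports
clusters that do not meet the rule. Sample data is constructed; all
names and object IDs are made up.
"""
import json
import sys

# Constructed `az aks list -o json` output: one compliant cluster, one
# created without RBAC or Azure AD, one with Azure AD but no admin group.
SAMPLE_AKS_LIST = json.dumps([
    {
        "name": "prod-aks",
        "resourceGroup": "rg-prod",
        "enableRbac": True,
        "aadProfile": {
            "managed": True,
            "adminGroupObjectIDs": ["11111111-2222-3333-4444-555555555555"],
        },
    },
    {
        "name": "legacy-aks",
        "resourceGroup": "rg-legacy",
        "enableRbac": False,
        "aadProfile": None,
    },
    {
        "name": "dev-aks",
        "resourceGroup": "rg-dev",
        "enableRbac": True,
        "aadProfile": {"managed": True, "adminGroupObjectIDs": []},
    },
])


def _get(d, key):
    """Case-insensitive key lookup: the CLI prints `enableRbac`, ARM
    templates use `enableRBAC`, and both shapes are accepted here."""
    for k, v in (d or {}).items():
        if k.lower() == key.lower():
            return v
    return None


def check_cluster(cluster):
    """Return the list of findings for one cluster (empty when compliant).

    `cluster` is either one element of `az aks list` output or a
    managedClusters resource from a template, in which case the settings
    sit under `properties`.
    """
    props = cluster.get("properties", cluster)
    findings = []
    if _get(props, "enableRBAC") is not True:
        findings.append(
            "Kubernetes RBAC is disabled; it cannot be turned on in place, "
            "recreate the cluster with RBAC enabled")
    aad = _get(props, "aadProfile") or {}
    if not aad:
        findings.append("no Azure AD integration (aadProfile missing)")
    else:
        if _get(aad, "managed") is not True:
            findings.append("Azure AD integration is not AKS-managed")
        if not _get(aad, "adminGroupObjectIDs"):
            findings.append("no Azure AD admin group bound to the cluster")
    return findings


def audit(aks_list_json):
    """Map each non-compliant cluster ('<resourceGroup>/<name>') to its findings."""
    report = {}
    for cluster in json.loads(aks_list_json):
        rg = cluster.get("resourceGroup")
        name = cluster.get("name", "<unnamed>")
        findings = check_cluster(cluster)
        if findings:
            report[f"{rg}/{name}" if rg else name] = findings
    return report


if __name__ == "__main__":
    # Usage: az aks list -o json | python3 aks_rbac_audit.py
    # With no piped input the constructed sample is audited instead.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    report = audit(raw or SAMPLE_AKS_LIST)
    for key, findings in report.items():
        for finding in findings:
            print(f"{key}: {finding}")
    sys.exit(1 if report else 0)
```

The script exits non-zero when any cluster has findings, so it can gate a pipeline; a finding for RBAC is always a recreate, while a missing admin group can be fixed in place with az aks update --aad-admin-group-object-ids.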

Azure Resource Manager

{
  "properties": {
    "enableRBAC": true
  }
}

Example Configuration

{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2021-09-01",
  "properties": {
    "enableRBAC": true
  }
  # other required fields here
}

Terraform

Example Configuration

resource "azurerm_kubernetes_cluster" "example" {
  # azurerm provider 3.x: the role_based_access_control { enabled = true }
  # block of provider 2.x was replaced by this argument. It defaults to
  # true, and changing it forces a new cluster.
  role_based_access_control_enabled = true

  # other required fields here
}