Azure Kubernetes Service instances should have RBAC enabled

Description

Azure Kubernetes Services has the capability to integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. This should be utilized to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls not just of the overarching AKS instance but also the individual resources managed within Kubernetes.

Remediation Steps

Azure Portal

Note: You need to create a new AKS cluster to enable RBAC

  • Before you begin, you need to create an Azure AD group. See Azure AD authentication overview for more information.

  • Navigate to Kubernetes services.

  • Click Create > Create a Kubernetes cluster.

  • Select your Subscription from the drop-down.

  • Select to either create a new resource group or select an existing resource group.

  • Enter a Kubernetes cluster name.

  • Select a Region from the drop-down.

  • Select the Availability zone from the drop-down.

  • Select the Kubernetes version from the drop-down.

  • Select the Node size.

  • Select the Scale method.

  • Select the Node count.

  • Click Next: Node Pools.

  • Keep the default Node pool options and click Next: Authentication.

  • In Authentication method, select System-assigned managed identity.

  • In Role-based access control (RBAC), select Enabled.

  • Check the AKS-managed Azure Active Directory checkbox.

  • In Admin Azure AD groups, select Add Azure AD group as administrators on this cluster.

    • Select an existing Azure AD group.

  • Click Review + create > Create.

Azure CLI

Note: You need to create a new AKS cluster to enable RBAC

  • Before you begin, you need to create an Azure AD group. See Azure AD authentication overview for more information.

  • Create an AKS cluster with Azure AD enabled.

az group create --name [myResourceGroup] --location [centralus]
  • Create an AKS cluster, and enable administration access for your Azure AD group

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac

Terraform

Example Configuration

resource "azurerm_kubernetes_cluster" "example" {
  role_based_access_control {
    enabled = true
  }

  # other required fields here
}