Ensure that Kubernetes Role-Based Access Control (RBAC) is enabled for all Azure Kubernetes Service (AKS) clusters in order to achieve fine-grained control over AKS cluster resources. Kubernetes RBAC regulates access to AKS resources based on the roles assigned to individual users or groups within your organization.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Microsoft Azure Kubernetes Service (AKS) can integrate Azure Active Directory (AD) users and groups into the Kubernetes RBAC controls exposed by the AKS Kubernetes API server. This integration provides granular access to Kubernetes resources within AKS clusters that have RBAC enabled. Once Kubernetes Role-Based Access Control (RBAC) is enabled, access to the AKS cluster, and to the individual resources Kubernetes manages inside it, is limited to what each user's or group's roles permit.
Audit
To determine if Kubernetes Role-Based Access Control is enabled for your AKS clusters, perform the following actions:
Remediation / Resolution
Kubernetes Role-Based Access Control (RBAC) cannot be configured for existing Azure Kubernetes Service (AKS) clusters. To enable and configure RBAC for your AKS clusters, you have to re-create these clusters. To relaunch your AKS clusters with the required RBAC configuration, perform the following actions:
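The audit and remediation steps above both start from the output of the Azure CLI. The following Python script is an added example, not Cloud Conformity's or Microsoft's code: it parses the JSON that `az aks list --output json` returns, flags every cluster whose `enableRbac` property is not true (and notes whether an `aadProfile`, i.e. Azure AD integration, is present), and builds the `az aks create` command for re-creating a flagged cluster. The cluster records embedded below are constructed sample data; `enableRbac` and `aadProfile` are the property names the AKS CLI returns. The `--enable-rbac` flag is assumed from older `az aks create` versions (recent CLI versions enable RBAC by default and offer `--disable-rbac` instead), so check it against your installed CLI.

```python
"""Audit AKS clusters for Kubernetes RBAC from `az aks list --output json`.

Added example (not Cloud Conformity's own code). `name`, `resourceGroup`,
`enableRbac` and `aadProfile` are properties returned by the AKS CLI; the
cluster records in SAMPLE_AKS_LIST are constructed sample data.
"""
import json
import subprocess
from typing import Any

# Constructed sample of `az aks list --output json`: one compliant cluster
# with Azure AD integration, one legacy cluster created without RBAC.
SAMPLE_AKS_LIST = json.dumps([
    {
        "name": "prod-aks",
        "resourceGroup": "rg-prod",
        "enableRbac": True,
        "aadProfile": {"managed": True,
                       "adminGroupObjectIDs": ["00000000-0000-0000-0000-000000000000"]},
    },
    {
        "name": "legacy-aks",
        "resourceGroup": "rg-legacy",
        "enableRbac": False,
        "aadProfile": None,
    },
])


def find_rbac_disabled(aks_list_json: str) -> list[dict[str, Any]]:
    """Return one finding per cluster whose Kubernetes RBAC is not enabled.

    A missing or false `enableRbac` means the cluster was created without
    RBAC and must be re-created. A missing `aadProfile` means no Azure AD
    integration; it is recorded so the replacement cluster can add it.
    """
    findings = []
    for cluster in json.loads(aks_list_json):
        rbac_enabled = bool(cluster.get("enableRbac", False))
        if rbac_enabled:
            continue
        findings.append({
            "name": cluster["name"],
            "resourceGroup": cluster["resourceGroup"],
            "enableRbac": rbac_enabled,
            "aadIntegrated": cluster.get("aadProfile") is not None,
        })
    return findings


def recreate_command(finding: dict[str, Any], location: str) -> list[str]:
    """Build the `az aks create` argv for a replacement cluster with RBAC on.

    RBAC cannot be switched on for an existing cluster, so the old cluster's
    workloads must be migrated and the old cluster removed before its name
    can be reused. `--enable-rbac` is assumed from older CLI versions; newer
    versions enable RBAC by default. Add the Azure AD integration flags for
    your CLI version per the referenced documentation.
    """
    return [
        "az", "aks", "create",
        "--resource-group", finding["resourceGroup"],
        "--name", finding["name"],
        "--location", location,
        "--enable-rbac",
    ]


def fetch_aks_list() -> str:
    """Run the real CLI (requires `az login`); not used by the offline demo."""
    return subprocess.run(
        ["az", "aks", "list", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    for f in find_rbac_disabled(SAMPLE_AKS_LIST):
        print(f"NON-COMPLIANT {f['resourceGroup']}/{f['name']}: "
              f"enableRbac={f['enableRbac']} aadIntegrated={f['aadIntegrated']}")
        print("  re-create with:", " ".join(recreate_command(f, "<location>")))
```

Replace `SAMPLE_AKS_LIST` with `fetch_aks_list()` to audit a real subscription; the script only reads cluster properties and prints the command it would run, it does not create or delete anything.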
References
- Azure Official Documentation
  - Integrate Azure Active Directory with Azure Kubernetes Service
  - Control access to cluster resources using role-based access control and Azure Active Directory identities in Azure Kubernetes Service
  - Service principals with Azure Kubernetes Service (AKS)
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
  - az aks
  - az aks list
  - az aks show
  - az aks create
  - az ad sp
  - az ad sp create-for-rbac
Rule: Enable Kubernetes Role-Based Access Control
Risk level: Medium