Enable RBAC Authorization for ACK Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-ACK-003

Ensure that Kubernetes Role-Based Access Control (RBAC) authorization is enabled for all ACK clusters in order to achieve fine-grained control over ACK cluster resources. Kubernetes RBAC regulates access to ACK cluster resources based on the roles of individual users or groups within an organization.

Security

In Kubernetes, Role-Based Access Control (RBAC) authorization is used to grant permissions to resources at the cluster and namespace level. RBAC lets you define roles, each a set of permissions, and bind those roles to RAM users (subaccounts), restricting each identity to only the resources within the cluster or namespaces that the RBAC policies allow. In Container Service for Kubernetes (ACK), it is important to deactivate the legacy authorizer and use RBAC authorization instead. Because Role-Based Access Control (RBAC) offers notable security benefits, it is strongly recommended to enable RBAC authorization for your ACK clusters.


Audit

To determine if RBAC authorization is enabled for your ACK clusters, perform the following operations:

Getting RBAC authorization information via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Security, choose Authorization.

06 To check RBAC permissions for RAM users, select the RAM Users tab, choose the user that you want to examine, and select Modify Permissions. If there are no permissions defined in the Add Permissions section, the selected RAM user does not have RBAC permissions on your ACK cluster. Repeat this step for each RAM user listed on the RAM Users panel.

07 To check RBAC permissions for RAM roles, select the RAM Roles tab, paste the name of the role that you want to examine into the RAM Role Name box, and select Modify Permissions. If there are no permissions defined in the Add Permissions section, the selected RAM role does not have RBAC permissions on your ACK cluster. Repeat this step for each RAM role that you want to examine.

08 Based on the findings collected in steps 6 and 7, if no RAM identities (users or roles) are configured with RBAC permissions, RBAC authorization is not enabled for the selected ACK cluster.

09 Repeat steps no. 4 – 8 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.
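The console check above can be complemented in-cluster: Kubernetes stores every RBAC grant as a RoleBinding (namespace-scoped) or a ClusterRoleBinding (cluster-wide), so the output of `kubectl get rolebindings,clusterrolebindings -A -o json` shows which subjects hold which roles and at what scope, however the grant was made. The script below is an added example, not part of the Conformity rule or any Alibaba Cloud tool; its input is a constructed sample in kubectl's JSON shape, and the RAM subject names are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample input in the shape kubectl emits for
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
# Subject names are placeholders, not real RAM identities.
SAMPLE_JSON = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "ram-user-placeholder-1"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-a-edit", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "ram-user-placeholder-2"},
                  {"kind": "ServiceAccount", "name": "ci", "namespace": "team-a"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "orphan", "namespace": "team-b"},
     "roleRef": {"kind": "Role", "name": "viewer"}},  # no subjects: grants nothing
]})


def subject_key(subject):
    """Stable identifier for a binding subject, e.g. 'ServiceAccount:team-a/ci'."""
    ns = subject.get("namespace")
    name = f"{ns}/{subject['name']}" if ns else subject["name"]
    return f"{subject['kind']}:{name}"


def summarize_bindings(raw_json):
    """Map each subject to the (scope, role) pairs it holds.
    scope is the namespace for a RoleBinding or '*' for a ClusterRoleBinding."""
    grants = defaultdict(set)
    for item in json.loads(raw_json)["items"]:
        scope = "*" if item["kind"] == "ClusterRoleBinding" else item["metadata"]["namespace"]
        role = item["roleRef"]["name"]
        for subject in item.get("subjects") or []:  # subjects may be absent or null
            grants[subject_key(subject)].add((scope, role))
    return dict(grants)


def cluster_admins(grants):
    """Subjects bound to cluster-admin at cluster scope: the broadest grant there is."""
    return sorted(s for s, pairs in grants.items() if ("*", "cluster-admin") in pairs)


def non_system_subjects(grants):
    """Subjects other than Kubernetes' own system:* identities. An empty list matches
    the rule's finding that no identity has been granted RBAC permissions."""
    return sorted(s for s in grants if not s.split(":", 1)[1].startswith("system:"))
```

Review the cluster_admins list with particular care, since a cluster-wide cluster-admin binding bypasses every namespace restriction the predefined ACK roles are meant to enforce.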

Remediation / Resolution

To enable RBAC authorization for your ACK clusters by granting appropriate RBAC permissions to RAM users or RAM roles, perform the following operations:

Enabling RBAC authorization for ACK clusters via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Security, choose Authorization.

06 To grant RBAC permissions to RAM users, select the RAM Users tab, choose the user that you want to configure, select Modify Permissions, and perform the following actions:

  1. Choose + Add Permissions to add RBAC permissions.
  2. Select your ACK cluster from the Clusters dropdown list. If you want to authorize a RAM user/role to manage all ACK clusters, select All Clusters from Clusters when you assign a predefined role to the RAM user or role.
  3. Select the cluster namespace from the Namespace dropdown list. To apply the RBAC permissions to all namespaces, choose All Namespaces.
  4. Choose the appropriate role from the Permission Management dropdown list. Container Service for Kubernetes (ACK) provides four predefined roles: Administrator, O&M Engineer, Developer, and Restricted User. These roles cover access to resources in the ACK console in most scenarios. For more granular control over permissions, ACK also lets you use custom roles in addition to the predefined roles. For each cluster or namespace, you can assign a RAM user one predefined role plus multiple custom roles.
  5. Choose Submit to apply the permission changes and enable RBAC authorization using RAM users.

07 To grant RBAC permissions to RAM roles, select the RAM Roles tab, paste the name of the role that you want to configure into the RAM Role Name box, select Modify Permissions, and perform the following actions:

  1. Choose + Add Permissions to add RBAC permissions.
  2. Select your ACK cluster from the Clusters dropdown list. If you want to authorize a RAM user/role to manage all ACK clusters, select All Clusters from Clusters when you assign a predefined role to the RAM user or role.
  3. Select the cluster namespace from the Namespace dropdown list. To apply the RBAC permissions to all namespaces, choose All Namespaces.
  4. Choose the appropriate role from the Permission Management dropdown list. ACK provides four predefined roles: Administrator, O&M Engineer, Developer, and Restricted User. These roles cover access to resources in the ACK console in most scenarios. For more granular control over permissions, ACK also lets you use custom roles in addition to the predefined roles. For each cluster or namespace, you can assign a RAM role one predefined role plus multiple custom roles.
  5. Choose Submit to apply the permission changes and enable RBAC authorization using RAM roles.

08 Repeat steps no. 4 – 7 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Publication date Feb 22, 2024