Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use Microsoft Entra ID Integration with Kubernetes RBAC

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Azure Kubernetes Service (AKS) clusters are configured to use Microsoft Entra ID for authentication and Kubernetes Role-Based Access Control (Kubernetes native RBAC) for authorization. This allows secure, centralized identity management and fine-grained access control, reducing security risks and enabling better governance.

Security
Operational
excellence

Interacting with the API server is essential for managing an Elastic Kubernetes Service (EKS) cluster. It is crucial to secure access to the API server and restrict it to authorized users only. Enabling Microsoft Entra ID with Kubernetes RBAC for an EKS cluster streamlines identity and access management by leveraging AAD's centralized authentication and RBAC capabilities. This type of integration enhances security, simplifies user management, and allows for consistent identity controls across both platforms, improving overall operational efficiency and reducing the complexity of managing access to the EKS cluster.

Audit

To determine if Microsoft Entra ID integration with Kubernetes RBAC is enabled for your AKS clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, under Settings, select Cluster configuration to access the configuration settings available for the selected AKS cluster.

07 In the Authentication and Authorization section, check the configuration option selected from the Authentication and Authorization dropdown list. If the selected option is not Microsoft Entra ID authentication with Kubernetes RBAC, Microsoft Entra ID integration with Kubernetes RBAC is not enabled for the selected Azure AKS cluster.

08 Repeat steps no. 5 – 7 for each AKS cluster provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription: 

az aks list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AKS cluster names: 

Name                     ResourceGroup
----------------------   ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to describe the Microsoft Entra ID integration profile available for the selected AKS cluster: 

az aks show
  --name cc-project5-aks-cluster
  --resource-group cloud-shell-storage-westeurope
  --query '{aadProfile:aadProfile}'

07 The command output should return the requested Microsoft Entra ID information: 

{
	"aadProfile": null
}

If the aks show command output returns null for the "aadProfile" attribute, Microsoft Entra ID integration with Kubernetes RBAC is not enabled for the selected Azure AKS cluster.

08 Repeat steps no. 6 and 7 for each AKS cluster available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Microsoft Entra ID integration with Kubernetes RBAC for your Azure Kubernetes Service (AKS) clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to configure.

06 In the resource navigation panel, under Settings, select Cluster configuration to access the configuration settings available for the selected AKS cluster.

07 In the Authentication and Authorization section, perform the following actions:

  1. Select Microsoft Entra ID authentication with Kubernetes RBAC from the Authentication and Authorization dropdown list to enable Microsoft Entra ID for authentication and Kubernetes native RBAC for authorization.
  2. For Cluster admin ClusterRoleBinding, click on the Choose Microsoft Entra group (link), and select the group(s) of users that will have administrative access to your Azure AKS cluster.

08 Choose Apply to apply the configuration changes.

09 Repeat steps no. 5 – 8 for each AKS cluster that you want to configure, available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks update command (OSX/Linux/UNIX) with the name of the cluster that you want to configure as the identifier parameter, to enable Microsoft Entra ID integration with Kubernetes RBAC for the selected Azure Kubernetes Service (AKS) cluster. Replace \<admin-group-id\> with the ID of the Microsoft Entra ID group that you want to grant admin access: 

az aks update
  --name cc-project5-aks-cluster
  --resource-group cloud-shell-storage-westeurope
  --enable-aad
  --aad-admin-group-object-ids <admin-group-id>

05 Once the update process is completed, the command output should return the information available for the modified AKS cluster: 

{
	"aadProfile": {
		"adminGroupObjectIDs": [
			"1234abcd-abcd-1234-abcd-abcd1234abcd"
		],
		"adminUsers": null,
		"clientAppId": null,
		"enableAzureRbac": null,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234"
	},

	...

	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
		"type": "SystemAssigned",
		"userAssignedIdentities": null
	},
	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null
	}
}

06 Repeat steps no. 4 and 5 for each AKS cluster that you want to configure, available within the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Aug 8, 2023

Related AKS rules