Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Control Access to AKS Cluster Configuration File

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Use Azure Role-Based Access Control (RBAC) to control access to the Azure Kubernetes Service (AKS) cluster configuration file and prevent unauthorized users from controlling the cluster. This helps protect against security breaches, data exposure, and disruptions to critical workloads. Azure RBAC allows you to control who can retrieve the cluster configuration file (i.e. kubeconfig) and what permissions they have within the cluster. You can assign two Azure roles to Microsoft Entra users or groups for this purpose: Azure Kubernetes Service Cluster Admin Role and Azure Kubernetes Service Cluster User Role.

Security
Operational
excellence

Protecting kubeconfig is essential for security. The kubeconfig file contains credentials and connection details that allow users to interact with the Kubernetes cluster. If unauthorized individuals gain access, they could manipulate or compromise the cluster, leading to data breaches or disruptions. By using Azure Role-Based Access Control (RBAC), organizations can control who can access the kubeconfig file and what permissions they have, ensuring that only authorized users can interact with the cluster securely.

Audit

To determine if the access to your AKS cluster configuration file is controlled using Azure RBAC, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, choose Access control (IAM), select the Role assigments tab, and choose All.

07 Click inside the Scope: All scopes filter box, choose This resource to list only the role assignments available for the selected AKS cluster.

08 Click inside the Role filter box, type Azure Kubernetes Service Cluster Admin Role, and press Enter. If no results were found, there is no Azure Kubernetes Service Cluster Admin Role role assignment created for the cluster. Similarly, repeat this step for the Azure Kubernetes Service Cluster User Role role assignment. If no role assigments using Azure Kubernetes Service Cluster Admin Role or Azure Kubernetes Service Cluster User Role were found, the access to your AKS cluster configuration file is not controlled using Azure RBAC.

09 Repeat steps no. 5 – 8 for each AKS cluster provisioned in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the ID of each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription: 

az aks list
  --query '[*].id'

05 The command output should return the requested AKS cluster IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster",
]

06 Run role assignment list command (Windows/macOS/Linux) with the ID of the AKS cluster that you want to examine as the identifier parameter, to list the name of each role assigned to the selected cluster: 

az role assignment list
  --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster"
  --output table
  --query '[*].roleDefinitionName'

07 The command output should return the requested role names: 

Result
-------------------------------------------
Monitoring Contributor
Log Analytics Contributor
Azure Kubernetes Service RBAC Cluster Admin

If Azure Kubernetes Service Cluster Admin Role or Azure Kubernetes Service Cluster User Role is not listed in the Result table returned by the role assignment list command output, there are no role assigments using Azure Kubernetes Service Cluster Admin Role or Azure Kubernetes Service Cluster User Role. Therefore, access to your AKS cluster configuration file is not controlled using Azure RBAC.

08 Repeat steps no. 6 and 7 for each AKS cluster provisioned within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that access to your Azure Kubernetes Service (AKS) cluster configuration file is controlled using Azure RBAC, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to configure.

06 In the resource navigation panel, select Access control (IAM), choose Add, select Add role assigment, and perform the following actions to assign Azure roles that limit who can get the configuration information for your AKS cluster:

  1. For Role, select Job function roles, find and select Azure Kubernetes Service Cluster Admin Role or Azure Kubernetes Service Cluster User Role, depending on your access requirements, and choose Next to continue the assignment process.
  2. For Members, select User, group, or service principal next to Assign access to, choose Select members next to Members, and select the Microsoft Entra user or group to whom you want to assign the role. Choose Review + assign to continue.
  3. For Review + assign, review the role assigment information, then choose Review + assign to complete the assignment process.

07 Repeat steps no. 5 and 6 for each AKS cluster that you want to configure, available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 To assign Azure roles that limit who can get the configuration information for your Azure Kubernetes Service (AKS) cluster, perform the following actions:

  1. Run role assignment create command (OSX/Linux/UNIX) with the ID of the cluster that you want to configure as the identifier parameter, to assign the Azure Kubernetes Service Cluster Admin Role to the Microsoft Entra user or group specified by the --assignee-object-id command parameter: 
    az role assignment create
  --role "Azure Kubernetes Service Cluster Admin Role"
  --assignee-object-id "1234abcd-abcd-1234-abcd-abcd1234abcd"
  --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster"
  2. The command output should return the new role assignment information: 
    {
	"condition": null,
	"conditionVersion": null,
	"createdBy": null,
	"createdOn": "2024-10-11T11:54:41.729071+00:00",
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster/providers/Microsoft.Authorization/roleAssignments/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"name": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"principalId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"principalType": "User",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster",
	"type": "Microsoft.Authorization/roleAssignments",
	"updatedBy": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"updatedOn": "2024-10-11T11:54:42.025069+00:00"
}
  3. Run role assignment create command (OSX/Linux/UNIX) to assign the Azure Kubernetes Service Cluster User Role to the Microsoft Entra user or group specified by the --assignee-object-id command parameter: 
    az role assignment create
  --role "Azure Kubernetes Service Cluster User Role"
  --assignee-object-id "1234abcd-abcd-1234-abcd-abcd1234abcd"
  --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster"
  4. The command output should return the new role assignment information: 
    {
	"condition": null,
	"conditionVersion": null,
	"createdBy": null,
	"createdOn": "2024-10-11T11:54:41.729071+00:00",
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster/providers/Microsoft.Authorization/roleAssignments/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"name": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"principalId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"principalType": "User",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-data-mining-cluster",
	"type": "Microsoft.Authorization/roleAssignments",
	"updatedBy": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"updatedOn": "2024-10-11T11:54:42.025069+00:00"
}

05 Repeat step no. 4 for each AKS cluster that you want to configure, available within the selected Azure subscription.

06 Repeat steps no. 3 – 5 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 21, 2024

Related AKS rules