Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Azure Role-Based Access Control (RBAC) for Kubernetes Authorization

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Azure Role-Based Access Control (RBAC) is enabled for Azure Kubernetes Service (AKS) clusters. Azure RBAC for Kubernetes Authorization in Azure AKS allows you to control access to Kubernetes resources based on the roles assigned to users or service principals in Azure. It integrates Azure RBAC with Kubernetes' native RBAC, enabling fine-grained permissions for managing AKS resources and operations at both the Azure and Kubernetes levels.

Security

Enabling Azure RBAC for Kubernetes authorization simplifies access management by unifying Azure and Kubernetes permissions. It allows centralized, Role-Based Access Control, ensuring consistent and secure governance across both Azure resources and Kubernetes workloads. This integration helps streamline operations and improves security by reducing the complexity of managing separate permission systems.

Audit

To determine if Azure RBAC for Kubernetes authorization is enabled for Azure AKS clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, under Settings, select Cluster configuration to access the configuration settings available for the selected AKS cluster.

07 In the Authentication and Authorization section, check the configuration option selected from the Authentication and Authorization dropdown list. If the selected option is not Microsoft Entra ID authentication with Azure RBAC, Azure RBAC for Kubernetes authorization is not enabled for the selected Azure Kubernetes Service (AKS) cluster.

08 Repeat steps no. 5 – 7 for each AKS cluster provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription: 

az aks list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AKS cluster names: 

Name                    ResourceGroup
----------------------  ------------------------------
cc-data-mining-cluster  cloud-shell-storage-westeurope
cc-project5-cluster     cloud-shell-storage-westeurope

06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to describe the configuration status of the Azure Role-Based Access Control (RBAC) feature, available for the selected AKS cluster: 

az aks show
  --name cc-data-mining-cluster
  --resource-group cloud-shell-storage-westeurope
  --query '{enableAzureRbac:aadProfile.enableAzureRbac}'

07 The command output should return the requested feature status (true for enabled, false for disabled): 

{
	"enableAzureRbac": false
}

If the command output returns null or false for the "enableAzureRbac" configuration attribute, Azure RBAC for Kubernetes authorization is not enabled for the selected Azure Kubernetes Service (AKS) cluster.

08 Repeat steps no. 6 and 7 for each AKS cluster available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that Azure Role-Based Access Control (RBAC) for Kubernetes authorization is enabled for your Azure AKS clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.

05 Click on the name (link) of the AKS cluster that you want to configure.

06 In the resource navigation panel, under Settings, select Cluster configuration to access the configuration settings available for the selected AKS cluster.

07 In the Authentication and Authorization section, select Microsoft Entra ID authentication with Azure RBAC from the Authentication and Authorization dropdown list to enable Azure Role-Based Access Control (RBAC) for Kubernetes authorization.

08 Choose Apply to apply the configuration changes.

09 Repeat steps no. 5 – 8 for each AKS cluster that you want to configure, available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks update command (OSX/Linux/UNIX) with the name of the cluster that you want to configure as the identifier parameter, to enable to enable Azure Role-Based Access Control (RBAC) for Kubernetes authorization, for the selected Azure AKS cluster: 

az aks update
  --name cc-data-mining-cluster
  --resource-group cloud-shell-storage-westeurope
  --enable-azure-rbac

05 The command output should return the configuration information available for the modified AKS cluster: 

{
	"aadProfile": {
		"adminGroupObjectIDs": [
			"abcdabcd-1234-abcd-1234-abcdabcdabcd"
		],
		"clientAppId": null,
		"enableAzureRbac": true,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},

	...

	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"upgradeSettings": null,
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null,
		"verticalPodAutoscaler": null
	}
}

06 Repeat steps no. 4 and 5 for each AKS cluster that you want to configure, available within the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 21, 2024

Related AKS rules