Ensure that Kubernetes Role-Based Access Control (RBAC) is enabled for all Azure Kubernetes Service (AKS) clusters in order to achieve fine-grained control over AKS cluster resources. Kubernetes RBAC regulates access to the cluster's API server, and therefore to every resource the cluster manages, according to the roles granted to individual users or groups within your organization.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Microsoft Azure Kubernetes Service (AKS) can integrate Microsoft Entra ID users and groups into the Kubernetes RBAC controls enforced by the AKS Kubernetes API server. With this integration, Kubernetes Role and ClusterRole bindings can reference Entra ID identities, giving granular access to Kubernetes resources within AKS clusters that have RBAC enabled. Once Kubernetes Role-Based Access Control (RBAC) is enabled, every request to the API server is authorized against those bindings, so access to the cluster, and to the individual resources Kubernetes manages inside it, is limited to what each identity has been granted rather than being available in full to any authenticated client.
Audit
To determine if Kubernetes Role-Based Access Control is enabled for your AKS clusters, perform the following actions:
Remediation / Resolution
Kubernetes Role-Based Access Control (RBAC) cannot be switched on for an existing Azure Kubernetes Service (AKS) cluster; the setting is fixed when the cluster is created. To enable RBAC for a cluster that was created without it, you have to re-create the cluster (new AKS clusters have RBAC enabled unless it is explicitly disabled at creation time) and migrate its workloads. To relaunch your AKS clusters with the required RBAC configuration, perform the following actions:
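The audit and re-creation steps are not reproduced on this page, so the following is an added example, not code from the Conformity page, of how a practitioner would run the Audit check and the Remediation step with the Azure CLI referenced above. It assumes that the cluster's RBAC setting is exposed as the enableRbac property in az aks show / az aks list output, that the --query projection shown yields the columns in the order name, resource group, enableRbac, and that --enable-aad and --aad-admin-group-object-ids are the az aks create flags for the Entra ID integration. The cluster names, resource groups and the sample TSV are constructed, not taken from a real subscription.

```shell
#!/bin/sh
# Added example, not taken from the Conformity page: audit AKS clusters for
# Kubernetes RBAC from `az aks list` output, then show the re-create step.
#
# Live input (assumed column order; enableRbac is assumed to be the property
# that `az aks show` reports for the cluster's RBAC setting):
#   az aks list --query "[].[name, resourceGroup, enableRbac]" -o tsv | audit_aks_rbac

TAB="$(printf '\t')"

# Reads "<name>TAB<resource group>TAB<True|False>" lines on stdin.
# Prints one line per cluster whose RBAC flag is not true.
# Returns 0 when every cluster has RBAC enabled, 1 when any does not.
audit_aks_rbac() {
    _noncompliant=0
    while IFS="$TAB" read -r name rg rbac; do
        [ -n "$name" ] || continue                 # skip blank lines
        case "$rbac" in
            [Tt]rue) ;;                            # compliant
            *)
                # A missing or non-true value is treated as a finding, not as pass.
                printf 'NON-COMPLIANT: %s (resource group %s) enableRbac=%s\n' \
                    "$name" "$rg" "${rbac:-missing}"
                _noncompliant=1
                ;;
        esac
    done
    return "$_noncompliant"
}

# Constructed sample of `az aks list` TSV output; not from a real subscription.
SAMPLE_AKS_TSV="$(printf 'aks-prod-eastus\trg-prod\tTrue\naks-legacy-dev\trg-dev\tFalse\n')"

# Run the audit over the sample when executed directly.
if printf '%s\n' "$SAMPLE_AKS_TSV" | audit_aks_rbac; then
    echo "All AKS clusters have Kubernetes RBAC enabled."
else
    echo "Re-create the clusters listed above with RBAC enabled."
fi

# Remediation (commented out: needs a live subscription). RBAC is fixed at
# creation time and `az aks create` enables it by default; the only way to
# lose it is the --disable-rbac flag, so never pass that flag. The Entra ID
# flags below (assumed names from the az aks create reference) bind the given
# group to the cluster admin role; the names are placeholders.
#   az aks create -g rg-dev -n aks-dev-rbac \
#       --enable-aad --aad-admin-group-object-ids "<entra-group-object-id>"
#   az aks show -g rg-dev -n aks-dev-rbac --query enableRbac -o tsv   # expect: True
```

The check deliberately treats an empty or unexpected value in the enableRbac column as a finding rather than as compliant, so a cluster whose output was truncated or whose property name changed surfaces for manual review instead of silently passing.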
References
- Azure Official Documentation
  - Integrate Microsoft Entra ID with Azure Kubernetes Service
  - Control access to cluster resources using role-based access control and Microsoft Entra ID identities in Azure Kubernetes Service
  - Service principals with Azure Kubernetes Service (AKS)
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
  - az aks
  - az aks list
  - az aks show
  - az aks create
  - az ad sp
  - az ad sp create-for-rbac
Enable Kubernetes Role-Based Access Control
Risk Level: Medium