Azure Kubernetes Cluster without RBAC enabled

ID

aks_rbac_enabled

Severity

low

Vendor

Azure

Resource

Kubernetes

Tags

reachable

Description

RBAC should be enforced for Azure AKS.

Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks such as health monitoring and maintenance. Because the Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes. As a result, AKS itself is free; you pay only for the agent nodes within your clusters, not for the masters.

AKS can be configured to use Azure Active Directory (AD) together with Kubernetes Role-based Access Control (RBAC). With RBAC you create a role definition that outlines the permissions to be applied. A user or group is then assigned this role definition for a particular scope, which can be an individual resource, a resource group, or the whole subscription.

By signing in to an AKS cluster with an Azure AD authentication token and configuring Kubernetes RBAC, access to cluster resources is limited based on a user's identity or group membership.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "apiVersion": "2018-03-31",
      "type": "Microsoft.ContainerService/managedClusters",
      "location": "[resourceGroup().location]",
      "name": "bad", (1)
      "properties": {
        "kubernetesVersion": "[variables('kubernetesVersion')]",
        "dnsPrefix": "[variables('dnsPrefix')]",
        "enableRBAC": false
      }
    }
  ]
}
1 AKS with RBAC disabled (enableRBAC is a boolean property; false leaves the cluster without Kubernetes RBAC).

Terraform

resource "azurerm_kubernetes_cluster" "bad" {
  # ... rest ...
  role_based_access_control_enabled = false
}

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "apiVersion": "2018-03-31",
      "type": "Microsoft.ContainerService/managedClusters",
      "location": "[resourceGroup().location]",
      "name": "good", (1)
      "properties": {
        "kubernetesVersion": "[variables('kubernetesVersion')]",
        "dnsPrefix": "[variables('dnsPrefix')]",
        "enableRBAC": true
      }
    }
  ]
}
1 AKS with RBAC enabled (enableRBAC set to the boolean true).

Terraform

resource "azurerm_kubernetes_cluster" "good" {
  # ... rest ...
  role_based_access_control_enabled = true
}
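To see how the aks_rbac_enabled rule can be applied at build time, here is an added example scanner (not the page's or any scanner's own code) that checks an ARM template and a Terraform file for clusters that do not enable RBAC. It assumes ARM authors may write the boolean as a "true"/"false" string, treats a missing enableRBAC as a finding, and matches Terraform with a regex rather than a full HCL parser; the sample inputs are constructed to mirror the bad/good examples above.

```python
import json
import re

# Added example (not the page's or any scanner's own code): applies the
# aks_rbac_enabled rule offline to an ARM template and a Terraform file.
# Assumes ARM booleans may be written as "true"/"false" strings, treats a
# missing enableRBAC as a finding, and matches Terraform with a regex that
# expects the resource's closing brace at column 0 (no HCL parser).
AKS_TYPE = "Microsoft.ContainerService/managedClusters"

def _is_true(value) -> bool:
    # Accept JSON true as well as the string "true" (case-insensitive).
    return str(value).strip().lower() == "true"

def check_arm(template_text: str) -> list[str]:
    """Names of AKS resources whose properties.enableRBAC is not explicitly true."""
    findings = []
    for res in json.loads(template_text).get("resources", []):
        if res.get("type") != AKS_TYPE:
            continue
        props = res.get("properties") or {}
        if not _is_true(props.get("enableRBAC", "false")):
            findings.append(res.get("name", "<unnamed>"))
    return findings

_TF_BLOCK = re.compile(r'resource\s+"azurerm_kubernetes_cluster"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_TF_FLAG = re.compile(r"^\s*role_based_access_control_enabled\s*=\s*(true|false)\s*$", re.M)

def check_terraform(hcl_text: str) -> list[str]:
    """Names of azurerm_kubernetes_cluster resources that set the flag to false."""
    # The azurerm provider defaults role_based_access_control_enabled to true,
    # so only an explicit false is reported here.
    return [name for name, body in _TF_BLOCK.findall(hcl_text)
            if (m := _TF_FLAG.search(body)) and m.group(1) == "false"]

SAMPLE_ARM = json.dumps({"resources": [  # constructed sample input
    {"type": AKS_TYPE, "name": "bad", "properties": {"enableRBAC": "false"}},
    {"type": AKS_TYPE, "name": "good", "properties": {"enableRBAC": True}},
    {"type": AKS_TYPE, "name": "unset", "properties": {}},
]})
SAMPLE_TF = """
resource "azurerm_kubernetes_cluster" "bad" {
  default_node_pool {
    name = "default"
  }
  role_based_access_control_enabled = false
}
resource "azurerm_kubernetes_cluster" "good" {
  role_based_access_control_enabled = true
}
"""
```

Running `check_arm(SAMPLE_ARM)` reports `bad` and `unset`, while `check_terraform(SAMPLE_TF)` reports only `bad`, since the Terraform provider default already enables RBAC.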