Profile Applicability:

  • Level 2

Description:
 Integrating Azure Active Directory (Azure AD, now Microsoft Entra ID) with Kubernetes Role-Based Access Control (RBAC) lets users of an Azure Kubernetes Service (AKS) cluster authenticate with their Azure AD identities, so that Kubernetes RoleBindings and ClusterRoleBindings can reference Azure AD users and groups instead of locally issued client certificates. This check ensures that AKS-managed Azure AD integration is enabled on the cluster and that Kubernetes RBAC bindings grant access by Azure AD group membership.

Rationale:
 Using Azure AD for Kubernetes RBAC provides centralized user authentication and authorization management, making it easier to control and audit user access to Kubernetes resources. By integrating Azure AD, you align Kubernetes user management with your organizational security policies and existing Azure AD groups: a user who leaves a group or whose account is disabled loses cluster access at the next sign-in, without editing bindings in every cluster. Note that the integration only changes how users authenticate; authorization is still expressed in Kubernetes RBAC bindings, so those bindings must be written to reference the Azure AD groups.

Impact:

  • Pros:

    • Provides centralized user management and authentication using Azure AD.

    • Integrates seamlessly with existing Azure AD security policies and user groups.

    • Simplifies RBAC management by leveraging Azure AD roles and groups for fine-grained access control.

  • Cons:

    • Requires Azure AD integration to be enabled on the cluster and kubelogin on the workstations that run kubectl against it.

    • Existing Kubernetes RBAC bindings must be updated to reference Azure AD groups by object ID; a group display name never matches the groups claim in the token.

    • Enabling the integration does not remove the local admin credential: az aks get-credentials --admin still returns a client certificate that bypasses Azure AD until local accounts are disabled on the cluster.

Default Value:
 By default, an AKS cluster is created without Azure AD integration (aadProfile is null): users authenticate with the cluster's local accounts, i.e. the client certificates issued by az aks get-credentials, and Kubernetes RBAC bindings can only reference those local identities. Azure AD integration must be enabled explicitly, either at cluster creation or by a later update.

Pre-requisites:
 Ensure that the Azure AD groups that will receive cluster access exist, that you have their object IDs (not only their display names), and that kubelogin is installed on the workstations that will run kubectl against the cluster.

Remediation

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and open your Azure Kubernetes Service (AKS) cluster.

  2. Under Settings, open Security configuration and verify that the authentication and authorization method is Azure AD authentication with Kubernetes RBAC (not Local accounts with Kubernetes RBAC), and note the Azure AD groups listed as cluster admin groups.

  3. The portal does not list Kubernetes RoleBindings or ClusterRoleBindings; review those with kubectl (see Using Azure CLI below) to confirm that access is granted to Azure AD groups by object ID rather than to local or certificate-based identities.

Using Azure CLI:

  1. Use the following command to verify that Azure AD integration is enabled for your AKS cluster and whether local accounts are still enabled:

     az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "{aadProfile:aadProfile,disableLocalAccounts:disableLocalAccounts}"

  2. Ensure that aadProfile is not null, that managed is true (AKS-managed integration rather than the legacy client/server application model), that tenantId is your tenant, and that adminGroupObjectIDs lists the Azure AD groups that should hold cluster-admin. If disableLocalAccounts is false, the certificate-based admin credential still bypasses Azure AD.

  3. To list the subjects of all ClusterRoleBindings and RoleBindings in one view, run:

     kubectl get clusterrolebindings,rolebindings --all-namespaces -o custom-columns='KIND:.kind,NAMESPACE:.metadata.namespace,NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name'

  4. Verify that Group subjects are Azure AD group object IDs (GUIDs), that any User subjects are Azure AD user principal names, and that cluster-admin is bound cluster-wide only to the intended admin groups.
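The checks of the two CLI steps above can be applied offline to saved command output. The following is an added example written for this benchmark item; it is not Microsoft code and not part of the original text. The two JSON documents are constructed samples in the shape of az aks show and kubectl get ... -o json output, with made-up object IDs, not data from a real cluster.

```python
"""Offline audit of an AKS cluster's Azure AD / Kubernetes RBAC state.

Added example for this benchmark item (not Microsoft code). It applies the
Test Plan checks to the JSON that `az aks show` and
`kubectl get clusterrolebindings,rolebindings -A -o json` would return.
The two documents below are constructed samples, not real cluster output.
"""
import json
import re

# In AKS-managed Azure AD clusters a Group subject in a binding must be the Azure AD
# group's object ID (a GUID). A display name never matches the groups claim.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample of the relevant fields of `az aks show -g <rg> -n <name> -o json`.
AKS_SHOW_SAMPLE = json.dumps({
    "name": "aks-sample",
    "aadProfile": {
        "managed": True,
        "enableAzureRbac": False,
        "tenantId": "0f3b6c1a-6b2e-4a9d-9a4f-1c8e2d5b7a10",
        "adminGroupObjectIDs": ["6d1c0d5e-2f1b-4a7c-8e3d-9b0a1c2d3e4f"],
    },
    "disableLocalAccounts": False,
})

# Constructed sample in the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`.
BINDINGS_SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "aks-cluster-admin-binding-aad"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "6d1c0d5e-2f1b-4a7c-8e3d-9b0a1c2d3e4f"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "platform-readers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "AKS-Platform-Readers"}]},  # display name: never matches
    {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "alice@contoso.example"}]},
]})


def audit_aad_profile(aks_show_json):
    """Cluster-level checks. Returns a list of (code, detail) findings; empty means compliant."""
    cluster = json.loads(aks_show_json)
    aad = cluster.get("aadProfile") or {}
    if not aad:
        return [("AAD_NOT_ENABLED", "aadProfile is null: kubectl users are not authenticated by Azure AD")]
    findings = []
    if not aad.get("managed"):
        findings.append(("AAD_LEGACY", "aadProfile.managed is false: legacy client/server app integration"))
    if not aad.get("adminGroupObjectIDs"):
        findings.append(("NO_ADMIN_GROUP", "adminGroupObjectIDs is empty: no Azure AD group holds cluster-admin"))
    if not cluster.get("disableLocalAccounts"):
        findings.append(("LOCAL_ACCOUNTS_ENABLED",
                         "disableLocalAccounts is false: 'az aks get-credentials --admin' still bypasses Azure AD"))
    return findings


def audit_bindings(bindings_json):
    """Binding-level check: every Group subject must be an Azure AD group object ID."""
    findings = []
    for b in json.loads(bindings_json)["items"]:
        meta = b["metadata"]
        where = f"{b['kind']}/{meta['name']}"
        if meta.get("namespace"):
            where += f" (namespace {meta['namespace']})"
        for s in b.get("subjects") or []:
            if s["kind"] == "Group" and not GUID_RE.match(s["name"]):
                findings.append(("GROUP_NOT_OBJECT_ID",
                                 f"{where}: Group subject '{s['name']}' is not an Azure AD group object ID"))
    return findings


def cluster_admin_subjects(bindings_json):
    """Inventory of who holds cluster-admin cluster-wide. Only ClusterRoleBindings count:
    a RoleBinding to cluster-admin is confined to its namespace."""
    out = []
    for b in json.loads(bindings_json)["items"]:
        if b["kind"] == "ClusterRoleBinding" and b["roleRef"]["name"] == "cluster-admin":
            out.extend((s["kind"], s["name"]) for s in b.get("subjects") or [])
    return out


if __name__ == "__main__":
    for code, detail in audit_aad_profile(AKS_SHOW_SAMPLE) + audit_bindings(BINDINGS_SAMPLE):
        print(f"[{code}] {detail}")
    print("cluster-admin held cluster-wide by:", cluster_admin_subjects(BINDINGS_SAMPLE))
```

Run against the samples it reports that local accounts are still enabled and that the platform-readers binding references a display name, which is exactly the binding that silently grants nothing. Feed it real output by replacing the two samples with the files written by az aks show -o json and kubectl get ... -o json.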

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, navigate to your AKS cluster.

  2. Under Settings, open Security configuration and change the authentication and authorization method to Azure AD authentication with Kubernetes RBAC.

  3. In the same blade, select the Azure AD group(s) that should hold cluster-admin; these become the cluster admin groups (adminGroupObjectIDs). The portal assigns only cluster-admin. Any other role (admin, edit, view or a custom role) is granted with Kubernetes RoleBindings and ClusterRoleBindings as in the CLI steps below.

  4. Once all required access has been granted through Azure AD groups, disable local accounts (in Security configuration, or with az aks update --disable-local-accounts) so that the certificate-based admin credential can no longer bypass Azure AD.

Using Azure CLI:

  1. To enable AKS-managed Azure AD integration for your AKS cluster, designating the Azure AD group that receives cluster-admin, run:

     az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --enable-aad --aad-admin-group-object-ids <admin-group-object-id> --aad-tenant-id <tenant-id>

  2. Fetch credentials and sign in as an Azure AD user. The kubeconfig written by az aks get-credentials uses kubelogin, and the first kubectl command prompts for Azure AD authentication:

     az aks get-credentials --resource-group <resource-group-name> --name <aks-cluster-name>
     kubectl get nodes

  3. Grant further access by binding Azure AD groups (by object ID) to Kubernetes roles. For cluster-wide access to a ClusterRole, create a ClusterRoleBinding; for example, to grant the built-in view role across the whole cluster:

     kubectl create clusterrolebinding <binding-name> --clusterrole=view --group=<azure-ad-group-object-id>

  4. To confine a ClusterRole to a single namespace, create a RoleBinding in that namespace instead. Note that a RoleBinding to cluster-admin grants full control of that namespace only, not of the cluster:

     kubectl create rolebinding <binding-name> --clusterrole=<role-name> --group=<azure-ad-group-object-id> --namespace=<namespace-name>

  5. When all required access is granted through Azure AD, disable local accounts so that az aks get-credentials --admin no longer returns a certificate that bypasses Azure AD:

     az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --disable-local-accounts
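The scope distinction in the binding steps above (a ClusterRoleBinding applies a ClusterRole cluster-wide, a RoleBinding applies the same ClusterRole to one namespace) and the requirement to use group object IDs are easy to get wrong by hand. The following added example, not part of the benchmark text and not Microsoft code, builds the binding manifest and refuses the two common mistakes; the group object ID, namespace and names are made up. It emits JSON, which kubectl apply -f - accepts directly, so no YAML library is needed.

```python
"""Build a correctly scoped Kubernetes RBAC binding for an Azure AD group.

Added example (not from the benchmark or from Microsoft). The object ID,
namespace and binding names used here are made up.
"""
import json
import re

# Azure AD group subjects must be object IDs (GUIDs), never display names.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
RBAC_API = "rbac.authorization.k8s.io"


def build_group_binding(group_object_id, cluster_role, namespace=None, name=None,
                        allow_cluster_admin=False):
    """Return the binding as a dict ready for `kubectl apply -f -`.

    namespace=None -> ClusterRoleBinding: the ClusterRole's rules apply cluster-wide.
    namespace set  -> RoleBinding: the same ClusterRole's rules apply in that namespace only.
    Cluster-wide cluster-admin is refused unless explicitly allowed, because AKS already
    grants it to the groups in adminGroupObjectIDs; granting it again here is usually a mistake.
    """
    if not GUID_RE.match(group_object_id):
        raise ValueError(f"use the Azure AD group object ID, not its display name: {group_object_id!r}")
    if cluster_role == "cluster-admin" and namespace is None and not allow_cluster_admin:
        raise ValueError("cluster-wide cluster-admin should come from the AKS admin group list")
    kind = "RoleBinding" if namespace else "ClusterRoleBinding"
    metadata = {"name": name or f"aad-{cluster_role}-{group_object_id[:8]}"}
    if namespace:
        metadata["namespace"] = namespace
    return {
        "apiVersion": f"{RBAC_API}/v1",
        "kind": kind,
        "metadata": metadata,
        "subjects": [{"apiGroup": RBAC_API, "kind": "Group", "name": group_object_id}],
        "roleRef": {"apiGroup": RBAC_API, "kind": "ClusterRole", "name": cluster_role},
    }


def manifest(binding):
    """Serialise the binding; pipe the result into `kubectl apply -f -`."""
    return json.dumps(binding, indent=2)


if __name__ == "__main__":
    dev_group = "3b7d9a2c-5e4f-4c1a-b8d6-7f0e1a2b3c4d"  # made-up Azure AD group object ID
    # edit confined to the dev namespace, view across the whole cluster
    print(manifest(build_group_binding(dev_group, "edit", namespace="dev")))
    print(manifest(build_group_binding(dev_group, "view")))
```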


Backout Plan:

Using Azure Console:

  1. AKS-managed Azure AD integration cannot be disabled once it is enabled. If the integration causes access problems, remove or correct the Kubernetes RBAC bindings that were added, adjust the cluster admin groups under Security configuration, and, if local accounts were disabled, re-enable them so that the certificate-based admin credential is available again.

Using Azure CLI:

  1. Revert the changes by removing the Azure AD role bindings that were added:

     kubectl delete clusterrolebinding <binding-name>
     kubectl delete rolebinding <rolebinding-name> --namespace=<namespace-name>

  2. AKS-managed Azure AD integration cannot be disabled (az aks update has no --disable-aad option). If local accounts were disabled, restore the certificate-based admin credential by re-enabling them and fetching admin credentials:

     az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --enable-local-accounts
     az aks get-credentials --resource-group <resource-group-name> --name <aks-cluster-name> --admin

  3. If the wrong Azure AD group was designated as cluster admin, replace the list with az aks update --aad-admin-group-object-ids <admin-group-object-id>.

