Profile Applicability:
Level 2
Description:
Azure Kubernetes Service (AKS) allows you to use Azure Role-Based Access Control (RBAC) to manage access to Kubernetes resources. This check ensures that Azure RBAC is enabled and used for authorization in the AKS cluster, so that access to Kubernetes resources is controlled through Azure AD roles and policies.
Rationale:
Azure RBAC integration with Kubernetes provides centralized user management, simplifies access control, and aligns with your existing Azure Active Directory (Azure AD) infrastructure. By leveraging Azure RBAC, organizations can enforce consistent access policies, improve security, and streamline user and role management across Azure services and Kubernetes clusters.
Impact:
Pros:
Centralized user and role management using Azure Active Directory (Azure AD).
Simplifies role assignment and management by using Azure's native security and policy framework.
Supports the principle of least privilege by allowing fine-grained control over Kubernetes resource access.
Cons:
Requires proper configuration of Azure AD and RBAC roles.
Could introduce complexity when integrating with existing Kubernetes RBAC configurations.
Default Value:
By default, Kubernetes RBAC uses its own internal authorization system. Azure RBAC must be explicitly enabled and configured to be used for authorization.
Pre-requisites:
Ensure that Azure Active Directory (Azure AD) integration with AKS is enabled and that the appropriate Azure AD roles are created and assigned.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Under Identity settings, ensure that Azure RBAC for Kubernetes is enabled.
Review the Access Control (IAM) settings for the AKS cluster to confirm that appropriate Azure AD roles (e.g., Owner, Contributor, Reader) are assigned to users and groups.
Using Azure CLI:
Check if Azure RBAC for Kubernetes is enabled with the following command:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "aadProfile"
Ensure that the aadProfile output shows Azure RBAC enabled (enableAzureRbac set to true) and the cluster linked to an Azure Active Directory (AAD) tenant.
List the current Azure RBAC roles assigned to users in the AKS cluster:
az role assignment list --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerService/managedClusters/<aks-cluster-name>
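The following script automates the Test Plan above: it feeds the aadProfile returned by az aks show and the assignments returned by az role assignment list through two evaluation functions, so the same logic can be rerun after the Implementation Plan to confirm the change. This is an added example, not part of the benchmark text or of Microsoft's tooling. It assumes the Azure CLI is installed and logged in when run with cluster arguments, and that the JSON field names used (managed, enableAzureRbac, tenantId, roleDefinitionName, scope, principalName) are those the CLI emits; the sample profile and assignments embedded in the script are constructed, not captured from a real cluster.

```python
"""Offline-testable audit of Azure RBAC for Kubernetes on an AKS cluster.

Assumptions: `az` is installed and logged in when cluster arguments are given;
field names match the Azure CLI JSON output. With no arguments the script
evaluates the constructed sample data below.
"""
import json
import subprocess
import sys

# Roles the check text names as examples; they grant broad control-plane
# rights, so the audit reports them for least-privilege review.
BROAD_ROLES = {"Owner", "Contributor"}

# Constructed sample CLI output (not from a real cluster), used for offline runs.
SAMPLE_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-example/providers/Microsoft.ContainerService"
                "/managedClusters/aks-example")
SAMPLE_PROFILE = {"managed": True, "enableAzureRbac": False,
                  "tenantId": "11111111-1111-1111-1111-111111111111",
                  "adminGroupObjectIDs": None}
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SAMPLE_SCOPE},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SAMPLE_SCOPE},
]


def evaluate_aad_profile(profile):
    """Return (passed, findings) for an aadProfile dict (None when absent)."""
    if not profile:
        return False, ["Azure AD integration is not enabled (aadProfile is null)"]
    findings = []
    if not profile.get("managed", False):
        findings.append("Azure AD integration is not AKS-managed")
    if not profile.get("enableAzureRbac", False):
        findings.append("Azure RBAC for Kubernetes Authorization is disabled")
    if not profile.get("tenantId"):
        findings.append("aadProfile has no tenantId")
    return not findings, findings


def evaluate_role_assignments(assignments, cluster_scope):
    """Return review findings for role assignments; nothing is modified.

    Broad roles are reported, as are assignments whose scope is a parent of
    the cluster (these appear when inherited assignments are included)."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        who = a.get("principalName") or a.get("principalId", "?")
        if role in BROAD_ROLES:
            findings.append(f"{who} holds broad role {role} at {scope}")
        if scope.lower() != cluster_scope.lower():
            findings.append(f"{who} holds {role} via parent scope {scope}")
    return findings


def run_az(args):
    """Run an az CLI command and parse its JSON output (requires az login)."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def audit(subscription_id, resource_group, cluster_name):
    """Live audit of one cluster; returns (passed, findings)."""
    scope = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.ContainerService/managedClusters/{cluster_name}")
    profile = run_az(["aks", "show", "-g", resource_group, "-n", cluster_name,
                      "--query", "aadProfile"])
    assignments = run_az(["role", "assignment", "list", "--scope", scope])
    passed, findings = evaluate_aad_profile(profile)
    findings += evaluate_role_assignments(assignments, scope)
    return passed, findings


def demo():
    """Evaluate the constructed sample data offline; returns (passed, findings)."""
    passed, findings = evaluate_aad_profile(SAMPLE_PROFILE)
    findings += evaluate_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SCOPE)
    return passed, findings


if __name__ == "__main__":
    if len(sys.argv) == 4:
        ok, notes = audit(*sys.argv[1:])
    else:
        ok, notes = demo()
    print("PASS" if ok else "FAIL")
    for n in notes:
        print(" -", n)
    sys.exit(0 if ok else 1)
```

Run it with the subscription id, resource group and cluster name to audit a live cluster, or with no arguments to see how the sample cluster (Azure RBAC disabled, a Contributor assignment at cluster scope) is reported. The evaluation functions are kept free of any CLI call so they can be unit-tested and reused in a pipeline.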
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to your Azure Kubernetes Service (AKS) cluster.
Under Identity, ensure that Azure Active Directory integration is enabled.
Enable Azure RBAC for Kubernetes Authorization under the Identity section of your AKS cluster settings.
Assign the appropriate Azure AD roles to users or service principals under Access Control (IAM) to grant permissions to Kubernetes resources, ensuring that only authorized users can access the cluster.
Using Azure CLI:
Enable Azure RBAC for Kubernetes Authorization by running the following command:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --enable-azure-rbac
Verify that Azure RBAC is enabled:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "aadProfile"
Assign roles to Azure AD users using the following command:
az role assignment create --assignee <user-or-service-principal-id> --role <role-name> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerService/managedClusters/<aks-cluster-name>
Backout Plan:
Using Azure Console:
If enabling Azure RBAC causes issues with access, you can revert the configuration in the Azure portal by disabling Azure AD integration or Azure RBAC for Kubernetes Authorization.
Using Azure CLI:
Revert the changes by running the following command to disable Azure RBAC for Kubernetes:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --disable-azure-rbac
Revert role assignments using the following command to remove users from roles:
az role assignment delete --assignee <user-or-service-principal-id> --role <role-name> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerService/managedClusters/<aks-cluster-name>