Use Azure RBAC for Kubernetes Authorization

Security · Azure Kubernetes Service · Rule · 2021_06 · Important

Use Azure RBAC for Kubernetes Authorization with AKS clusters.

Description

Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC.

• Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources.
• Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC.

Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM).

When Azure RBAC is enabled:

• Azure AD principals will be validated exclusively by Azure RBAC.
• Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC.

Recommendation

Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.

Examples

Configure with Azure template

To deploy AKS clusters that pass this rule:

• Set properties.aadProfile.enableAzureRBAC to true.

For example:

Azure Template snippet

{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2024-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
    }
  },
  "properties": {
    "kubernetesVersion": "[parameters('kubernetesVersion')]",
    "disableLocalAccounts": true,
    "enableRBAC": true,
    "dnsPrefix": "[parameters('dnsPrefix')]",
    "agentPoolProfiles": "[variables('allPools')]",
    "aadProfile": {
      "managed": true,
      "enableAzureRBAC": true,
      "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
      "tenantID": "[subscription().tenantId]"
    },
    "networkProfile": {
      "networkPlugin": "azure",
      "networkPolicy": "azure",
      "loadBalancerSku": "standard",
      "serviceCidr": "[variables('serviceCidr')]",
      "dnsServiceIP": "[variables('dnsServiceIP')]"
    },
    "apiServerAccessProfile": {
      "authorizedIPRanges": [
        "0.0.0.0/32"
      ]
    },
    "autoUpgradeProfile": {
      "upgradeChannel": "stable"
    },
    "oidcIssuerProfile": {
      "enabled": true
    },
    "addonProfiles": {
      "azurepolicy": {
        "enabled": true
      },
      "omsagent": {
        "enabled": true,
        "config": {
          "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
        }
      },
      "azureKeyvaultSecretsProvider": {
        "enabled": true,
        "config": {
          "enableSecretRotation": "true"
        }
      }
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
  ]
}

Configure with Bicep

To deploy AKS clusters that pass this rule:

• Set properties.aadProfile.enableAzureRBAC to true.

For example:

Azure Bicep snippet

resource cluster 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
  location: location
  name: name
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    kubernetesVersion: kubernetesVersion
    disableLocalAccounts: true
    enableRBAC: true
    dnsPrefix: dnsPrefix
    agentPoolProfiles: allPools
    aadProfile: {
      managed: true
      enableAzureRBAC: true
      adminGroupObjectIDs: clusterAdmins
      tenantID: subscription().tenantId
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPolicy: 'azure'
      loadBalancerSku: 'standard'
      serviceCidr: serviceCidr
      dnsServiceIP: dnsServiceIP
    }
    apiServerAccessProfile: {
      authorizedIPRanges: [
        '0.0.0.0/32'
      ]
    }
    autoUpgradeProfile: {
      upgradeChannel: 'stable'
    }
    oidcIssuerProfile: {
      enabled: true
    }
    addonProfiles: {
      azurepolicy: {
        enabled: true
      }
      omsagent: {
        enabled: true
        config: {
          logAnalyticsWorkspaceResourceID: workspaceId
        }
      }
      azureKeyvaultSecretsProvider: {
        enabled: true
        config: {
          enableSecretRotation: 'true'
        }
      }
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/container-service/managed-cluster:<version>

To use the latest version:

br/public:avm/res/container-service/managed-cluster:0.5.1

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Configure with Azure CLI

Azure CLI snippet

az aks update -n '<name>' -g '<resource_group>' --enable-azure-rbac

Links

• SE:05 Identity and access management
• Use Azure RBAC for Kubernetes Authorization
• Access and identity options for Azure Kubernetes Service (AKS)
• Azure deployment reference

Comments