Use Azure RBAC for Kubernetes Authorization
Security · Azure Kubernetes Service · Rule · 2021_06
Use Azure RBAC for Kubernetes Authorization with AKS clusters.
Description
Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and, optionally, Azure RBAC.
- Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources.
- Additionally, AKS supports granting Azure AD identities access to cluster resources using Azure RBAC.
Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resources can then be managed through Azure Resource Manager (ARM) role assignments.
When Azure RBAC is enabled:
- Azure AD principals are validated exclusively by Azure RBAC.
- Kubernetes users and service accounts are validated exclusively by Kubernetes RBAC.
Recommendation
Consider using Azure RBAC for Kubernetes Authorization to centralize authorization of Azure AD principals.
Examples
Configure with Azure template
To deploy AKS clusters that pass this rule:
- Set properties.aadProfile.enableAzureRBAC to true.
For example:
Azure Template snippet

```json
{
  "comments": "Azure Kubernetes Cluster",
  "apiVersion": "2020-12-01",
  "dependsOn": [
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
  ],
  "type": "Microsoft.ContainerService/managedClusters",
  "location": "[parameters('location')]",
  "name": "[parameters('clusterName')]",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]": {}
    }
  },
  "properties": {
    "kubernetesVersion": "[parameters('kubernetesVersion')]",
    "disableLocalAccounts": true,
    "enableRBAC": true,
    "dnsPrefix": "[parameters('dnsPrefix')]",
    "agentPoolProfiles": [
      {
        "name": "system",
        "osDiskSizeGB": 32,
        "count": 3,
        "minCount": 3,
        "maxCount": 10,
        "enableAutoScaling": true,
        "maxPods": 50,
        "vmSize": "Standard_D2s_v3",
        "osType": "Linux",
        "type": "VirtualMachineScaleSets",
        "vnetSubnetID": "[variables('clusterSubnetId')]",
        "mode": "System",
        "osDiskType": "Ephemeral",
        "scaleSetPriority": "Regular"
      }
    ],
    "aadProfile": {
      "managed": true,
      "enableAzureRBAC": true,
      "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
      "tenantID": "[subscription().tenantId]"
    },
    "networkProfile": {
      "networkPlugin": "azure",
      "networkPolicy": "azure",
      "loadBalancerSku": "Standard",
      "serviceCidr": "192.168.0.0/16",
      "dnsServiceIP": "192.168.0.4",
      "dockerBridgeCidr": "172.17.0.1/16"
    },
    "autoUpgradeProfile": {
      "upgradeChannel": "stable"
    },
    "addonProfiles": {
      "azurepolicy": {
        "enabled": true,
        "config": {
          "version": "v2"
        }
      },
      "omsagent": {
        "enabled": true,
        "config": {
          "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
        }
      },
      "kubeDashboard": {
        "enabled": false
      }
    }
  }
}
```
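The following is an added example, not part of this rule page or PSRule's own implementation: a small offline check that walks an ARM template (including nested child resources) and reports every Microsoft.ContainerService/managedClusters resource whose properties.aadProfile.enableAzureRBAC is not true. It also requires properties.aadProfile.managed to be true, because Azure RBAC for Kubernetes authorization is only available with AKS-managed Azure AD integration. The sample template embedded at the bottom is constructed for the demonstration; the function and cluster names are assumptions.

```python
"""Offline check: which AKS clusters in an ARM template do not enable
Azure RBAC for Kubernetes authorization?

Added example for this rule page; not PSRule's implementation. It reads the
same property the rule documents (properties.aadProfile.enableAzureRBAC).
"""
import json
import sys

AKS_TYPE = "Microsoft.ContainerService/managedClusters"


def iter_resources(resources):
    """Yield every resource in an ARM template, descending into nested
    child resources declared under a resource's own "resources" array."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))


def check_azure_rbac(resource):
    """Return the reasons this managedClusters resource fails the rule.
    An empty list means the resource passes."""
    reasons = []
    props = resource.get("properties") or {}
    aad = props.get("aadProfile") or {}
    # Azure RBAC for Kubernetes authorization requires AKS-managed Azure AD
    # integration, so a cluster without managed AAD cannot pass.
    if aad.get("managed") is not True:
        reasons.append("properties.aadProfile.managed is not true")
    if aad.get("enableAzureRBAC") is not True:
        reasons.append("properties.aadProfile.enableAzureRBAC is not true")
    return reasons


def evaluate_template(template):
    """Map each managedClusters resource name to its list of failure reasons.
    Resource type comparison is case-insensitive, as ARM treats it."""
    results = {}
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != AKS_TYPE.lower():
            continue
        results[res.get("name", "<unnamed>")] = check_azure_rbac(res)
    return results


# Constructed sample template (hypothetical names): one compliant cluster,
# one that omits enableAzureRBAC, and one nested inside a deployment wrapper.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            "type": AKS_TYPE,
            "name": "aks-compliant",
            "properties": {
                "enableRBAC": True,
                "aadProfile": {"managed": True, "enableAzureRBAC": True},
            },
        },
        {
            "type": AKS_TYPE,
            "name": "aks-noncompliant",
            "properties": {
                "enableRBAC": True,
                "aadProfile": {"managed": True},
            },
        },
        {
            "type": "Microsoft.Resources/deployments",
            "name": "wrapper",
            "resources": [
                {
                    "type": "microsoft.containerservice/managedclusters",
                    "name": "aks-nested-legacy-aad",
                    "properties": {"aadProfile": {"managed": False}},
                }
            ],
        },
    ]
}


def main(argv):
    """Evaluate a template file given on the command line, or the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    results = evaluate_template(template)
    for name, reasons in results.items():
        status = "PASS" if not reasons else "FAIL: " + "; ".join(reasons)
        print(f"{name}: {status}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a template path (`python check_aks_rbac.py azuredeploy.json`) to get a non-zero exit status when any cluster fails, which makes it usable as a pre-deployment gate alongside PSRule.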
Configure with Azure CLI
Links
- Authorization with Azure AD
- Use Azure RBAC for Kubernetes Authorization
- Access and identity options for Azure Kubernetes Service (AKS)
- Azure deployment reference
Last update: 2022-12-03