Disable AKS local accounts#
Security · Azure Kubernetes Service · Rule · 2023_09
Enforce named user accounts with RBAC assigned permissions.
Description#
AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies.
When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled.
These local accounts such as clusterAdmin and clusterUser are shared accounts that are not tied to an identity.
If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions.
In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential.
For example, using az aks get-credentials -g '<resource-group>' -n '<cluster-name>' --admin will fail.
Recommendation#
Consider enforcing usage of named accounts by disabling local Kubernetes account credentials. Also consider enforcing this setting using Azure Policy.
Examples#
Configure with Azure template#
To deploy AKS clusters that pass this rule:
- Set the
properties.disableLocalAccountsproperty totrue.
For example:
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-07-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"disableLocalAccounts": true,
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": [
{
"name": "system",
"osDiskSizeGB": 0,
"minCount": 3,
"maxCount": 5,
"enableAutoScaling": true,
"maxPods": 50,
"vmSize": "Standard_D4s_v5",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "System",
"osDiskType": "Ephemeral"
},
{
"name": "user",
"osDiskSizeGB": 0,
"minCount": 3,
"maxCount": 20,
"enableAutoScaling": true,
"maxPods": 50,
"vmSize": "Standard_D4s_v5",
"type": "VirtualMachineScaleSets",
"vnetSubnetID": "[parameters('clusterSubnetId')]",
"mode": "User",
"osDiskType": "Ephemeral"
}
],
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"oidcIssuerProfile": {
"enabled": true
},
"addonProfiles": {
"azurepolicy": {
"enabled": true
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
}
},
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
]
}
Configure with Bicep#
To deploy AKS clusters that pass this rule:
- Set the
properties.disableLocalAccountsproperty totrue.
For example:
resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-07-01' = {
location: location
name: name
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
disableLocalAccounts: true
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: [
{
name: 'system'
osDiskSizeGB: 0
minCount: 3
maxCount: 5
enableAutoScaling: true
maxPods: 50
vmSize: 'Standard_D4s_v5'
type: 'VirtualMachineScaleSets'
vnetSubnetID: clusterSubnetId
mode: 'System'
osDiskType: 'Ephemeral'
}
{
name: 'user'
osDiskSizeGB: 0
minCount: 3
maxCount: 20
enableAutoScaling: true
maxPods: 50
vmSize: 'Standard_D4s_v5'
type: 'VirtualMachineScaleSets'
vnetSubnetID: clusterSubnetId
mode: 'User'
osDiskType: 'Ephemeral'
}
]
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
oidcIssuerProfile: {
enabled: true
}
addonProfiles: {
azurepolicy: {
enabled: true
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
}
}
Configure with Azure CLI#
az aks update -n '<name>' -g '<resource_group>' --enable-aad --aad-admin-group-object-ids '<aad-group-id>' --disable-local
Configure with Azure Policy#
To address this issue at runtime use the following policies:
Links#
- Authorization with Azure AD
- Security design principles
- Manage local accounts with AKS-managed Azure Active Directory integration
- Access and identity options for Azure Kubernetes Service (AKS)
- Azure Policy built-in definitions for Azure Kubernetes Service
- IM-1: Use centralized identity and authentication system
- PA-1: Separate and limit highly privileged/administrative users
- Azure deployment reference