Disable AKS local accounts
Security · Azure Kubernetes Service · Preview · 2021_06
Enforce named user accounts with RBAC assigned permissions.
Description
AKS clusters support Role-based Access Control (RBAC). RBAC allows users, groups, and service accounts to be granted access to resources on an as-needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies.
Additionally, some cluster local account credentials are enabled by default. When enabled, an identity with permissions can perform cluster actions using local account credentials. If local account credentials are used, Kubernetes auditing logs the local account instead of the named account, so the audit trail no longer identifies who acted.
In an AKS cluster with local accounts disabled, an administrator will be unable to get the clusterAdmin credential. For example, running `az aks get-credentials -g '<resource-group>' -n '<cluster-name>' --admin` will fail.
Recommendation
Consider enforcing usage of named accounts by disabling local Kubernetes account credentials.
Examples
Configure with Azure template
To deploy AKS clusters that pass this rule:
- Set `properties.disableLocalAccounts` to `true`.
For example:
```json
{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2021-10-01",
  "name": "[parameters('clusterName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
    }
  },
  "properties": {
    "kubernetesVersion": "[parameters('kubernetesVersion')]",
    "disableLocalAccounts": true,
    "enableRBAC": true,
    "dnsPrefix": "[parameters('dnsPrefix')]",
    "agentPoolProfiles": "[variables('allPools')]",
    "aadProfile": {
      "managed": true,
      "enableAzureRBAC": true,
      "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
      "tenantID": "[subscription().tenantId]"
    },
    "networkProfile": {
      "networkPlugin": "azure",
      "networkPolicy": "azure",
      "loadBalancerSku": "standard",
      "serviceCidr": "[variables('serviceCidr')]",
      "dnsServiceIP": "[variables('dnsServiceIP')]",
      "dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
    },
    "autoUpgradeProfile": {
      "upgradeChannel": "stable"
    },
    "addonProfiles": {
      "httpApplicationRouting": {
        "enabled": false
      },
      "azurepolicy": {
        "enabled": true,
        "config": {
          "version": "v2"
        }
      },
      "omsagent": {
        "enabled": true,
        "config": {
          "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
        }
      },
      "kubeDashboard": {
        "enabled": false
      },
      "azureKeyvaultSecretsProvider": {
        "enabled": true,
        "config": {
          "enableSecretRotation": "true"
        }
      }
    },
    "podIdentityProfile": {
      "enabled": true
    }
  },
  "tags": "[parameters('tags')]",
  "dependsOn": [
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
  ]
}
```
Configure with Bicep
To deploy AKS clusters that pass this rule:
- Set `properties.disableLocalAccounts` to `true`.
For example:
```bicep
resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
  location: location
  name: clusterName
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    kubernetesVersion: kubernetesVersion
    disableLocalAccounts: true
    enableRBAC: true
    dnsPrefix: dnsPrefix
    agentPoolProfiles: allPools
    aadProfile: {
      managed: true
      enableAzureRBAC: true
      adminGroupObjectIDs: clusterAdmins
      tenantID: subscription().tenantId
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPolicy: 'azure'
      loadBalancerSku: 'standard'
      serviceCidr: serviceCidr
      dnsServiceIP: dnsServiceIP
      dockerBridgeCidr: dockerBridgeCidr
    }
    autoUpgradeProfile: {
      upgradeChannel: 'stable'
    }
    addonProfiles: {
      httpApplicationRouting: {
        enabled: false
      }
      azurepolicy: {
        enabled: true
        config: {
          version: 'v2'
        }
      }
      omsagent: {
        enabled: true
        config: {
          logAnalyticsWorkspaceResourceID: workspaceId
        }
      }
      kubeDashboard: {
        enabled: false
      }
      azureKeyvaultSecretsProvider: {
        enabled: true
        config: {
          enableSecretRotation: 'true'
        }
      }
    }
    podIdentityProfile: {
      enabled: true
    }
  }
  tags: tags
}
```
Configure with Azure CLI
To disable local accounts on an existing cluster, Azure AD integration must be enabled at the same time so that a named admin group keeps cluster access:
```bash
az aks update -n '<name>' -g '<resource_group>' --enable-aad --aad-admin-group-object-ids '<aad-group-id>' --disable-local-accounts
```
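As an added example (not part of this rule's documentation or PSRule's own code), a small Python check that evaluates `managedClusters` resources in an ARM template against this rule: a missing `disableLocalAccounts` fails (local accounts stay enabled by default), a string `"true"` is rejected because the property is a boolean, and a cluster that disables local accounts without managed Azure AD integration and RBAC is also flagged, since that would leave no identity able to administer it. The template contents and resource names are constructed.

```python
import json

# Constructed sample template (not the page's own): one compliant cluster,
# one that never sets the property, plus a non-cluster resource to skip.
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [
    {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-good",
     "properties": {"disableLocalAccounts": true, "enableRBAC": true,
                    "aadProfile": {"managed": true, "enableAzureRBAC": true}}},
    {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-bad",
     "properties": {"enableRBAC": true}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "notacluster", "properties": {}}
  ]
}""")

CLUSTER_TYPE = "microsoft.containerservice/managedclusters"

def local_accounts_disabled(resource):
    """True only when disableLocalAccounts is the JSON boolean true.
    A missing property keeps local accounts enabled (the AKS default) and a
    string "true" is rejected because the ARM property is a boolean."""
    props = resource.get("properties") or {}
    return props.get("disableLocalAccounts") is True

def aad_integration_ready(resource):
    """Disabling local accounts is only safe with managed Azure AD integration
    and RBAC, otherwise no identity is left that can administer the cluster."""
    props = resource.get("properties") or {}
    aad = props.get("aadProfile") or {}
    return props.get("enableRBAC") is True and aad.get("managed") is True

def evaluate_template(template):
    """Report (name, status, reason) for every managedClusters resource."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != CLUSTER_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        if not local_accounts_disabled(res):
            findings.append((name, "fail", "properties.disableLocalAccounts is not true"))
        elif not aad_integration_ready(res):
            findings.append((name, "fail", "local accounts disabled without managed AAD + RBAC"))
        else:
            findings.append((name, "pass", "named Azure AD accounts enforced"))
    return findings

if __name__ == "__main__":
    for name, status, reason in evaluate_template(SAMPLE_TEMPLATE):
        print(f"{name}: {status} ({reason})")
```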
Notes
This Azure feature is currently in preview. To use this feature you must first opt in by registering the feature on a per-subscription basis.
Links
- Authorization with Azure AD
- Security design principles
- Disable local accounts (preview)
- Access and identity options for Azure Kubernetes Service (AKS)
- Azure deployment reference