RBAC should be enabled on all Azure Kubernetes Services instances

azure.kubernetes

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0

Description

Ensure that RBAC is enabled on all Azure Kubernetes Services instances.

Rationale

Azure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.

Remediation

Note: This setting cannot be changed after AKS deployment, your cluster will require recreation.

Impact

If RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.

References

  1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list
  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle

CIS Controls

Version 7

4 Controlled Use of Administrative Privileges

14 Controlled Access Based on the Need to Know

9 AppService: This section covers security recommendations for Azure AppService