RBAC should be enabled on all Azure Kubernetes Services instances
Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0
Description
Ensure that RBAC is enabled on all Azure Kubernetes Services instances.
Rationale
Azure Kubernetes Services can integrate Azure Active Directory users and groups into the Kubernetes RBAC controls enforced by the AKS Kubernetes API Server. Use this integration to grant granular access to Kubernetes resources within RBAC-enabled AKS clusters, both to the overarching AKS instance and to the individual resources managed within Kubernetes.
Note: This setting cannot be changed after AKS deployment; a cluster created without RBAC must be recreated.
Impact
If RBAC is not enabled, permissions on Kubernetes resources cannot be granted at fine granularity, so users who require access to your Kubernetes resources in AKS are given more permissions than they need.
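The audit for this control is a query over the cluster list; the following script is an added example, not part of the CIS page or the Azure CLI project. It parses the JSON that `az aks list -o json` returns, treats only an explicit `enableRbac: true` as compliant (a missing key is reported as a finding, since the setting cannot be fixed in place), and can optionally shell out to a locally installed `az`. The cluster names, resource groups and the exact JSON shape below are constructed sample data.

```python
"""Audit AKS clusters for the Kubernetes RBAC setting.

Added example, not code from the CIS benchmark or the Azure CLI. It assumes the
`az aks list -o json` output shape, where each cluster object carries a top-level
boolean `enableRbac`. Everything in SAMPLE_AZ_AKS_LIST is constructed.
"""
import json
import shutil
import subprocess

# Constructed sample in the shape of `az aks list -o json` output (not real clusters).
SAMPLE_AZ_AKS_LIST = json.dumps([
    {"name": "aks-prod-eastus", "resourceGroup": "rg-prod", "enableRbac": True},
    {"name": "aks-legacy-westus", "resourceGroup": "rg-legacy", "enableRbac": False},
    {"name": "aks-dev-northeu", "resourceGroup": "rg-dev"},  # key absent: still a finding
])


def noncompliant_clusters(az_json: str) -> list:
    """Return one finding per cluster whose `enableRbac` is not exactly True.

    A missing or non-boolean value is reported rather than silently passed,
    because the control requires a positive confirmation and remediation is
    recreation of the cluster, not an in-place change.
    """
    findings = []
    for cluster in json.loads(az_json):
        if cluster.get("enableRbac") is not True:
            findings.append({
                "name": cluster.get("name", "<unnamed>"),
                "resourceGroup": cluster.get("resourceGroup", "<unknown>"),
                "enableRbac": cluster.get("enableRbac"),
                "remediation": "recreate the cluster with Kubernetes RBAC enabled",
            })
    return findings


def run_live_audit() -> list:
    """Run `az aks list -o json` if the Azure CLI is installed and audit the result."""
    if shutil.which("az") is None:
        raise RuntimeError("Azure CLI (az) not found on PATH; install it and run `az login` first")
    output = subprocess.run(
        ["az", "aks", "list", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return noncompliant_clusters(output)


if __name__ == "__main__":
    # Offline demonstration over the constructed sample; swap in run_live_audit()
    # on a workstation with a logged-in Azure CLI.
    for finding in noncompliant_clusters(SAMPLE_AZ_AKS_LIST):
        print(f"{finding['resourceGroup']}/{finding['name']}: "
              f"enableRbac={finding['enableRbac']} -> {finding['remediation']}")
```

Running the script offline prints two findings for the sample (the legacy cluster with RBAC disabled and the dev cluster with no value at all); against a real subscription, any line of output is a cluster that has to be rebuilt rather than reconfigured.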
References
- https://docs.microsoft.com/en-us/azure/aks/aad-integration
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle
CIS Controls
Version 7
4 Controlled Use of Administrative Privileges
14 Controlled Access Based on the Need to Know