
RBAC within Azure Kubernetes Services is enabled


Set up the azure.kubernetes integration.


Ensure that RBAC is enabled on all Azure Kubernetes Services instances.


Azure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.


Note: This setting cannot be changed after AKS deployment; changing it requires recreating the cluster.


If RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because users who need access to your Kubernetes resources in AKS are granted more permissions than they need.
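An added example, not part of this rule's own implementation: a Python audit of `az aks list -o json` output that flags every cluster whose `enableRbac` field is not `true`. The embedded JSON is constructed sample data, and the extra "warn" tier for a missing `aadProfile` is an assumption of this example, not something the rule checks.

```python
import json
import subprocess
import sys

# Constructed sample shaped like `az aks list -o json` output (not real clusters).
SAMPLE = """
[
  {"name": "aks-prod", "resourceGroup": "rg-prod", "enableRbac": true,
   "aadProfile": {"managed": true}},
  {"name": "aks-legacy", "resourceGroup": "rg-old", "enableRbac": false,
   "aadProfile": null},
  {"name": "aks-dev", "resourceGroup": "rg-dev", "enableRbac": true,
   "aadProfile": null},
  {"name": "aks-unknown", "resourceGroup": "rg-misc"}
]
"""


def audit_clusters(clusters):
    """Return one (cluster, status, reason) tuple per cluster."""
    findings = []
    for c in clusters:
        ident = f"{c.get('resourceGroup', '?')}/{c.get('name', '?')}"
        if c.get("enableRbac") is not True:
            # Missing and false both fail: an absent field is not evidence of compliance.
            findings.append((ident, "fail", "Kubernetes RBAC not enabled; fixing this requires recreating the cluster"))
        elif not c.get("aadProfile"):
            # Assumption of this example: RBAC without Azure AD integration is worth a warning.
            findings.append((ident, "warn", "RBAC enabled but no Azure AD integration profile"))
        else:
            findings.append((ident, "pass", "RBAC enabled with Azure AD integration"))
    return findings


def load_clusters(use_cli=False):
    """Read live data with the Azure CLI, or fall back to the constructed sample."""
    if use_cli:
        out = subprocess.run(["az", "aks", "list", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        return json.loads(out)
    return json.loads(SAMPLE)


if __name__ == "__main__":
    results = audit_clusters(load_clusters(use_cli="--live" in sys.argv))
    for ident, status, reason in results:
        print(f"{status.upper():5} {ident}: {reason}")
    sys.exit(1 if any(s == "fail" for _, s, _ in results) else 0)
```

Run with `--live` (a flag defined by this example) to query the subscription the Azure CLI is currently logged in to; the non-zero exit code on any failure makes it usable as a pipeline gate.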


  1. https://docs.microsoft.com/en-us/azure/aks/aad-integration
  2. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
  3. https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list
  4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle

CIS Controls

Version 7

4 Controlled Use of Administrative Privileges

14 Controlled Access Based on the Need to Know

9 AppService: This section covers security recommendations for Azure AppService