Azure AKS Enable Role-based Access Control (RBAC) Not Enforced

To provide granular filtering of the actions that users can perform, Kubernetes uses role-based access controls (RBAC). This control mechanism lets you assign users, or groups of users, permission to do things like create or modify resources, or view logs from running application workloads. These permissions can be scoped to a single namespace, or granted across the entire AKS cluster. This policy checks your AKS cluster RBAC setting and alerts if disabled.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform

Build Rules

Azure AKS enable role-based access control (RBAC) not enforced.
JSON Query:
$.resource.*.azurerm_kubernetes_cluster[*].*[*].role_based_access_control anyNull or $.resource.*.azurerm_kubernetes_cluster[*].*[*].role_based_access_control[*].enabled anyFalse
Recommendation:
Recommended solution for enforcing role-based access control (RBAC).
It is recommended to have role-based access control (RBAC) enforced. Make sure the "role_based_access_control" block in your template has "enabled" set to true.
For example:
"azurerm_kubernetes_cluster": [
  {
    "<kubernetes_cluster_name>": [
      {
        "default_node_pool": [
          {
            "name": "default",
            "node_count": 1,
            "vm_size": "Standard_D2_v2"
          }
        ],
        "dns_prefix": "exampleaks1",
        "name": "example-aks1",
        "role_based_access_control": [
          {
            "enabled": true
          }
        ]
      }
    ]
  }
]
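To make the build rule concrete, the following added example (not part of the Prisma Cloud policy, and not the product's own query engine) re-implements the JSON query above in Python. It walks the normalized template layout shown on this page (a `resource` list, then resource type, then cluster name, then cluster bodies, each level a list) and flags a cluster when the `role_based_access_control` block is absent (the `anyNull` branch) or any such block has `enabled` set to false (the `anyFalse` branch). The three cluster names and bodies in `SAMPLE_TEMPLATE` are constructed sample data.

```python
import json

# Constructed sample template in the normalized layout used by the build rule:
# three AKS clusters, one with no RBAC block, one with RBAC disabled, one compliant.
SAMPLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "azurerm_kubernetes_cluster": [
        {
          "aks-no-rbac-block": [
            {
              "name": "aks-no-rbac-block",
              "dns_prefix": "norbac",
              "default_node_pool": [{"name": "default", "node_count": 1, "vm_size": "Standard_D2_v2"}]
            }
          ]
        },
        {
          "aks-rbac-disabled": [
            {
              "name": "aks-rbac-disabled",
              "dns_prefix": "rbacoff",
              "default_node_pool": [{"name": "default", "node_count": 1, "vm_size": "Standard_D2_v2"}],
              "role_based_access_control": [{"enabled": false}]
            }
          ]
        },
        {
          "aks-rbac-enabled": [
            {
              "name": "aks-rbac-enabled",
              "dns_prefix": "rbacon",
              "default_node_pool": [{"name": "default", "node_count": 1, "vm_size": "Standard_D2_v2"}],
              "role_based_access_control": [{"enabled": true}]
            }
          ]
        }
      ]
    }
  ]
}
""")


def iter_aks_clusters(template):
    """Walk $.resource.*.azurerm_kubernetes_cluster[*].*[*] and yield (name, body) pairs."""
    for resource_group in template.get("resource", []):
        for type_name, instances in resource_group.items():
            if type_name != "azurerm_kubernetes_cluster":
                continue
            for instance in instances:
                for cluster_name, bodies in instance.items():
                    for body in bodies:
                        yield cluster_name, body


def rbac_not_enforced(body):
    """True when the policy's query would match this cluster body.

    anyNull:  the role_based_access_control block is missing or empty.
    anyFalse: at least one role_based_access_control block has enabled == false.
    """
    rbac_blocks = body.get("role_based_access_control")
    if not rbac_blocks:
        return True
    return any(block.get("enabled") is False for block in rbac_blocks)


def find_violations(template):
    """Return the names of AKS clusters that fail the check, in template order."""
    return [name for name, body in iter_aks_clusters(template) if rbac_not_enforced(body)]


if __name__ == "__main__":
    for cluster in find_violations(SAMPLE_TEMPLATE):
        print(f"VIOLATION: azurerm_kubernetes_cluster.{cluster}: RBAC not enforced")
```

Running the script reports the first two constructed clusters and stays silent on the third. Note that the check only inspects the `role_based_access_control` block as written; a template that omits the block entirely is treated as a finding rather than relying on a provider default, which is the conservative reading the `anyNull` branch of the query encodes.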

Run Rule Recommendation

Create a new AKS cluster with RBAC enabled.
  1. Sign in to the Azure portal.
  2. In the top left-hand corner of the Azure portal, select + Create a resource > Containers > Kubernetes Service.
  3. On the Basics page, configure the following options:
    - Project details
    - Cluster details
    - Primary node pool
  4. Select Next: Scale.
  5. Fill in your scaling requirements, then at the bottom of the screen, click Next: Authentication.
  6. Enable the option for Kubernetes role-based access controls (RBAC).
  7. Click Review + create and then Create when validation completes.

Compliance

There are 4 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • PIPEDA
  • CIS v1.1 (Azure)
  • CCPA 2018
