Azure-KubernetesService-Kubernetes-RBAC-Enabled

Severity: Medium

Description: Azure Kubernetes Services has the capability to integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. This should be utilized to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls not just of the overarching AKS instance but also the individual resources managed within Kubernetes.
If RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished presenting more permissions than needed to users requiring access to Kubernetes resources in AKS.
By default, RBAC is enabled.
Note: Kubernetes Service is not supported in Gov Cloud, So this control will not evaluate for Gov Cloud Subscriptions.

Create a new AKS cluster with RBAC enabled.

Remediation Steps:

Perform following to update parameters:

  1. Sign in to the Azure portal using https://portal.azure.com.

  2. Go to Kubernetes Service.

  3. On the Basics page, configure the following options:

    1. Project details

    2. Cluster details

    3. Primary node pool

  4. Select Scale.

  5. Fill in your scaling requirements, then at the bottom of the screen, click Authentication.

  6. Enable the option for Kubernetes role-based access controls (RBAC).

  7. Click Review + create and then Create when validation completes.

Blue Hexagon Proprietary