Ensure RBAC is enabled on AKS clusters
Using Kubernetes role-based access control (RBAC), you can grant users, groups, and service accounts access to only the resources they need.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable RBAC
resource "azurerm_kubernetes_cluster" "good_example" {
  # Kubernetes RBAC must be on so that users, groups and service accounts
  # can only reach the resources they have been granted. The two forms
  # below are alternatives: use the one that matches the azurerm provider
  # version pinned in your configuration, not both in the same resource.
  // azurerm < 2.99.0
  role_based_access_control {
    enabled = true
  }
  // azurerm >= 2.99.0
  role_based_access_control_enabled = true
}
resource "azurerm_kubernetes_cluster" "aks_cluster" {
  name                = var.name
  location            = var.location
  resource_group_name = var.resource_group_name
  dns_prefix          = var.name
  kubernetes_version  = var.cluster_version

  # Limit which source ranges may reach the API server, and enforce
  # Azure Policy on the cluster.
  api_server_authorized_ip_ranges = var.ip_whitelist
  azure_policy_enabled            = true

  # The cluster runs under a system-assigned managed identity.
  identity {
    type = "SystemAssigned"
  }

  # Azure AD integration with Azure RBAC for Kubernetes authorization; the
  # referenced Azure AD group is the one granted cluster administration.
  # NOTE(review): Kubernetes RBAC is not set explicitly here, so the example
  # relies on the provider default for role_based_access_control_enabled —
  # confirm it is true for the pinned azurerm version.
  azure_active_directory_role_based_access_control {
    managed                = true
    azure_rbac_enabled     = true
    admin_group_object_ids = [data.azuread_group.aks_admins.object_id]
  }

  # Azure CNI with the Azure network policy engine selected.
  network_profile {
    network_plugin = "azure"
    network_policy = "azure"
  }

  default_node_pool {
    name                = "default"
    vm_size             = var.vm_size
    vnet_subnet_id      = var.vnet_subnet_id
    enable_auto_scaling = true
    min_count           = var.node_min_count
    max_count           = var.node_max_count
    max_pods            = var.pod_max_count # left unset, the pool allows only 30 pods
    os_disk_size_gb     = 250               # the default is 30GB
  }
}
Links