HIGH
Source
Trivy
ID
AVD-AZU-0042

Ensure RBAC is enabled on AKS clusters

Using Kubernetes role-based access control (RBAC), you can grant users, groups, and service accounts access to only the resources they need.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Enable RBAC

1
2
3
4
5
6
7
8
9
resource "azurerm_kubernetes_cluster" "good_example" {
  // azurerm < 2.99.0
  role_based_access_control {
    enabled = true
  }

  // azurerm >= 2.99.0
  role_based_access_control_enabled = true
}
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
resource "azurerm_kubernetes_cluster" "aks_cluster" {
  name                            = var.name
  location                        = var.location
  resource_group_name             = var.resource_group_name
  dns_prefix                      = var.name
  kubernetes_version              = var.cluster_version
  api_server_authorized_ip_ranges = var.ip_whitelist
  azure_policy_enabled            = true
  default_node_pool {
    name                = "default"
    enable_auto_scaling = true
    min_count           = var.node_min_count
    max_count           = var.node_max_count
    max_pods            = var.pod_max_count # If you don't specify only allows 30 pods
    vm_size             = var.vm_size
    os_disk_size_gb     = 250 # default 30GB
    vnet_subnet_id      = var.vnet_subnet_id
  }

  network_profile {
    network_plugin = "azure"
    network_policy = "azure"
  }

  identity {
    type = "SystemAssigned"
  }

  azure_active_directory_role_based_access_control {
    managed                = true
    azure_rbac_enabled     = true
    admin_group_object_ids = [data.azuread_group.aks_admins.object_id]
  }

}