Ensure RBAC is enabled on AKS clusters
Using Kubernetes role-based access control (RBAC), you can grant users, groups, and service accounts access to only the resources they need. With RBAC disabled the API server performs no per-identity authorization: any principal that can authenticate, including a workload presenting the service account token mounted into its pod, has unrestricted control of the cluster.
Impact
A cluster without RBAC has no way to scope permissions, so every credential that reaches the API server is effectively cluster-admin. A leaked kubeconfig or a compromised pod then becomes a full-cluster compromise rather than a contained one, and least privilege for operators, CI pipelines, and workloads cannot be enforced.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable RBAC
Set the argument that matches your azurerm provider version. In both schemas, changing the RBAC setting forces replacement of the cluster, so enable it when the cluster is created rather than planning to toggle it later.

```hcl
// azurerm < 2.99.0: RBAC is configured through a nested block
resource "azurerm_kubernetes_cluster" "good_example" {
  role_based_access_control {
    enabled = true
  }
}
```
```hcl
// azurerm >= 2.99.0: the block was replaced by a single boolean attribute
resource "azurerm_kubernetes_cluster" "good_example" {
  role_based_access_control_enabled = true
}
```
To authorize Microsoft Entra ID users and groups through Azure role assignments as well, enable the managed Entra ID integration on top of Kubernetes RBAC (azurerm >= 2.99.0). Azure RBAC layers on Kubernetes RBAC and does not replace it; the provider rejects `azure_rbac_enabled` unless Kubernetes RBAC is on. The `managed` argument is required alongside `azure_rbac_enabled` in azurerm 3.x and was removed in 4.x, where the managed integration is the only form. Members of `admin_group_object_ids` receive cluster-admin, so keep that group small and reviewed. The group display name below is a placeholder.

```hcl
// Managed Entra ID integration with Azure RBAC (azurerm >= 2.99.0).
// Kubernetes RBAC is set explicitly rather than relying on the provider default.
resource "azurerm_kubernetes_cluster" "aks_cluster" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  role_based_access_control_enabled = true

  azure_active_directory_role_based_access_control {
    managed                = true
    azure_rbac_enabled     = true
    admin_group_object_ids = [data.azuread_group.aks_admins.object_id]
  }
}

// Entra ID group whose members become cluster admins (display name is a placeholder)
data "azuread_group" "aks_admins" {
  display_name = "aks-admins"
}
```
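To apply this rule mechanically across both provider schemas before `terraform apply`, the following Python script reads `terraform show -json` plan output and reports every `azurerm_kubernetes_cluster` whose Kubernetes RBAC is not explicitly enabled, along with whether Azure RBAC is on. It is an added example, not code from the original page or from any scanner; the embedded plan is constructed, and the choice to fail closed on a missing value is a design decision of this example.

```python
"""Flag AKS clusters in a `terraform show -json` plan that lack Kubernetes RBAC."""
import json
from typing import Iterator

AKS_TYPE = "azurerm_kubernetes_cluster"


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource under a planned_values module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def kubernetes_rbac_enabled(values: dict) -> bool:
    """True only when the plan shows Kubernetes RBAC explicitly on.

    Accepts either provider schema. A missing or unknown value fails closed:
    a scanner must not pass a cluster whose RBAC state it cannot read.
    """
    if "role_based_access_control_enabled" in values:  # azurerm >= 2.99.0
        return values["role_based_access_control_enabled"] is True
    # azurerm < 2.99.0: the nested block appears in plan JSON as a list of objects
    blocks = values.get("role_based_access_control") or []
    return bool(blocks) and blocks[0].get("enabled") is True


def azure_rbac_enabled(values: dict) -> bool:
    """True when Azure RBAC through the managed Entra ID integration is also on."""
    blocks = values.get("azure_active_directory_role_based_access_control") or []
    return bool(blocks) and blocks[0].get("azure_rbac_enabled") is True


def check_plan(plan_json: str) -> list[dict]:
    """Return one finding per AKS cluster in the plan."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != AKS_TYPE:
            continue
        values = res.get("values") or {}
        findings.append({
            "address": res["address"],
            "kubernetes_rbac": kubernetes_rbac_enabled(values),
            "azure_rbac": azure_rbac_enabled(values),
        })
    return findings


def failing_clusters(plan_json: str) -> list[str]:
    """Addresses that violate the rule (Kubernetes RBAC not enabled)."""
    return [f["address"] for f in check_plan(plan_json) if not f["kubernetes_rbac"]]


# Constructed sample plan (not real Terraform output): one compliant cluster, one
# legacy-schema cluster with RBAC explicitly off, and one in a child module with
# no RBAC setting visible at all.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "azurerm_kubernetes_cluster.good", "type": AKS_TYPE,
             "values": {"name": "example-aks1",
                        "role_based_access_control_enabled": True,
                        "azure_active_directory_role_based_access_control": [
                            {"managed": True, "azure_rbac_enabled": True}]}},
            {"address": "azurerm_kubernetes_cluster.legacy", "type": AKS_TYPE,
             "values": {"name": "legacy-aks",
                        "role_based_access_control": [{"enabled": False}]}},
        ],
        "child_modules": [{"address": "module.team_a", "resources": [
            {"address": "module.team_a.azurerm_kubernetes_cluster.unset", "type": AKS_TYPE,
             "values": {"name": "team-a-aks"}}]}],
    }},
})

if __name__ == "__main__":
    for f in check_plan(SAMPLE_PLAN):
        status = "PASS" if f["kubernetes_rbac"] else "FAIL"
        print(f"{status} {f['address']} azure_rbac={f['azure_rbac']}")
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan | python check_aks_rbac.py` after swapping `SAMPLE_PLAN` for `sys.stdin.read()`. Because `planned_values` omits values that are unknown until apply, a cluster whose RBAC flag is computed from a variable the plan cannot resolve is reported as failing rather than silently passed.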
Links