More Info:

Ensure that RBAC is enabled on all Azure Kubernetes Services Instances

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP, HITRUST, SOC2

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of enabling Role-Based Access Control (RBAC) within Azure Kubernetes Services, you can follow the below steps using the Azure console:
  1. Open the Azure Portal and navigate to the Azure Kubernetes Service (AKS) cluster that needs to be remediated.
  2. Click on the “Access Control (IAM)” option from the left-hand menu.
  3. Click on the “Add” button and select “Add role assignment” from the dropdown menu.
  4. In the “Add role assignment” blade, select the desired role from the “Role” dropdown menu. For example, “Owner”, “Contributor” or “Reader”.
  5. In the “Select” box, search for the user or group that needs to be assigned the role.
  6. Click on the “Save” button to assign the role to the selected user or group.
  7. Repeat steps 4 to 6 to assign roles to other users or groups as needed.
  8. Once all the roles have been assigned, click on the “Save” button to save the changes.
By following these steps, you will be able to enable Role-Based Access Control (RBAC) within Azure Kubernetes Services and remediate the misconfiguration.

To enable Role-Based Access Control (RBAC) within Azure Kubernetes Services (AKS) using AZURE CLI, please follow the below steps:Step 1: Open the Azure CLI and login to your Azure account using the command:
az login
Step 2: Once you are logged in, set the subscription that contains the AKS cluster using the command:
az account set --subscription <subscription-id>
Step 3: After setting the subscription, enable RBAC on the AKS cluster using the following command:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --enable-rbac
Step 4: Verify that RBAC is enabled on the AKS cluster using the following command:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "servicePrincipalProfile.role"
If the output of the above command is “Contributor”, it means that RBAC is enabled on the AKS cluster.By following the above steps, you can enable Role-Based Access Control (RBAC) within Azure Kubernetes Services (AKS) using AZURE CLI.
To enable Role-Based Access Control (RBAC) within Azure Kubernetes Services using python, you can follow the below steps:
  1. Import the required libraries and authenticate to Azure using the Azure Identity library.
from azure.identity import DefaultAzureCredential
from azure.mgmt.containerservice import ContainerServiceClient
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.mgmt.authorization.models import RoleAssignmentCreateParameters

credential = DefaultAzureCredential()
container_service_client = ContainerServiceClient(credential, subscription_id)
authorization_client = AuthorizationManagementClient(credential, subscription_id)
  1. Get the resource group and AKS cluster details.
resource_group_name = "<resource-group-name>"
cluster_name = "<aks-cluster-name>"

cluster = container_service_client.managed_clusters.get(resource_group_name, cluster_name)
  1. Create a role assignment for the AKS cluster.
role_definition_id = "/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/{}".format(subscription_id, "b24988ac-6180-42a0-ab88-20f7382dd24c") # Contributor Role ID
principal_id = "<principal-id>" # Principal ID of the user or group to whom the role is assigned

role_assignment_parameters = RoleAssignmentCreateParameters(role_definition_id=role_definition_id, principal_id=principal_id)

result = authorization_client.role_assignments.create(resource_group_name, role_assignment_name, role_assignment_parameters)
Note: In the above code, replace the values of <resource-group-name>, <aks-cluster-name>, <principal-id> with the actual values.
  1. Verify the role assignment by listing all the role assignments for the resource group.
role_assignments = authorization_client.role_assignments.list_for_resource_group(resource_group_name)

for role_assignment in role_assignments:
    print(role_assignment.name)
This will list all the role assignments for the resource group. You can verify that the role assignment created in step 3 is present in the list.By following the above steps, you can enable Role-Based Access Control (RBAC) within Azure Kubernetes Services using python.

Additional Reading: