When you create an Azure Kubernetes Service (AKS) cluster, even with Kubernetes Role Based Access Control (RBAC) and Azure Active Directory (Azure AD) integration enabled, anyone with the right Azure permissions can still run az aks get-credentials with the --admin switch and receive a kubeconfig that has cluster-admin rights and does not go through Azure AD at all, bypassing the extra security you have put in place. Thankfully, there are two built-in Azure RBAC roles that users and groups can be assigned to, and they let you limit who can download the Kubernetes configuration (kubeconfig) for a cluster.
Below I will show you how to assign users and groups to the RBAC roles.
A little bit about the roles
When you interact with your AKS cluster using the kubectl tool, it reads the kubeconfig file, which is typically stored in ~/.kube/config. You can have multiple clusters stored in this file: to list them all use kubectl config get-contexts, and to switch between clusters use kubectl config use-context contextname.
When you run az aks get-credentials it calls the AKS API for the cluster's access credentials and merges them into your kubeconfig file. The two roles below control who may make those credential calls at the cluster's scope:
- Azure Kubernetes Service Cluster Admin Role
  - Allows the Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action API call.
  - Downloads cluster access information for the clusterAdmin role (this is what the --admin switch uses).
- Azure Kubernetes Service Cluster User Role
  - Allows the Microsoft.ContainerService/managedClusters/listClusterUserCredential/action API call.
  - Downloads cluster access information for the clusterUser role.
Let’s get to it and assign the role
But first, let's check what happens when you use the az aks get-credentials command with the --admin switch before any of these roles are assigned:

Straight in, no issues at all.
Adding a user
The following example adds the currently signed-in user to the Azure Kubernetes Service Cluster Admin Role, scoped to a single cluster (just make sure you enter your cluster's name and resource group):
# Get the resource ID of your AKS cluster
AKS_CLUSTER=$(az aks show --resource-group robots-aks-weu --name robots-aks-weu --query id -o tsv)

# Get the Azure AD object ID of the signed-in user
# (Azure CLI 2.37 and later return the property as "id"; older releases named it "objectId")
ACCOUNT_UPN=$(az account show --query user.name -o tsv)
ACCOUNT_ID=$(az ad user show --id "$ACCOUNT_UPN" --query id -o tsv)

# Assign the 'Cluster Admin' role to the user at the scope of this cluster only
az role assignment create \
  --assignee "$ACCOUNT_ID" \
  --scope "$AKS_CLUSTER" \
  --role "Azure Kubernetes Service Cluster Admin Role"

If you would like to add a user other than the one currently signed in, set ACCOUNT_UPN to the UPN of the account you want instead of reading it from az account show; the rest of the commands stay the same.
In the image below, I have logged in with a different user and tried the az aks get-credentials --admin command and, as you can see, I do not have authorization.

Adding a group
The example below adds the Azure AD group aks-admin to the Azure Kubernetes Service Cluster Admin Role at the cluster's scope. Just change the group name to one you have:
# Get the resource ID of your AKS cluster
AKS_CLUSTER=$(az aks show --resource-group robots-aks-weu --name robots-aks-weu --query id -o tsv)

# Get the group object ID
# (Azure CLI 2.37 and later return the property as "id"; older releases named it "objectId")
GROUP="aks-admin"
GROUP_ID=$(az ad group show --group "$GROUP" --query id -o tsv)

# Assign the 'Cluster Admin' role to the group at the scope of this cluster only
az role assignment create \
  --assignee "$GROUP_ID" \
  --scope "$AKS_CLUSTER" \
  --role "Azure Kubernetes Service Cluster Admin Role"

If you want to assign the Azure Kubernetes Service Cluster User Role instead, all you need to do is change the --role value on the last line of either command to "Azure Kubernetes Service Cluster User Role". On an Azure AD-integrated cluster the user credential is a kubeconfig that signs in through Azure AD, so what its holder can then do inside the cluster is decided by the Kubernetes RBAC bindings for that Azure AD user or group, not by the Azure role.
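Assigning the two roles is only half the job; the check a practitioner wants next is "who can actually call listClusterAdminCredential on this cluster?", which has to account for assignments inherited from the resource group and subscription and for built-in roles such as Owner and Contributor whose wildcard Actions already include it. The following script is an added example, not code from the original post, that evaluates exported role assignments with Azure RBAC's matching rules (wildcard Actions minus NotActions, scope inheritance). The role definitions are trimmed to the Actions/NotActions that matter here, the assignment list is constructed to look like the fields of az role assignment list output, and the subscription ID is a placeholder.

```python
"""Audit who can download the admin or user kubeconfig for one AKS cluster.

Azure RBAC grants an action when an entry in the role's Actions matches it
('*' spans any characters, matching is case-insensitive), no entry in
NotActions matches, and the assignment's scope is the target resource or one
of its ancestors. Role definitions below are trimmed to Actions/NotActions,
the assignment list is constructed, and the subscription ID is a placeholder.
"""
import fnmatch
import json

ADMIN_CRED = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
USER_CRED = "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
RG = SUB + "/resourceGroups/robots-aks-weu"
CLUSTER_ID = RG + "/providers/Microsoft.ContainerService/managedClusters/robots-aks-weu"

# Built-in roles, trimmed: Owner/Contributor are '*' (Contributor minus the
# Microsoft.Authorization write actions), Reader is '*/read', and the two AKS
# credential roles carry the single action the post describes for each.
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Azure Kubernetes Service Cluster Admin Role": {"Actions": [ADMIN_CRED], "NotActions": []},
    "Azure Kubernetes Service Cluster User Role": {"Actions": [USER_CRED], "NotActions": []},
}

# Constructed sample carrying the fields this script uses from
# `az role assignment list --scope "$AKS_CLUSTER" --include-inherited -o json`.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "alice@contoso.com", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.com", "principalType": "User", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "carol@contoso.com", "principalType": "User", "roleDefinitionName": "Reader", "scope": CLUSTER_ID},
    {"principalName": "aks-admin", "principalType": "Group",
     "roleDefinitionName": "Azure Kubernetes Service Cluster Admin Role", "scope": CLUSTER_ID},
    {"principalName": "dave@contoso.com", "principalType": "User",
     "roleDefinitionName": "Azure Kubernetes Service Cluster User Role", "scope": CLUSTER_ID},
    # Same role on a sibling cluster in the same resource group: must not count for this cluster.
    {"principalName": "erin@contoso.com", "principalType": "User",
     "roleDefinitionName": "Azure Kubernetes Service Cluster Admin Role",
     "scope": RG + "/providers/Microsoft.ContainerService/managedClusters/robots-aks-neu"},
    # A custom role we have no definition for: surface it for review rather than silently ignore it.
    {"principalName": "frank@contoso.com", "principalType": "User",
     "roleDefinitionName": "AKS Operator (custom)", "scope": CLUSTER_ID},
])


def action_matches(pattern: str, action: str) -> bool:
    """ARM wildcard semantics: '*' matches any run of characters, including '/'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants(role_name: str, action: str) -> bool:
    """True if the role's Actions cover the action and its NotActions do not take it away."""
    defn = ROLE_DEFINITIONS[role_name]
    allowed = any(action_matches(p, action) for p in defn["Actions"])
    denied = any(action_matches(p, action) for p in defn["NotActions"])
    return allowed and not denied


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies to the target if made at the target or at an ancestor scope."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower()
    return t == a or t.startswith(a + "/")


def principals_with_action(assignments: list, target_scope: str, action: str) -> dict:
    """Map principalName -> roles through which that principal holds `action` at target_scope."""
    holders: dict = {}
    for a in assignments:
        if not scope_covers(a["scope"], target_scope):
            continue
        role = a["roleDefinitionName"]
        if role not in ROLE_DEFINITIONS:
            holders.setdefault(a["principalName"], []).append("UNKNOWN ROLE: " + role)
        elif role_grants(role, action):
            holders.setdefault(a["principalName"], []).append(role)
    return holders


def audit(assignments_json: str, cluster_id: str) -> dict:
    """Return who can fetch the admin (--admin) and the user kubeconfig for the cluster."""
    assignments = json.loads(assignments_json)
    return {
        "admin": principals_with_action(assignments, cluster_id, ADMIN_CRED),
        "user": principals_with_action(assignments, cluster_id, USER_CRED),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ASSIGNMENTS_JSON, CLUSTER_ID)
    for kind in ("admin", "user"):
        print(f"Principals able to fetch the {kind} kubeconfig for {CLUSTER_ID.rsplit('/', 1)[-1]}:")
        for name, roles in sorted(report[kind].items()):
            print(f"  {name}: via {', '.join(roles)}")
```

Run against a real export by replacing SAMPLE_ASSIGNMENTS_JSON with the file written by the az command in the comment. The point the output makes is that Owner and Contributor holders at the cluster, resource group or subscription scope appear in the admin list alongside the aks-admin group, while the Reader and the admin assignment on the sibling cluster do not; custom roles are flagged so you look up their definitions rather than trusting a name.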
All in All
This is a nice way to secure your AKS cluster further and I highly recommend that you do it. Bear in mind that the built-in Owner and Contributor roles include every Microsoft.ContainerService action through their wildcard, so anyone holding either of them at the cluster, resource group or subscription scope can still run get-credentials with --admin; review those assignments as well as the two AKS roles. And don't forget, you can do all of this via the portal too if you prefer: it's just like adding any other role assignment on a resource through its Access control (IAM) blade.
So, what are you waiting for? Go ahead and secure your AKS clusters! If you have any questions or comments, please reach out.
1 Comment
Disable local user account (-admin) in Azure Kubernetes Service - Pixel Robots. · June 18, 2021 at 10:04 am
[…] Did you know that even when you have enabled Azure AD integration with your AKS cluster, a subscription Owner and Contributor can still access your AKS cluster with the --admin switch? In fact, anyone who is a member of the Azure Kubernetes Service Cluster Admin Role (https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-kubernetes-service-cluster-admin-role) can. You were able to use Kubernetes RBAC (Role Based Access Control) to limit this before, but I have not seen many people do this, or even aware you could. (https://pixelrobots.co.uk/2020/06/use-azure-rbac-to-define-access-to-kubeconfig-in-azure-kubernetes-…) […]