Did you know that even when you have enabled Azure AD integration with your AKS cluster, a subscription Owner or Contributor can still access your AKS cluster with the --admin switch? In fact, anyone who is a member of the Azure Kubernetes Service Cluster Admin Role (https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-kubernetes-service-cluster-admin-role) can. You were able to use Kubernetes RBAC (Role Based Access Control) to limit this before, but I have not seen many people do this, or even be aware that you could. (https://pixelrobots.co.uk/2020/06/use-azure-rbac-to-define-access-to-kubeconfig-in-azure-kubernetes-service-aks/)
Now you can easily switch --admin access on or off using a simple switch with az aks commands. You can even do it at cluster creation.
So, for this you will need the AKS-Preview extension of the AZ CLI. If you do not already have it installed, you can add it with the following command.
Or, to update an existing installation, use the following.
Register the preview feature
First, you need to register the preview feature. To do that use the following command.
After some time, the feature should be registered. You can verify by using the following command.
When the above shows Registered, you need to refresh the Microsoft.ContainerService resource provider. To do this, just use the following.
Disable local admin on an existing cluster
Now that the preview feature is registered, it's time to test it out. I set my current Kubernetes context using the --admin switch. You will see the cluster name in my terminal window now ends in -admin. I have full cluster access and can view anything in the cluster without having to specify any Azure AD credentials.
The following command is used to disable the local admin account. Just change the resource group and cluster name.
As I am already connected with the admin access, I still have full rights on the cluster. The cluster I am using in this blog post currently does not have Azure AD integration enabled.
So if I try to get the cluster credentials using az aks get-credentials, I will get errors for both user and admin.
Now if I enable Azure AD integration and make myself a member of the group, I should be able to get the cluster credentials but not be allowed to use the --admin switch. (https://docs.microsoft.com/en-us/azure/aks/managed-aad)
So that works as expected! A great win for security and super easy. One thing to note is that, as I had already pulled down the admin context before flipping the switch, I am still able to use kubectl to switch to it. So, if you enable this feature on an existing cluster and do not want admin access, make sure your kube config file does not still contain that context.
Enable local admin on an existing cluster
If for some reason you need to enable the admin access on the cluster again you can use the following command to do so. Just change the resource group and cluster name to yours.
What about when creating a new cluster?
Well, this is nice and easy too. Just add the --disable-local-accounts switch to your cluster creation command. An example is below.
Now when you try to connect to the new cluster with --admin, you will not be able to.
You can use a simple switch to disable and enable the use of the --admin switch when getting AKS cluster credentials. It can be disabled at cluster creation, and disabled or enabled on existing clusters. This new method is a lot easier than the previous method of using RBAC objects inside the AKS cluster.
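As an added example (not from the original post), the following script audits which clusters in a subscription still allow --admin credentials, flags leftover -admin contexts in your kubeconfig (the caveat above), and prints the az aks update command that turns local accounts off. The function names are my own; the `disableLocalAccounts` cluster property and the `--disable-local-accounts` flag are the real ones. The sample data is constructed so the script runs offline; the live commands are shown in comments.

```shell
#!/bin/sh
# Constructed sample of what this command returns (resourceGroup, name, disableLocalAccounts):
#   az aks list --query "[].[resourceGroup,name,disableLocalAccounts]" -o tsv
# An empty third column models a cluster where the property was never set.
SAMPLE_CLUSTERS=$(printf 'rg-prod\taks-prod\tTrue\nrg-dev\taks-dev\tFalse\nrg-lab\taks-lab\t')

# Constructed sample of `kubectl config get-contexts -o name` output.
SAMPLE_CONTEXTS=$(printf 'aks-prod\naks-prod-admin\naks-dev\n')

# Reads the tsv on stdin and prints "<rg> <name>" for every cluster where
# disableLocalAccounts is not True, i.e. `az aks get-credentials --admin` still works.
clusters_with_local_admin() {
  awk -F'\t' '$3 != "True" { print $1, $2 }'
}

# Reads context names on stdin and prints those ending in -admin: cached
# admin credentials that keep working even after local accounts are disabled.
admin_contexts() {
  grep -- '-admin$' || true
}

# Builds the remediation command for one cluster (prints it, does not run it).
remediation_command() {
  printf 'az aks update --resource-group %s --name %s --disable-local-accounts\n' "$1" "$2"
}

echo "Clusters still exposing the local admin account:"
printf '%s\n' "$SAMPLE_CLUSTERS" | clusters_with_local_admin | while read -r rg name; do
  echo "  $rg/$name  ->  $(remediation_command "$rg" "$name")"
done

echo "Admin contexts left in kubeconfig (delete with: kubectl config delete-context <name>):"
printf '%s\n' "$SAMPLE_CONTEXTS" | admin_contexts | sed 's/^/  /'
```

For a live run, replace the two printf pipelines with the az and kubectl commands quoted in the comments.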
I hope you found this article helpful. If you have any questions, please reach out.