AKS Security using RBAC and Azure AD

While Kubernetes offers enhanced pace, portability, and the ability to use microservices architectures, it can also introduce security vulnerabilities and broaden the attack surface. To make it more secure and robust, a Kubernetes cluster should be designed and architected with security as the primary concern.

In this article, we will set up Azure AD group membership to control access to namespaces and cluster resources using Kubernetes RBAC in an AKS cluster. In summary, we will grant permissions to users and groups in Azure AD using Roles and RoleBindings in the AKS cluster so that they can create and view resources.

Let’s Begin….

1. Create an admin group for the cluster to grant cluster admin permissions. You can use an existing Azure AD group, or create a new one.

2. Enable AKS-managed Azure AD integration on your cluster, where Kubernetes RBAC is enabled (it is enabled by default). This requires the Object ID of the group created in the previous step. Once the command is run, it returns a success message along with the details of the cluster and the changes made by the AD integration.

3. We will create a user and a group to show how Kubernetes RBAC and Azure AD control access to cluster resources.
Developer user — aksdev
Developer group — aksdevgrp

Create the group and assign it a role on the AKS cluster.

Create the user and add it to its respective group.

4. Create the Dev namespace in the AKS cluster to test the aksdev user's permissions in this namespace.

5. Create a role for the Dev namespace. This role grants full permissions to this namespace.

6. Create a RoleBinding for the aksdevgrp group to use the previously created Role for namespace access.

7. First, overwrite the existing kubeconfig file by running the get-credentials command. Then run a sample nginx pod; kubectl will prompt for the aksdev user's credentials. Once signed in, the user can run any command in the Dev namespace. However, whenever the aksdev user tries to run any command outside the Dev namespace, access is forbidden.
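The seven steps above, as one script. This is an added example, not the article's own commands or screenshots: the resource group `rg-aks-demo`, cluster `aks-demo`, group names `aksadmins` and `aksdevgrp`, the developer UPN `aksdev@example.com` and the namespace `dev` are placeholders (override them through the environment). The Role and RoleBinding manifests are rendered by shell functions so they can be inspected without a cluster; the `apply` path runs the `az` and `kubectl` commands for steps 1 to 7 and finishes with a `kubectl auth can-i` impersonation check, which verifies the binding from the admin kubeconfig without the interactive device-code sign-in described in step 7.

```shell
#!/bin/sh
# Added example (not the article's code). Assumed placeholder values below.
set -eu

RG="${RG:-rg-aks-demo}"
CLUSTER="${CLUSTER:-aks-demo}"
NAMESPACE="${NAMESPACE:-dev}"
ADMIN_GROUP="${ADMIN_GROUP:-aksadmins}"
DEV_GROUP="${DEV_GROUP:-aksdevgrp}"
DEV_UPN="${DEV_UPN:-aksdev@example.com}"

# Step 5: a Role granting full rights on core, apps and batch resources, but only inside $1.
render_dev_role() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $1-user-full-access
  namespace: $1
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["*"]
EOF
}

# Step 6: bind the Azure AD group to that Role. With AKS-managed Azure AD the Kubernetes
# group subject is the Azure AD group's object ID ($2), not its display name.
render_dev_rolebinding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $1-user-access
  namespace: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $1-user-full-access
subjects:
- kind: Group
  namespace: $1
  name: $2
EOF
}

# Guard against binding a display name by mistake: the subject must be a GUID.
is_object_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

apply_cluster_rbac() {
  # Step 1: admin group (object ID is returned under "id" on current Azure CLI).
  ADMIN_OID=$(az ad group create --display-name "$ADMIN_GROUP" --mail-nickname "$ADMIN_GROUP" --query id -o tsv)
  # Step 3: developer group, developer user membership, and the Azure role that lets the
  # group fetch cluster credentials with get-credentials.
  DEV_OID=$(az ad group create --display-name "$DEV_GROUP" --mail-nickname "$DEV_GROUP" --query id -o tsv)
  is_object_id "$ADMIN_OID" && is_object_id "$DEV_OID" || { echo "group create did not return an object ID" >&2; return 1; }
  USER_OID=$(az ad user show --id "$DEV_UPN" --query id -o tsv)
  az ad group member add --group "$DEV_OID" --member-id "$USER_OID"
  AKS_ID=$(az aks show -g "$RG" -n "$CLUSTER" --query id -o tsv)
  az role assignment create --assignee-object-id "$DEV_OID" --assignee-principal-type Group \
    --role "Azure Kubernetes Service Cluster User Role" --scope "$AKS_ID"
  # Step 2: AKS-managed Azure AD integration; the admin group becomes cluster-admin.
  az aks update -g "$RG" -n "$CLUSTER" --enable-aad --aad-admin-group-object-ids "$ADMIN_OID"
  # Steps 4-6 are applied with the admin kubeconfig.
  az aks get-credentials -g "$RG" -n "$CLUSTER" --admin --overwrite-existing
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  render_dev_role "$NAMESPACE" | kubectl apply -f -
  render_dev_rolebinding "$NAMESPACE" "$DEV_OID" | kubectl apply -f -
  # Step 7 check by impersonation: the group is what the RoleBinding matches, so the
  # user name is only a label here. Expect "yes" for dev and "no" for default.
  kubectl auth can-i create pods -n "$NAMESPACE" --as "$DEV_UPN" --as-group "$DEV_OID"
  kubectl auth can-i create pods -n default --as "$DEV_UPN" --as-group "$DEV_OID" || true
}

case "${1:-}" in
  apply) apply_cluster_rbac ;;
  *) render_dev_role "$NAMESPACE"; echo '---'; render_dev_rolebinding "$NAMESPACE" '<dev-group-object-id>' ;;
esac
```

Run it without arguments to print the two manifests for review; after `az login`, run `sh aks-rbac.sh apply` with `RG`, `CLUSTER` and `DEV_UPN` set to your own values. The second `can-i` returning "no" is the same forbidden result the article describes for commands outside the Dev namespace.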

Integrating Azure AD makes it easy to manage AKS users across the whole organisation, and their permissions can now be granted through Kubernetes RBAC.




Lead Cloud and DevSecOps Consultant at SoftwareONE Australia

Shailender Choudhary