AKS Security using RBAC and Azure AD
While Kubernetes offers enhanced pace, portability, and the ability to use microservices architectures, they can also introduce security vulnerabilities and broaden the attack surface. To make it more secure and robust, Kube cluster should be designed and architected keeping security as the primary aspect.
In this article, we will set up Azure AD group membership to control access to namespaces and cluster resources using Kubernetes RBAC in an AKS cluster. To summarise the article, we will grant permissions to the users and groups in Azure AD using the Roles and RoleBindings in the AKS cluster to create and view resources.
- Create an admin group for the cluster to grant cluster admin permissions. You can use an existing Azure AD group, or create a new one.
2. Enable AKS-managed Azure AD Integration on your cluster where Kubernetes RBAC is enabled(This is enabled by default). This will require the Object ID of the group which is created in the previous step. Once the command is run it will provide the success message along with the details of the cluster and the changes made with AD integration
3. We will create a user and the role to show how Kubernetes RBAC and Azure AD control access to cluster resources.
Developer user — aksdev
Devloper group — aksdevgrp
Create the Group and assign role to AKS cluster.
Create the user and add it to its respective groups.
4. Create Dev namespace in the AKS cluster to test the permission of aksdev user in this namespace.
5. Create a role for the Dev namespace. This role grants full permissions to this namespace.
6. Create a RoleBinding for the aksdevgrp group to use the previously created Role for namespace access.
7. First, overwrite the existing kubeconfig file by running the get-credentials command. Then, run the sample nginx pod and it will promote for aksdev user credentials. Once, signed in the user can run any command in Dev namespace. However, whenever aksdev user tries to run any command outside the Dev namespace then access will be forbidden.
Integrating the AD makes it easy to manage the AKS users in the whole organisation. These users' permissions can now be easily provided based on the Kubernetes RBAC.