top of page
Writer's pictureRafael Natali

Securing your Azure Kubernetes Services Cluster

In this article, I will present my perspective on securing an Azure Kubernetes cluster with the principle of least privilege as a top priority. I will explain the available built-in Azure Kubernetes Roles, the function of the Microsoft Entra (formerly Azure Active Directory) groups, and how to utilize Kubernetes RBAC to manage access to the workloads.




Authentication and Authorization

Configure the cluster to integrate with Microsoft Entra and take advantage to manage users and groups from a central identity management.

Microsoft Entra Groups and Azure Kubernetes Roles

Create one or more Entra Groups to separate the administrators from the non-administrators. The number and structure of groups will depend on your structure. Let's assume we created two groups:


  • admin

  • developers


Now, we need to assign roles to these groups. There are two Azure Kubernetes Roles I use:

Role

Description

Azure Kubernetes Service Cluster User Role

This role allows the user to log into the cluster; however if no (Cluster)RoleBidings exists, the user cannot execute any kubectl command.

Azure Kubernetes Service RBAC Cluster Admin

Allows super-user access to perform any action on any resource.

The "admin" group will have the "RBAC Cluster Admin" and the "developers" the "User Role". With this role assignment, we achieved the principle of least privilege because we denied all kubectl commands to the "developers". From now on, I, as an administrator, will use Kubernetes RBAC to control what the developers can do. The RBAC you'll implement will vary depending on your use cases.


Kubernetes RBAC


Now, for example, I'll give permissions for the "developers" to read Pods in the dev namespace using the following Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Get the resource ID for the developers group using the az ad group show command. This group is set as the subject of a RoleBinding in the next step.

az ad group show --group developers --query id -o tsv

Create a RoleBinding for the "developers" group to use the previously created Role for reading Pods.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: Group
  namespace: dev
  name: <groupObjectId> # output of the az ad group show

And now, the members of the "developers" group will be able to read Pods in the dev namespace.


Summary

We can set up non-administrator groups with the "Azure Kubernetes Service Cluster User Role" to effectively enforce a "deny-all" policy. This means that members of these groups will have no permission to carry out any actions in the Kubernetes cluster. The administrator can then selectively grant only the necessary permissions to these groups.

This approach allows the administrator to protect Kubernetes Secrets from unauthorised access, prevent the deletion of system Pods, and control access to specific namespaces, which is particularly useful in multi-tenant environments.

In my view, it's better to begin with a closed environment and then gradually open up access as needed rather than starting with open access and then trying to restrict it.


Reference






20 views0 comments

Recent Posts

See All

Comments


bottom of page