Control: 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services
Description
It is recommended to enable RBAC on all Azure Kubernetes Services Instances. Azure Kubernetes Services has the capability to integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. This should be utilized to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls not just of the overarching AKS instance but also the individual resources managed within Kubernetes.
Remediation
As default, RBAC is enabled. This setting cannot be changed after AKS deployment, cluster will require recreation. For more information refer Use Azure RBAC for Kubernetes
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_8_5Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_8_5 --shareSQL
This control uses a named query:
select kv.id as resource, case when soft_delete_enabled and purge_protection_enabled then 'ok' else 'alarm' end as status, case when not soft_delete_enabled and not purge_protection_enabled then name || ' "soft delete" and "do not purge" not enabled.' when not soft_delete_enabled then name || ' "soft delete" not enabled.' when not purge_protection_enabled then name || ' "do not purge" not enabled.' else name || ' "soft delete" and "do not purge" enabled.' end as reason , kv.resource_group as resource_group , sub.display_name as subscriptionfrom azure_key_vault kv, azure_subscription subwhere sub.subscription_id = kv.subscription_id;