How to apply azure policies as per AKS RBAC managed by Active Directory?

Tanul 1,251 Reputation points
2021-03-31T21:24:31.227+00:00

Team,

We have 3 level of AD roles in Azure kubernetes.

  1. Admin --> created while making the cluster
  2. SRE --> Have almost 85 to 90% control on AKS.
  3. DEV user-> Have less control and only able to work in their specific namespace.

Now if we create this policy, in which root privilege containers are not allowed, then it shall impact all of the 3 categories listed above. I'm unable to find anything like Azure Policy via AKS RBAC.

In azure policy definition, I'm unable to find any way to apply policy only on a specific AD groups or AKS RBAC role. Could you please suggest some resolution otherwise, everyone will entangle in the trap of pod security policies.

Regards,
Tanul

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
666 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,855 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
792 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sumarigo-MSFT 43,561 Reputation points Microsoft Employee
    2021-04-08T08:55:43.647+00:00

    @Tanul Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    This policy makes use of a CRD which enforces the rejection of privilegeEscalation enabled containers at the admission controller of the API server.
    may I know what kind RBAC auth policy. In that case Pod Security Policies are the only option. A Rolebinding/Clusterrolebinding the user (auth) with the Pod Security Policy (admission control).

    You can't enforce securityContext policy associated with RBAC objects at this time.

    There are different ways to authenticate, control access/authorize and secure Kubernetes clusters. Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups, and service accounts access to only the resources they need. With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure by using Azure Active Directory and Azure RBAC. These approaches help you secure your cluster access and provide only the minimum required permissions to developers and operators.

    Azure Policy for Kubernetes clusters

    This article introduces the core concepts that help you authenticate and assign permissions in AKS: https://learn.microsoft.com/en-us/azure/aks/concepts-identity

    Control access to cluster resources using Kubernetes role-based access control and Azure Active Directory identities in Azure Kubernetes Service
    AKS provides the following four built-in roles:https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac

    Kindly let us know if you still have more questions on this. . I wish to engage with you offline for a closer look and provide a quick and specialized assistance, please send an email with subject line “Attn:subm” to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, I will follow-up with you. Once again, apologies for any inconvenience with this issue.
    Thanks for your patience and co-operation.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.