question

TaB-8489 asked TaB-8489 commented

How to apply Azure policies as per AKS RBAC managed by Active Directory?

Team,

We have 3 levels of AD roles in Azure Kubernetes.
1. Admin --> created while making the cluster
2. SRE --> has almost 85 to 90% control on AKS.
3. DEV user --> has less control and is only able to work in their specific namespace.

Now if we create this policy, in which root-privilege containers are not allowed, then it shall impact all of the 3 categories listed above. I'm unable to find anything like Azure Policy via AKS RBAC.

In the Azure Policy definition, I'm unable to find any way to apply a policy only to specific AD groups or an AKS RBAC role. Could you please suggest some resolution? Otherwise, everyone will be entangled in the trap of pod security policies.

Regards,
Tanul



Tags: azure-kubernetes-service, azure-policy, azure-rbac

1 Answer

SumanthMarigowda-MSFT answered TaB-8489 commented

@TaB-8489 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

This policy makes use of a CRD which enforces the rejection of privilegeEscalation-enabled containers at the admission controller of the API server.
May I know what kind of RBAC auth policy you mean? In that case, Pod Security Policies are the only option: a RoleBinding/ClusterRoleBinding ties the user (auth) to the Pod Security Policy (admission control).

You can't enforce securityContext policy associated with RBAC objects at this time.

There are different ways to authenticate, control access/authorize and secure Kubernetes clusters. Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups, and service accounts access to only the resources they need. With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure by using Azure Active Directory and Azure RBAC. These approaches help you secure your cluster access and provide only the minimum required permissions to developers and operators.

Azure Policy for Kubernetes clusters

This article introduces the core concepts that help you authenticate and assign permissions in AKS: https://docs.microsoft.com/en-us/azure/aks/concepts-identity

Control access to cluster resources using Kubernetes role-based access control and Azure Active Directory identities in Azure Kubernetes Service.
AKS provides the following four built-in roles: https://docs.microsoft.com/en-us/azure/aks/manage-azure-rbac

Kindly let us know if you still have more questions on this. I wish to engage with you offline for a closer look and provide quick and specialized assistance; please send an email with subject line "Attn:subm" to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, and I will follow up with you. Once again, apologies for any inconvenience with this issue.
Thanks for your patience and co-operation.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.



@Sumarigo-MSFT, Hello Sumanth, sorry for the delay. Due to an extremely bad health condition I wasn't able to reply and go through the answer.

As far as I know, the pod security policy feature is in preview mode and AKS is decommissioning it.

Now the problem is, let's say we apply the Azure policy "enable non-root privilege container"; then it will be applied to all the accounts and none of the users, including admin, will be able to run privileged containers.

Whereas if we use PSP, then we can combine it with a cluster role and cluster role binding to enforce it only on normal users.

While using Azure Policy, how do we bifurcate the usage of the policy as per roles? Please let me know.

Thank you
Tanul

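The RBAC-to-PSP binding that the answer and the follow-up comment describe, as an added example (not from this thread, Microsoft or AKS documentation): a PodSecurityPolicy that forbids privileged and root containers, a ClusterRole granting `use` on that one PSP, and a RoleBinding that ties it to the DEV Azure AD group in its namespace only. The PSP name, ClusterRole name, namespace and the group object ID are placeholders.

```yaml
# Added example: restrict only the DEV group to a non-privileged, non-root PSP.
# Names, namespace and the AAD group object ID below are placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: dev-restricted                  # assumed PSP name
spec:
  privileged: false                     # reject privileged containers
  allowPrivilegeEscalation: false       # reject setuid / privilege escalation
  runAsUser: {rule: MustRunAsNonRoot}   # containers may not run as UID 0
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  volumes: [configMap, emptyDir, secret, persistentVolumeClaim]
---
# ClusterRole that allows the "use" verb on exactly that PSP and nothing else
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-dev-restricted              # assumed ClusterRole name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["dev-restricted"]
    verbs: ["use"]
---
# RoleBinding in the DEV namespace: only the DEV Azure AD group gets this PSP.
# With AKS-managed AAD integration a Group subject is named by its AAD object ID.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-dev-restricted
  namespace: dev-team-a                 # assumed DEV namespace
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "00000000-0000-0000-0000-000000000000"   # placeholder AAD group object ID
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-dev-restricted
```

Once the PSP admission controller is enabled, a pod is rejected unless some PSP usable by its creator (or its service account) permits it, so the Admin and SRE groups need their own ClusterRoleBinding to a separate, more permissive PSP rather than no binding at all.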