Best practices for authentication and authorization in Azure Kubernetes Service (AKS)
As you deploy and maintain clusters in Azure Kubernetes Service (AKS), you need to implement ways to manage access to resources and services. Without these controls, accounts may have access to resources and services they don't need. It can also be hard to track which set of credentials were used to make changes.
This best practices article focuses on how a cluster operator can manage access and identity for AKS clusters. In this article, you learn how to:
- Authenticate AKS cluster users with Azure Active Directory
- Control access to resources with role-based access controls (RBAC)
- Use a managed identity so that pods can authenticate with other services
Use Azure Active Directory
Best practice guidance - Deploy AKS clusters with Azure AD integration. Using Azure AD centralizes the identity management component. Any change in user account or group status is automatically reflected in access to the AKS cluster. Use Roles or ClusterRoles and Bindings, as discussed in the next section, to scope users or groups to the least amount of permissions needed.
The developers and application owners of your Kubernetes cluster need access to different resources. Kubernetes doesn't provide an identity management solution to control which users can interact with what resources. Instead, you typically integrate your cluster with an existing identity solution. Azure Active Directory (AD) provides an enterprise-ready identity management solution, and can integrate with AKS clusters.
With Azure AD-integrated clusters in AKS, you create Roles or ClusterRoles that define access permissions to resources. You then bind the roles to users or groups from Azure AD. These Kubernetes role-based access controls (RBAC) are discussed in the next section. The integration of Azure AD and how you control access to resources can be seen in the following diagram:
- Developer authenticates with Azure AD.
- The Azure AD token issuance endpoint issues the access token.
- The developer performs an action using the Azure AD token, such as `kubectl create pod`.
- Kubernetes validates the token with Azure Active Directory and fetches the developer's group memberships.
- Kubernetes role-based access control (RBAC) and cluster policies are applied.
- The developer's request succeeds or fails based on the previous validation of Azure AD group membership and Kubernetes RBAC and policies.
To create an AKS cluster that uses Azure AD, see Integrate Azure Active Directory with AKS.
Use role-based access controls (RBAC)
Best practice guidance - Use Kubernetes RBAC to define the permissions that users or groups have to resources in the cluster. Create roles and bindings that assign the least amount of permissions required. Integrate with Azure AD so any change in user status or group membership is automatically updated and access to cluster resources is current.
In Kubernetes, you can provide granular control of access to resources in the cluster. Permissions can be defined at the cluster level, or for specific namespaces. You can define which resources can be managed, and with what permissions. These roles are then applied to users or groups with a binding. For more information about Roles, ClusterRoles, and Bindings, see Access and identity options for Azure Kubernetes Service (AKS).
As an example, you can create a Role that grants full access to resources in the namespace named finance-app, as shown in the following example YAML manifest:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: finance-app-full-access-role
  namespace: finance-app
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]
```
A RoleBinding is then created that binds the Azure AD user firstname.lastname@example.org to that Role, as shown in the following YAML manifest:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: finance-app-full-access-role-binding
  namespace: finance-app
subjects:
- kind: User
  name: firstname.lastname@example.org
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: finance-app-full-access-role
  apiGroup: rbac.authorization.k8s.io
```
When firstname.lastname@example.org is authenticated against the AKS cluster, they have full permissions to resources in the finance-app namespace. In this way, you logically separate and control access to resources. Kubernetes RBAC should be used in conjunction with Azure AD-integration, as discussed in the previous section.
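The following added example (not code from the original article) is a small evaluator of Role/RoleBinding semantics, so the scoping of the finance-app manifests above can be checked offline before they are applied: a RoleBinding never reaches into another namespace, `apiGroups: [""]` covers only the core API group, and a binding to an Azure AD group grants access through the group memberships fetched during token validation. The second role, the group object ID and all identities are constructed placeholders.

```python
# Added example (not from the article): a minimal evaluator of Kubernetes
# RBAC Role/RoleBinding semantics for the page's finance-app manifests.
# Identities and the group object ID below are constructed placeholders.

# Role rules keyed by (namespace, role name). The page's Role uses
# apiGroups [""], which is the *core* API group only: pods, secrets and
# services are covered, but e.g. apps/deployments are not.
ROLES = {
    ("finance-app", "finance-app-full-access-role"): [
        {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]},
    ],
    # Constructed least-privilege role for contrast: read-only on pods.
    ("finance-app", "finance-app-pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}

BINDINGS = [
    # The page's RoleBinding: one Azure AD user in one namespace.
    {"namespace": "finance-app", "role": "finance-app-full-access-role",
     "subjects": [("User", "firstname.lastname@example.org")]},
    # Constructed binding to an Azure AD group (placeholder object ID).
    {"namespace": "finance-app", "role": "finance-app-pod-reader",
     "subjects": [("Group", "00000000-0000-0000-0000-placeholder0000")]},
]


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def can_i(user, groups, verb, resource, namespace, api_group=""):
    """True if a binding in `namespace` grants `verb` on `resource`.
    `groups` are the Azure AD group IDs fetched during token validation.
    RBAC is additive: a matching rule grants, nothing denies, and a
    RoleBinding never reaches into another namespace."""
    for binding in BINDINGS:
        if binding["namespace"] != namespace:
            continue
        bound = any((kind == "User" and name == user) or
                    (kind == "Group" and name in groups)
                    for kind, name in binding["subjects"])
        if not bound:
            continue
        for rule in ROLES[(namespace, binding["role"])]:
            if (_matches(rule["apiGroups"], api_group)
                    and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False
```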
To see how to use Azure AD groups to control access to Kubernetes resources using RBAC, see Control access to cluster resources using role-based access controls and Azure Active Directory identities in AKS.
Use pod identities
Best practice guidance - Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use pod identities to automatically request access using a central Azure AD identity solution. Pod identities are intended for use with Linux pods and container images only.
When pods need access to other Azure services, such as Cosmos DB, Key Vault, or Blob Storage, the pod needs access credentials. These access credentials could be defined with the container image or injected as a Kubernetes secret, but need to be manually created and assigned. Often, the credentials are reused across pods, and aren't regularly rotated.
Managed identities for Azure resources (currently implemented as an associated AKS open source project) let you automatically request access to services through Azure AD. You don't manually define credentials for pods; instead, pods request an access token in real time and can use it to access only their assigned services. In AKS, two components are deployed by the cluster operator to allow pods to use managed identities:
- The Node Management Identity (NMI) server is a pod that runs as a DaemonSet on each node in the AKS cluster. The NMI server listens for pod requests to Azure services.
- The Managed Identity Controller (MIC) is a central pod with permissions to query the Kubernetes API server; it checks for an Azure identity mapping that corresponds to a pod.
When pods request access to an Azure service, network rules redirect the traffic to the Node Management Identity (NMI) server. The NMI server identifies pods that request access to Azure services based on their remote address, and queries the Managed Identity Controller (MIC). The MIC checks for Azure identity mappings in the AKS cluster, and the NMI server then requests an access token from Azure Active Directory (AD) based on the pod's identity mapping. Azure AD returns the access token to the NMI server, which returns it to the pod. The pod can then use this access token to request access to services in Azure.
In the following example, a developer creates a pod that uses a managed identity to request access to an Azure SQL Server instance:
- Cluster operator first creates a service account that can be used to map identities when pods request access to services.
- The NMI server and MIC are deployed to relay any pod requests for access tokens to Azure AD.
- A developer deploys a pod with a managed identity that requests an access token through the NMI server.
- The token is returned to the pod and used to access an Azure SQL Server instance.
Managed pod identities are an open source project and are not supported by Azure technical support.
To use pod identities, see Azure Active Directory identities for Kubernetes applications.
This best practices article focused on authentication and authorization for your cluster and resources. To implement some of these best practices, see the following articles:
For more information about cluster operations in AKS, see the following best practices: