Identity and access management considerations for AKS

Your organization or enterprise needs to design security settings that meet its requirements. Identity and access management covers multiple aspects, including cluster identities, workload identities, and operator access.

Design considerations

  • Decide what cluster identity is used (managed identity or service principal).
  • Decide how to authenticate cluster access (client certificate-based or Azure Active Directory).
  • Decide whether to run a multitenant cluster and how to set up role-based access control (RBAC) in Kubernetes.
    • Decide on a method for isolation (namespace, network policy, compute (node pool), or cluster).
    • Decide about Kubernetes RBAC roles and compute allocation per application team for isolation.
    • Decide whether application teams can read other workloads in their cluster or in other clusters.
  • Decide about custom Azure RBAC roles for your AKS landing zone.
    • Decide what permissions are needed for the site reliability engineering (SRE) role to administer/troubleshoot the whole cluster.
    • Decide what permissions are needed for SecOps.
    • Decide what permissions are needed for the landing zone owner.
    • Decide what permissions are needed for the application teams to deploy into the cluster.
  • Decide whether you need workload identities (Azure AD pod identities). They might be needed for Azure services like Azure Key Vault integration, Azure Cosmos DB, and others.
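As an added example (not from the original page), the following manifest shows one way to combine Azure AD authentication, namespace isolation, and Kubernetes RBAC for a single application team: a namespace-scoped Role with no access to secrets, bound to the team's Azure AD group. The namespace name and the group object ID are placeholders.

```yaml
# Added example: namespace-scoped RBAC for one application team on an
# Azure AD-integrated AKS cluster. Placeholders: namespace "team-a" and the
# group object ID in the RoleBinding.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                      # placeholder: one namespace per application team
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-developer
  namespace: team-a                 # Role, not ClusterRole: rights stop at this namespace
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Secrets are deliberately absent; grant them separately only where a team needs them.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developer-binding
  namespace: team-a
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    # With Azure AD integration, AKS presents group membership as the group's object ID.
    name: "00000000-0000-0000-0000-000000000000"   # placeholder: team A's Azure AD group object ID
roleRef:
  kind: Role
  name: team-a-developer
  apiGroup: rbac.authorization.k8s.io
```

To confirm the isolation holds, a cluster administrator can run `kubectl auth can-i list pods -n team-b --as=test-user --as-group=<group-object-id>`, which should answer `no` for any namespace other than team-a.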

Design recommendations