Kubernetes Services

Kubernetes RBAC Disabled

Risk Level: High

Description

The plugin checks that Role-Based Access Control (RBAC) is enabled, for better control and management of clusters, on all Kubernetes service instances. Granting privileges without proper authorization causes mismanagement and raises unwanted consequences and risks for the system.

About the Service

Kubernetes services: Azure provides a fully managed container management service called Azure Kubernetes Service (AKS). It enables continuous integration and deployment of software. The service offers scalability, end-to-end deployment and availability. Kubernetes facilitates communication between containers, their management and auto-scaling.

Impact

Role-Based Access Control (RBAC) allows better control and management of clusters on all Kubernetes services. With Azure RBAC, access can be divided within teams on the basis of their roles and resources. Granting unnecessary privileges causes mismanagement and raises unwanted consequences and risks for the system.

Steps to Reproduce

  1. Login to the Azure portal.
  2. Click on Kubernetes services under Services or type “Kubernetes services” in the search box.
  3. Select any one of the listed clusters to check for the issue.
  4. From the navigation bar, select Cluster configuration under Settings.
  5. Under Kubernetes authentication and authorization, check that the state of Role-based access control is set to “Enabled”. If not, go to the Steps for Remediation section.
  6. Repeat for other clusters as well.

Steps for Remediation

  1. Login to the Azure portal.
  2. Click on Kubernetes services under Services or type “Kubernetes services” in the search box.
  3. Select any one of the listed clusters to check for the issue.
  4. From the navigation bar, select Cluster configuration under Settings.
  5. Under Kubernetes authentication and authorization, if the state of Role-based access control is not set to “Enabled”, the Kubernetes cluster has to be recreated with the same configuration as the present one, because RBAC can only be enabled during cluster creation. To create a new Kubernetes cluster, follow the steps below:
    1. On the Kubernetes services dashboard, click on + Create. Fill in the required details under the Basics tab and set the configurations as required under the other tabs.
    2. Under the Authentication tab, select “Enabled” for Role-based access control (RBAC). Then click on Review + create.
    3. After reviewing the configuration, click on Create.
  6. Repeat for other clusters as well.
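The portal walkthrough above checks one cluster at a time. The following added example (not part of the PingSafe plugin or this page) performs the same check across every cluster in a subscription from the JSON that `az aks list -o json` returns; it assumes the CLI reports the setting in a field named `enableRbac` and ships with a constructed sample so it runs offline.

```python
"""Audit AKS clusters for disabled Kubernetes RBAC.

Reads the JSON shape returned by `az aks list -o json` (the `enableRbac`
field name is assumed from the Azure CLI output) and reports every cluster
that is not explicitly RBAC-enabled.
"""
import json
from typing import Dict, List, Optional

# Constructed sample of `az aks list -o json` output, trimmed to the fields
# this check needs: one compliant cluster, one disabled, one missing the key.
SAMPLE_AZ_AKS_LIST = """
[
  {"name": "prod-aks", "resourceGroup": "rg-prod", "location": "eastus",
   "enableRbac": true},
  {"name": "legacy-aks", "resourceGroup": "rg-legacy", "location": "westeurope",
   "enableRbac": false},
  {"name": "dev-aks", "resourceGroup": "rg-dev", "location": "eastus"}
]
"""


def audit_rbac(clusters: List[Dict]) -> List[Dict]:
    """Return one finding per cluster whose Kubernetes RBAC is not enabled.

    A missing `enableRbac` key is treated as a failure: the check passes only
    on an explicit true, so an unexpected API shape cannot hide a gap.
    """
    findings = []
    for cluster in clusters:
        if cluster.get("enableRbac") is not True:
            findings.append({
                "cluster": cluster.get("name"),
                "resourceGroup": cluster.get("resourceGroup"),
                "risk": "High",
                "status": "Kubernetes RBAC Disabled",
                # RBAC cannot be toggled in place; the cluster must be recreated.
                "remediation": "Recreate the cluster with RBAC enabled",
            })
    return findings


def load_clusters(raw_json: Optional[str] = None) -> List[Dict]:
    """Parse cluster JSON; defaults to the constructed sample. Pass the text
    of `az aks list -o json` here for a live audit."""
    return json.loads(SAMPLE_AZ_AKS_LIST if raw_json is None else raw_json)


if __name__ == "__main__":
    for f in audit_rbac(load_clusters()):
        print(f"[{f['risk']}] {f['resourceGroup']}/{f['cluster']}: {f['status']}")
```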

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support