AKS RBAC Disabled
- Query id: 149fa56c-4404-4f90-9e25-d34b676d5b39
- Query name: AKS RBAC Disabled
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- CWE: Ongoing
- URL: Github
Description
Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: Create an AKS instance
  azure_rm_aks:
    name: myAKS
    resource_group: myResourceGroup
    location: eastus
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
      client_secret: "Password1234!"
    agent_pool_profiles:
      - name: default
        count: 1
        vm_size: Standard_DS1_v2
        type: VirtualMachineScaleSets
        max_count: 3
        min_count: 1
    enable_rbac: no
- name: Create an AKS instance v2
  azure_rm_aks:
    name: myAKS
    resource_group: myResourceGroup
    location: eastus
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
      client_secret: "Password1234!"
    agent_pool_profiles:
      - name: default
        count: 1
        vm_size: Standard_DS1_v2
        type: VirtualMachineScaleSets
        max_count: 3
        min_count: 1
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: Create an AKS instance v3
  azure_rm_aks:
    name: myAKS
    resource_group: myResourceGroup
    location: eastus
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948
      client_secret: Password1234!
    agent_pool_profiles:
      - name: default
        count: 1
        vm_size: Standard_DS1_v2
        type: VirtualMachineScaleSets
        max_count: 3
        min_count: 1
    enable_rbac: yes
```
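The check this query performs, written out as an added Python example (not the KICS query itself, which is written in Rego): flag every `azure_rm_aks` task whose `enable_rbac` is either absent or not a YAML-1.1 true value, which is exactly what separates the two positive samples from the negative one. The tasks are the page's samples transcribed as Python dicts (non-relevant fields dropped) so the script runs offline without a YAML library; the matching on the fully qualified module name `azure.azcollection.azure_rm_aks` goes beyond the page's samples.

```python
# YAML 1.1 boolean spellings, which is how Ansible reads unquoted yes/no.
YAML_TRUE = {"true", "yes", "on", "y", "1"}
YAML_FALSE = {"false", "no", "off", "n", "0"}
MODULE = "azure_rm_aks"


def rbac_enabled(value):
    """Normalise an enable_rbac value: True, False, or None if absent/unrecognised."""
    if value is None:
        return None
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in YAML_TRUE:
        return True
    if text in YAML_FALSE:
        return False
    return None


def find_rbac_disabled(tasks):
    """Return (task name, reason) for each AKS task that does not enable RBAC.

    A missing key counts as disabled, matching the module's default of no.
    """
    findings = []
    for task in tasks:
        # Match both the short module name and the collection-qualified one.
        module_key = next((k for k in task if k == MODULE or k.endswith("." + MODULE)), None)
        params = task.get(module_key) if module_key else None
        if not isinstance(params, dict):
            continue
        if rbac_enabled(params.get("enable_rbac")) is True:
            continue
        if "enable_rbac" in params:
            reason = "set to %r" % (params["enable_rbac"],)
        else:
            reason = "missing"
        findings.append((task.get("name", "<unnamed>"), reason))
    return findings


# Constructed input: the page's three samples, trimmed to the relevant fields.
TASKS = [
    {"name": "Create an AKS instance", "azure_rm_aks": {"name": "myAKS", "enable_rbac": "no"}},
    {"name": "Create an AKS instance v2", "azure_rm_aks": {"name": "myAKS"}},
    {"name": "Create an AKS instance v3", "azure_rm_aks": {"name": "myAKS", "enable_rbac": "yes"}},
]

if __name__ == "__main__":
    for name, reason in find_rbac_disabled(TASKS):
        print("AKS RBAC Disabled: task %r (enable_rbac %s)" % (name, reason))
```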