AKS RBAC Disabled

  • Query id: b2418936-cd47-4ea2-8346-623c0bdb87bd
  • Query name: AKS RBAC Disabled
  • Platform: Crossplane
  • Severity: Medium
  • Category: Access Control
  • CWE: 311
  • URL: Github

Description

Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: compute.azure.crossplane.io/v1alpha3
kind: AKSCluster
metadata:
  name: anais-crossplane-demo
spec:
  location: eastus
  version: "1.19.7"
  nodeVMSize: Standard_D2_v2
  resourceGroupNameRef:
    name: anais-resource
  dnsNamePrefix: dt
  nodeCount: 2
  disableRBAC: true
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: aks.multik8s.platformref.crossplane.io
  labels:
    provider: AZURE
spec:
  compositeTypeRef:
    apiVersion: multik8s.platformref.crossplane.io/v1alpha1
    kind: AKS
  resources:
    - name: sample-ec2
      base:
        apiVersion: compute.azure.crossplane.io/v1alpha3
        kind: AKSCluster
        metadata:
          name: anais-crossplane-demo
        spec:
          location: eastus
          version: "1.19.7"
          nodeVMSize: Standard_D2_v2
          resourceGroupNameRef:
            name: anais-resource
          dnsNamePrefix: dt
          nodeCount: 2
          disableRBAC: true

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: compute.azure.crossplane.io/v1alpha3
kind: AKSCluster
metadata:
  name: anais-crossplane-demo
spec:
  location: eastus
  version: "1.19.7"
  nodeVMSize: Standard_D2_v2
  resourceGroupNameRef:
    name: anais-resource
  dnsNamePrefix: dt
  nodeCount: 2
  disableRBAC: false
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: aks.multik8s.platformref.crossplane.io
  labels:
    provider: AZURE
spec:
  compositeTypeRef:
    apiVersion: multik8s.platformref.crossplane.io/v1alpha1
    kind: AKS
  resources:
    - name: sample-ec2
      base:
        apiVersion: compute.azure.crossplane.io/v1alpha3
        kind: AKSCluster
        metadata:
          name: anais-crossplane-demo
        spec:
          location: eastus
          version: "1.19.7"
          nodeVMSize: Standard_D2_v2
          resourceGroupNameRef:
            name: anais-resource
          dnsNamePrefix: dt
          nodeCount: 2
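
The check these samples exercise, as an added example (not the query's own code): it flags `disableRBAC: true` on an `AKSCluster` declared directly or embedded as a Composition resource `base`. It assumes the manifests are already parsed into dicts; the helper names and the trimmed sample documents are constructed here from the page's samples.

```python
AKS_KIND = "AKSCluster"

def _is_aks_rbac_disabled(resource):
    """True when resource is an AKSCluster whose spec sets disableRBAC: true."""
    if not isinstance(resource, dict) or resource.get("kind") != AKS_KIND:
        return False
    spec = resource.get("spec")
    # An absent disableRBAC is treated as compliant, as in the negative sample.
    return isinstance(spec, dict) and spec.get("disableRBAC") is True

def find_rbac_disabled(documents):
    """Return the field path of every AKSCluster that has RBAC disabled."""
    findings = []
    for i, doc in enumerate(documents):
        if not isinstance(doc, dict):
            continue
        if _is_aks_rbac_disabled(doc):
            findings.append(f"doc[{i}].spec.disableRBAC")
        if doc.get("kind") != "Composition":
            continue
        spec = doc.get("spec")
        resources = spec.get("resources") if isinstance(spec, dict) else None
        for j, entry in enumerate(resources or []):
            # A Composition wraps the managed resource under resources[].base.
            if isinstance(entry, dict) and _is_aks_rbac_disabled(entry.get("base")):
                findings.append(f"doc[{i}].spec.resources[{j}].base.spec.disableRBAC")
    return findings

# Constructed sample input: the page's manifests reduced to the fields read above.
def _cluster(disable_rbac=None):
    spec = {"location": "eastus", "nodeCount": 2}
    if disable_rbac is not None:
        spec["disableRBAC"] = disable_rbac
    return {"kind": AKS_KIND, "metadata": {"name": "anais-crossplane-demo"}, "spec": spec}

def _composition(base):
    return {"kind": "Composition",
            "spec": {"resources": [{"name": "sample-ec2", "base": base}]}}

POSITIVE = [_cluster(True), _composition(_cluster(True))]
NEGATIVE = [_cluster(False), _composition(_cluster())]

if __name__ == "__main__":
    for label, docs in (("positive", POSITIVE), ("negative", NEGATIVE)):
        print(label, find_rbac_disabled(docs))
```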