Use Microsoft Entra ID Integration for AKS Clusters

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Azure Kubernetes Service (AKS) clusters are integrated with Microsoft Entra ID in order to provide granular, identity-based access to AKS resources.

Security, Operational excellence

Interacting with the API server is essential for managing an Azure Kubernetes Service (AKS) cluster. It is crucial to secure access to the API server and restrict it to authorized users only. Integrating Microsoft Entra ID with an AKS cluster streamlines identity and access management by leveraging Microsoft Entra ID's centralized authentication together with Kubernetes RBAC for authorization. This type of integration enhances security, simplifies user management, and allows for consistent identity controls across both platforms, improving overall operational efficiency and reducing the complexity of managing access to the AKS cluster.

Audit

To determine if Microsoft Entra ID integration is enabled for your AKS clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Kubernetes service and choose Apply to list the Azure Kubernetes Service (AKS) clusters available in the selected subscription.

05 Click on the name (link) of the AKS cluster that you want to examine.

06 In the resource navigation panel, under Settings, select Cluster configuration to access the configuration settings available for the selected AKS cluster.

07 Under Authentication and Authorization, check the configuration option selected from the Authentication and Authorization dropdown list. If the option selected is Local accounts with Kubernetes RBAC, the Microsoft Entra ID integration is not enabled for the selected Azure Kubernetes Service (AKS) cluster.

08 Repeat steps no. 5 – 7 for each AKS cluster provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run aks list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the current subscription:

az aks list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested AKS cluster names:

Name                     ResourceGroup
----------------------   ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-data-mining-cluster   cloud-shell-storage-westeurope

03 Run aks show command (Windows/macOS/Linux) using the name of the AKS cluster that you want to examine and its associated resource group as the identifier parameters to describe the Microsoft Entra ID integration profile available for the selected AKS cluster:

az aks show \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --query 'aadProfile'

If the aks show command does not produce any output (the aadProfile attribute is null), the Microsoft Entra ID integration is not enabled for the selected Azure Kubernetes Service (AKS) cluster.

04 Repeat step no. 3 for each AKS cluster available within the current Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
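The Azure CLI audit above is repeated per cluster and per subscription by hand. The following script, added here as an example and not part of Conformity's own tooling, performs the same evaluation over the JSON that `az aks list -o json` returns for a whole subscription (the script itself runs offline on a constructed sample). It uses only the attributes visible in the `az aks update` output on this page (aadProfile, managed, adminGroupObjectIds, enableRbac, disableLocalAccounts); the disableLocalAccounts finding goes one step beyond the page's check, since enabling Entra ID alone leaves the local admin credentials usable.

```python
"""Check `az aks list -o json` output for Microsoft Entra ID integration.

Usage with real data:  az aks list -o json > clusters.json
                       python aks_entra_check.py clusters.json
"""
import json
import sys


def evaluate_cluster(cluster):
    """Return a list of findings for one ManagedCluster object (empty list = compliant)."""
    findings = []
    aad = cluster.get("aadProfile")
    if not aad:
        # Same condition as `az aks show --query aadProfile` printing nothing.
        return ["Microsoft Entra ID integration is not enabled (aadProfile is null)"]
    if not aad.get("managed"):
        findings.append("legacy (non AKS-managed) Entra ID integration is in use")
    if not aad.get("adminGroupObjectIds"):
        findings.append("no Microsoft Entra group bound to the cluster-admin ClusterRoleBinding")
    if not cluster.get("enableRbac"):
        findings.append("Kubernetes RBAC is disabled")
    if not cluster.get("disableLocalAccounts"):
        # Beyond the page's check: local accounts still work alongside Entra ID sign-in.
        findings.append("local accounts are still enabled (disableLocalAccounts is false)")
    return findings


def evaluate_all(clusters):
    """Map 'resourceGroup/name' -> findings for every cluster in the `az aks list` output."""
    return {f"{c.get('resourceGroup')}/{c.get('name')}": evaluate_cluster(c) for c in clusters}


# Constructed sample with the shape of `az aks list -o json`; not real cluster data.
SAMPLE = [
    {"name": "cc-project5-aks-cluster", "resourceGroup": "cloud-shell-storage-westeurope",
     "enableRbac": True, "disableLocalAccounts": False,
     "aadProfile": {"managed": True,
                    "adminGroupObjectIds": ["abcd1234-abcd-1234-abcd-1234abcd1234"]}},
    {"name": "cc-data-mining-cluster", "resourceGroup": "cloud-shell-storage-westeurope",
     "enableRbac": True, "disableLocalAccounts": False, "aadProfile": None},
]

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for key, findings in evaluate_all(data).items():
        print(f"{key}: {'OK' if not findings else '; '.join(findings)}")
```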

Remediation / Resolution

To enable Microsoft Entra ID integration for your Azure Kubernetes Service (AKS) clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Kubernetes service and choose Apply to list the Azure Kubernetes Service (AKS) clusters available in the selected subscription.

05 Click on the name (link) of the AKS cluster that you want to configure.

06 In the resource navigation panel, under Settings, select Cluster configuration to access the configuration settings available for the selected AKS cluster.

07 Under Authentication and Authorization, perform the following actions:

  1. For Authentication and Authorization select Microsoft Entra ID authentication with Kubernetes RBAC.
  2. For Cluster admin ClusterRoleBinding, click on Choose Microsoft Entra group, and select the group(s) of users that will have administrative access to your AKS cluster.

08 Choose Apply to save the configuration changes.

09 Repeat steps no. 5 – 8 for each AKS cluster that you want to configure, available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run aks update command (OSX/Linux/UNIX) using the name of the cluster that you want to configure as the identifier parameter, to enable AKS-managed Microsoft Entra integration for the selected Kubernetes RBAC-enabled cluster. Replace [admin-group-id] with the ID of the Microsoft Entra group that you want to grant admin access:

az aks update \
  --name cc-project5-aks-cluster \
  --resource-group cloud-shell-storage-westeurope \
  --enable-aad \
  --aad-admin-group-object-ids [admin-group-id]

02 Once the update process is completed, the command output should return the information available for the modified AKS cluster:

{
	"aadProfile": {
		"adminGroupObjectIds": [
			"abcd1234-abcd-1234-abcd-1234abcd1234"
		],
		"clientAppId": null,
		"managed": true,
		"serverAppId": null,
		"serverAppSecret": null,
		"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd"
	},
	"apiServerAccessProfile": null,
	"autoUpgradeProfile": {
		"upgradeChannel": "none"
	},
	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
		"type": "SystemAssigned",
		"userAssignedIdentities": null
	},
	"azureMonitorProfile": null,
	"currentKubernetesVersion": "1.26.3",
	"disableLocalAccounts": false,
	"diskEncryptionSetId": null,
	"dnsPrefix": "cc-project5-aks-cluster-dns",
	"enablePodSecurityPolicy": null,
	"enableRbac": true,
	"extendedLocation": null,
	"fqdn": "cc-project5-aks-cluster-dns-abcd1234.hcp.westeurope.azmk8s.io",
	"fqdnSubdomain": null,
	"httpProxyConfig": null,
	"kubernetesVersion": "1.26.3",
	"linuxProfile": null,
	"location": "westeurope",
	"maxAgentPools": 100,
	"name": "cc-project5-aks-cluster",
	"nodeResourceGroup": "MC_cloud-shell-storage-westeurope_cc-project5-aks-cluster_westeurope",
	"oidcIssuerProfile": {
		"enabled": false,
		"issuerUrl": null
	},
	"podIdentityProfile": null,
	"powerState": {
		"code": "Running"
	},
	"privateFqdn": null,
	"privateLinkResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"securityProfile": {
		"azureKeyVaultKms": null,
		"defender": null,
		"imageCleaner": null,
		"workloadIdentity": null
	},
	"servicePrincipalProfile": {
		"clientId": "msi",
		"secret": null
	},
	"sku": {
		"name": "Base",
		"tier": "Free"
	},
	"storageProfile": {
		"blobCsiDriver": null,
		"diskCsiDriver": {
			"enabled": true
		},
		"fileCsiDriver": {
			"enabled": true
		},
		"snapshotController": {
			"enabled": true
		}
	},
	"supportPlan": "KubernetesOfficial",
	"systemData": null,
	"tags": null,
	"type": "Microsoft.ContainerService/ManagedClusters",
	"windowsProfile": null,
	"workloadAutoScalerProfile": {
		"keda": null
	}
}

03 Repeat steps no. 1 and 2 for each Azure Kubernetes Service cluster that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

Publication date Aug 8, 2023
