K
Q

Are AKS clusters insecure by default if not integrated with AAD?

7/19/2019

I'm reading the docs on integrating AAD with AKS and it doesn't seem like a great solution. It takes the approach of including group membership claims in the token itself, but in JWTs there is a max of 200 group claims allowed - easily surpassed for users in large organizations, since the claims include transitive group membership. There are two much superior approaches:

  1. Associate security groups with roles in the service principal object, then have AKS make authorization decisions based on what roles are in the JWT (docs)
  2. Add the AAD Graph Directory.Read.All scope to the AKS AAD application so AKS can query group membership on request with the on-behalf-of flow (requires AAD admin consent, which is annoying, but whatever).

Since the current solution does not fit our needs, I have to ask - if we can't integrate AAD with AKS then how is the cluster secured? Is it insecure by default?

-- ahelwer
azure
azure-aks
azure-kubernetes
kubernetes

Similar Questions

Kubernetes dynamic pod provisioning
how to get metrics for a node or pod using godaddy/kubernetes-client api?
Running a CI CD pipeline in Jenkins for Microservice based application
Hibernate database connections blowing up

1 Answer

7/19/2019

By default its using Kubernetes security model, when you integrate it with AAD nothing really changes, you just can assign AAD principles to Kubernetes roles. That's it. So its no more secure with AAD integration, its just more convenient to manage permissions using AAD principles compared to having to create users inside kubernetes and grant them permissions

-- 4c74356b41
Source: StackOverflow