Are AKS clusters insecure by default if not integrated with AAD?

0
votes

I'm reading the docs on integrating AAD with AKS and it doesn't seem like a great solution. It takes the approach of including group membership claims in the token itself, but in JWTs there is a max of 200 group claims allowed - easily surpassed for users in large organizations, since the claims include transitive group membership. There are two much superior approaches:

  1. Associate security groups with roles in the service principal object, then have AKS make authorization decisions based on what roles are in the JWT (docs)
  2. Add the AAD Graph Directory.Read.All scope to the AKS AAD application so AKS can query group membership on request with the on-behalf-of flow (requires AAD admin consent, which is annoying, but whatever).

Since the current solution does not fit our needs, I have to ask - if we can't integrate AAD with AKS then how is the cluster secured? Is it insecure by default?

1
azurekubernetesazure-aks

1 Answers

1
votes

By default its using Kubernetes security model, when you integrate it with AAD nothing really changes, you just can assign AAD principles to Kubernetes roles. That's it. So its no more secure with AAD integration, its just more convenient to manage permissions using AAD principles compared to having to create users inside kubernetes and grant them permissions