AKS | Disable Administrator local account

Hi,

When you deploy an AKS cluster, local accounts are enabled by default. Even with Kubernetes RBAC or Azure Active Directory integration turned on, `az aks get-credentials --admin` still hands out a cluster-admin kubeconfig backed by a local (certificate-based) account that is tied to no user identity: essentially a non-auditable backdoor, since nothing done with it can be attributed to a person. With this in mind, AKS lets you disable local accounts with the `--disable-local-accounts` flag on `az aks create` and `az aks update`. A field, `properties.disableLocalAccounts`, has also been added to the managed cluster API so you can tell whether the feature is enabled on a given cluster (`az aks show --query disableLocalAccounts`). Note that disabling local accounts only makes sense once Azure AD integration is configured with at least one admin group, otherwise nobody can administer the cluster any more; that is why the commands below always pass `--enable-aad` and `--aad-admin-group-object-ids`.

Requirements (the feature was in preview at the time of writing, so it has to be registered on the subscription first):

az feature register --namespace "Microsoft.ContainerService" --name "DisableLocalAccountsPreview"

Registration takes a few minutes; wait until the state reads Registered:

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/DisableLocalAccountsPreview')].{Name:name,State:properties.state}"

Then refresh the resource provider so the registration propagates:

az provider register --namespace Microsoft.ContainerService

Disable local accounts on an existing AKS cluster (replace the angle-bracket placeholders with your resource group, cluster name and the object ID of the Azure AD group that will hold cluster-admin rights):

az aks update -g <resource-group> -n <cluster-name> --enable-aad --aad-admin-group-object-ids <admin-group-object-id> --disable-local-accounts

Create a new AKS cluster without any local account (same placeholders as above):

az aks create -g <resource-group> -n <cluster-name> --enable-aad --aad-admin-group-object-ids <admin-group-object-id> --disable-local-accounts
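Once the flag is set you will want to verify it, and on a subscription with many clusters you will want to find the ones that still have the backdoor open. The following audit script is an added example, not part of the original post: it consumes the JSON produced by `az aks list -o json` (or a one-element list from `az aks show -o json`) and reports every cluster where `disableLocalAccounts` is not true, or where Azure AD integration is missing the admin group that makes disabling local accounts safe. The field names (`disableLocalAccounts`, `aadProfile.managed`, `aadProfile.adminGroupObjectIDs`) are assumed to match the Azure CLI output, and the embedded sample clusters and group IDs are constructed for the demo.

```python
"""Audit AKS clusters for local (--admin) accounts that are still enabled.

Added example, not from the original post.  Usage:
    az aks list -o json | python audit_local_accounts.py
Run with no stdin to audit the constructed SAMPLE_CLUSTERS below.
Field names are assumed to match `az aks show` / `az aks list` output.
"""
import json
import sys

# Constructed sample data shaped like `az aks list -o json` (not real clusters).
SAMPLE_CLUSTERS = [
    # Old cluster: no Azure AD integration, field absent -> local accounts on.
    {"name": "aks-legacy", "aadProfile": None},
    # Azure AD integrated, but --admin still works.
    {
        "name": "aks-aad-admin-only",
        "disableLocalAccounts": False,
        "aadProfile": {
            "managed": True,
            "adminGroupObjectIDs": ["00000000-0000-0000-0000-000000000001"],
        },
    },
    # Hardened: AAD admin group set and local accounts disabled.
    {
        "name": "aks-hardened",
        "disableLocalAccounts": True,
        "aadProfile": {
            "managed": True,
            "adminGroupObjectIDs": ["00000000-0000-0000-0000-000000000001"],
        },
    },
]


def cluster_findings(cluster):
    """Return the list of findings for one cluster dict; empty means compliant."""
    findings = []
    aad = cluster.get("aadProfile") or {}
    # disableLocalAccounts is absent/null on clusters created before the feature
    # existed, so anything other than an explicit True counts as enabled.
    if cluster.get("disableLocalAccounts") is not True:
        findings.append("local accounts enabled: 'az aks get-credentials --admin' still works")
    if not aad.get("managed"):
        findings.append("AKS-managed Azure AD integration not enabled")
    elif not aad.get("adminGroupObjectIDs"):
        findings.append("no Azure AD admin group set; disabling local accounts would lock out admins")
    return findings


def audit(clusters):
    """Map cluster name -> findings, for non-compliant clusters only."""
    report = {}
    for cluster in clusters:
        findings = cluster_findings(cluster)
        if findings:
            report[cluster["name"]] = findings
    return report


def main():
    clusters = SAMPLE_CLUSTERS if sys.stdin.isatty() else json.load(sys.stdin)
    report = audit(clusters)
    for name, findings in sorted(report.items()):
        for finding in findings:
            print(f"{name}: {finding}")
    # Non-zero exit so the check can gate a pipeline.
    sys.exit(1 if report else 0)


if __name__ == "__main__":
    main()
```

The script exits non-zero whenever at least one cluster is flagged, so it can run as a scheduled check or in CI. Treating a missing `disableLocalAccounts` field as "enabled" is deliberate: the absence of the field is exactly what an older cluster that nobody has revisited looks like.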

Maxime.
