Azure Kubernetes Service (AKS) local admin account is enabled
Description
Disabling the local admin account for your Azure Kubernetes Service (AKS) cluster can help improve the security of your cluster. The local admin account has full access to all resources within the cluster, and can make any changes to the cluster and its contents.
Remediation
Fix - Buildtime
Terraform
- Resource: azurerm_kubernetes_cluster
- Arguments: local_account_disabled
Code Example
```hcl
resource "azurerm_kubernetes_cluster" "ckv_unittest_pass" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Disables the local (non-Azure AD) admin credential for the cluster.
  local_account_disabled = true

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Production"
  }
}
```
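To show what this policy has to distinguish at build time, here is an added, self-contained scanner (example code written for this page, not Checkov's own implementation or the azurerm provider's code). It walks a constructed Terraform snippet, locates every `azurerm_kubernetes_cluster` block, and marks it PASSED only when `local_account_disabled = true` appears at the top level of that block; a missing attribute (the provider default leaves the local admin account enabled) or an explicit `false` is FAILED. The resource names and the brace-matching helpers are assumptions for the example.

```python
import re
from typing import Dict

# Constructed sample Terraform (not from the original page): three clusters
# covering the states a scanner must tell apart, plus an unrelated resource.
SAMPLE_TF = '''
resource "azurerm_kubernetes_cluster" "default_settings" {
  name                = "aks-default"
  location            = "westeurope"
  resource_group_name = "rg-example"
  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }
}

resource "azurerm_kubernetes_cluster" "explicitly_enabled" {
  name                   = "aks-admin-on"
  local_account_disabled = false
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_kubernetes_cluster" "hardened" {
  name                   = "aks-hardened"
  local_account_disabled = true
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_resource_group" "example" {
  name     = "rg-example"
  location = "westeurope"
}
'''

# Matches the header of an AKS resource block; the trailing "{" is the block opener.
RESOURCE_HEADER = re.compile(
    r'resource\s+"azurerm_kubernetes_cluster"\s+"([^"]+)"\s*\{'
)
# Matches the attribute on its own line with a literal boolean value.
ATTR = re.compile(r'^\s*local_account_disabled\s*=\s*(true|false)\s*$', re.MULTILINE)


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def _top_level_lines(body: str) -> str:
    """Keep only lines at nesting depth 0, so an attribute inside a nested
    block (e.g. default_node_pool) cannot satisfy the check."""
    depth = 0
    kept = []
    for line in body.splitlines():
        if depth == 0:
            kept.append(line)
        depth += line.count('{') - line.count('}')
    return '\n'.join(kept)


def check_local_account_disabled(tf_source: str) -> Dict[str, str]:
    """Map each azurerm_kubernetes_cluster resource name to PASSED or FAILED.

    FAILED when local_account_disabled is absent (the provider default keeps
    the local admin account enabled) or is explicitly false.
    """
    results: Dict[str, str] = {}
    for m in RESOURCE_HEADER.finditer(tf_source):
        name = m.group(1)
        body = _top_level_lines(_block_body(tf_source, m.end() - 1))
        attr = ATTR.search(body)
        results[name] = 'PASSED' if attr and attr.group(1) == 'true' else 'FAILED'
    return results


if __name__ == '__main__':
    for name, status in check_local_account_disabled(SAMPLE_TF).items():
        print(f'{status}: azurerm_kubernetes_cluster.{name}')
```

Running it reports `default_settings` and `explicitly_enabled` as FAILED and `hardened` as PASSED. The depth filter matters because a naive substring search would accept the attribute anywhere inside the resource, including nested blocks where the provider ignores it; a real policy engine parses HCL properly rather than relying on regex, but the decision logic is the same.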
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0648 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform |
| Checkov ID | CKV_AZURE_141 |