Skip to main content
Back to the Azure Footguns Database
SecurityCriticalRareAZF-0075

An AKS cluster with Kubernetes RBAC disabled makes every credential cluster-admin, and only a rebuild fixes it

With enableRBAC: false there is no in-cluster authorization at all: every kubeconfig, service account token, and pipeline credential is effectively cluster-admin. And RBAC cannot be enabled on an existing cluster.

Footgun ID
AZF-0075 (Azure Footgun No. 75)
Azure service
Azure Kubernetes Service
Resource type
Microsoft.ContainerService/managedClusters
Updated
July 9, 2026

What it is

An AKS cluster created with enableRBAC: false. Kubernetes RBAC is the cluster's entire authorization layer: it is what makes a read-only kubeconfig read-only and keeps a workload's service account confined to its namespace. With it disabled, authentication still happens but authorization doesn't, so every credential that can reach the API server, human or workload, has full control of everything in the cluster. It cannot be switched on later; the only fix is rebuilding the cluster.

Impact (security)
Every credential that can reach the API server has full control of every namespace and workload
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

RBAC has been the AKS default for years, so this state is almost always a deliberate day-one choice that outlived its context. Someone building a sandbox or fighting RBAC errors under deadline pressure unchecked the box (or set enableRBAC: false in a template) to make permission problems disappear, and the cluster later graduated into real use. Copied IaC then reproduces the setting silently.

What turns a bad choice into a footgun is that it is irreversible. enableRBAC can only be set at creation; there is no toggle, no az aks update flag, no migration. Fixing it means standing up a new cluster and moving every workload, so the "temporary" sandbox setting becomes permanent by inertia, and each passing month makes the rebuild more expensive.

What it costs / blast radius

The blast radius is total and undifferentiated. Every namespace boundary, every Role and RoleBinding, every least-privilege service account is a no-op: the lowest-value credential in the cluster, a token mounted into some sidecar, a kubeconfig on a former contractor's laptop, carries the same authority as cluster-admin. One compromised pod's service account can read every Secret, delete every workload, and schedule anything. There are no degrees of compromise on such a cluster; any foothold is full control. Rare, but where it exists it tends to sit under production traffic that nobody wants to migrate. (Blast-radius assessment of Kubernetes and Azure behavior, not a measured statistic.)

See it

Footgun: RBAC explicitly disabled at creation — no authorization layer, forever
resource aks 'Microsoft.ContainerService/managedClusters@2024-05-01' = {
  name: 'prod-aks'
  location: location
  // ...identity and agentPoolProfiles omitted for brevity
  properties: {
    dnsPrefix: 'prod-aks'
    enableRBAC: false   // every credential is cluster-admin.
                        // Cannot be changed after creation.
  }
}
Fix: recreate the cluster with RBAC enabled and migrate workloads — there is no in-place toggle
resource aks 'Microsoft.ContainerService/managedClusters@2024-05-01' = {
  name: 'prod-aks-v2'         // a new cluster: enableRBAC is creation-time only
  location: location
  // ...identity and agentPoolProfiles omitted for brevity
  properties: {
    dnsPrefix: 'prod-aks-v2'
    enableRBAC: true          // Roles and RoleBindings actually enforce
    aadProfile: {
      managed: true
      enableAzureRBAC: true   // authorize humans via Azure role assignments
    }
  }
}

How StratoLens helps

StratoLens flags any AKS cluster running with Kubernetes RBAC disabled, automatically and continuously, across every subscription in your tenant. Because the only remedy is a rebuild, the earlier you find one, the cheaper it is to fix, and this is exactly the kind of rare, catastrophic setting a periodic manual review never catches.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.