What it is
An AKS cluster created with enableRBAC: false. Kubernetes RBAC is the cluster's entire authorization layer: it is what makes a read-only kubeconfig read-only and keeps a workload's service account confined to its namespace. With it disabled, authentication still happens but authorization doesn't, so every credential that can reach the API server, human or workload, has full control of everything in the cluster. It cannot be switched on later; the only fix is rebuilding the cluster.
Why it happens
RBAC has been the AKS default for years, so this state is almost always a deliberate day-one choice that outlived its context. Someone building a sandbox or fighting RBAC errors under deadline pressure unchecked the box (or set enableRBAC: false in a template) to make permission problems disappear, and the cluster later graduated into real use. Copied IaC then reproduces the setting silently.
What turns a bad choice into a footgun is that it is irreversible. enableRBAC can only be set at creation; there is no toggle, no az aks update flag, no migration. Fixing it means standing up a new cluster and moving every workload, so the "temporary" sandbox setting becomes permanent by inertia, and each passing month makes the rebuild more expensive.
What it costs / blast radius
The blast radius is total and undifferentiated. Every namespace boundary, every Role and RoleBinding, every least-privilege service account is a no-op: the lowest-value credential in the cluster, a token mounted into some sidecar, a kubeconfig on a former contractor's laptop, carries the same authority as cluster-admin. One compromised pod's service account can read every Secret, delete every workload, and schedule anything. There are no degrees of compromise on such a cluster; any foothold is full control. Rare, but where it exists it tends to sit under production traffic that nobody wants to migrate. (Blast-radius assessment of Kubernetes and Azure behavior, not a measured statistic.)
See it
resource aks 'Microsoft.ContainerService/managedClusters@2024-05-01' = {
name: 'prod-aks'
location: location
// ...identity and agentPoolProfiles omitted for brevity
properties: {
dnsPrefix: 'prod-aks'
enableRBAC: false // every credential is cluster-admin.
// Cannot be changed after creation.
}
}resource aks 'Microsoft.ContainerService/managedClusters@2024-05-01' = {
name: 'prod-aks-v2' // a new cluster: enableRBAC is creation-time only
location: location
// ...identity and agentPoolProfiles omitted for brevity
properties: {
dnsPrefix: 'prod-aks-v2'
enableRBAC: true // Roles and RoleBindings actually enforce
aadProfile: {
managed: true
enableAzureRBAC: true // authorize humans via Azure role assignments
}
}
}How StratoLens helps
StratoLens flags any AKS cluster running with Kubernetes RBAC disabled, automatically and continuously, across every subscription in your tenant. Because the only remedy is a rebuild, the earlier you find one, the cheaper it is to fix, and this is exactly the kind of rare, catastrophic setting a periodic manual review never catches.