What it is
An AKS cluster where disableLocalAccounts is not set to true, which is the Azure default. Local accounts mean the cluster will issue certificate-based credentials, most famously the static cluster-admin kubeconfig behind az aks get-credentials --admin, that authenticate directly to the API server with no Entra ID involved. Whoever holds the file is cluster-admin, indefinitely, with no identity attached.
Why it happens
Local accounts are enabled unless you explicitly disable them, and disabling them requires the cluster to have Entra ID integration configured first, so the default survives on clusters created before that integration was wired up, and on plenty created after. The --admin flag is also genuinely useful: it is the standard break-glass move when Entra sign-in misbehaves or someone locks themselves out of RBAC, so teams keep it "just in case."
The trap is what that convenience costs. The admin kubeconfig is a bearer credential: it bypasses Entra authentication, conditional access, MFA, and Kubernetes RBAC bindings tied to identities. It gets copied into CI variables, laptops, and wikis, and none of your identity tooling knows it exists. Offboarding an engineer or rotating an Entra credential does nothing to it.
What it costs / blast radius
The blast radius is full, anonymous control of the cluster. Every copy of the admin kubeconfig is cluster-admin: read every Secret, exec into every pod, deploy anything, and the audit log attributes it to the shared local identity rather than a person. There is no per-user revocation, taking one holder's access away means rotating the cluster's certificates and re-issuing for everyone. Combined with a public API server (AZF-0073), a kubeconfig that leaked from a laptop backup or CI log is usable from anywhere on the internet. (Blast-radius assessment of Azure's default behavior, not a measured incident statistic.)
See it
resource aks 'Microsoft.ContainerService/managedClusters@2024-05-01' = {
name: 'prod-aks'
location: location
// ...identity and agentPoolProfiles omitted for brevity
properties: {
dnsPrefix: 'prod-aks'
// disableLocalAccounts not set — defaults to false.
// 'az aks get-credentials --admin' hands out a static
// cluster-admin kubeconfig with no identity behind it.
}
}resource aks 'Microsoft.ContainerService/managedClusters@2024-05-01' = {
name: 'prod-aks'
location: location
// ...identity and agentPoolProfiles omitted for brevity
properties: {
dnsPrefix: 'prod-aks'
aadProfile: {
managed: true // Entra ID integration (required first)
enableAzureRBAC: true // authorize with Azure RBAC role assignments
}
disableLocalAccounts: true // no more identity-less admin kubeconfigs
}
}How StratoLens helps
StratoLens flags every AKS cluster that still allows local accounts, automatically and continuously, across all your subscriptions. Instead of wondering which clusters have an untraceable admin kubeconfig floating around, you get the list, and you see when the setting changes.