C-0250 - Minimize cluster access to read-only for Azure Container Registry (ACR)
Prerequisites
Integrate with cloud provider (see here)
Framework
cis-aks-t1.2.0
Severity
Medium
Description of the the issue
The Cluster Service Account does not require administrative access to Azure ACR, only requiring pull access to containers to deploy onto Azure AKS. Restricting permissions follows the principles of least privilege and prevents credentials from being abused beyond the required role.
Related resources
What does this control test
Configure the Cluster Service Account with Storage Object Viewer Role to only allow read-only access to Azure Container Registry (ACR)
How to check it manually
Remediation
Impact Statement
A separate dedicated service account may be required for use by build servers and other robot users pushing or managing container images.
Default Value
Example
No example
Updated 4 months ago