[Question] Default for "Authentication and Authorization" on Production-Standard #4680
Describe scenario
I'm looking through the different cluster preset configurations for AKS, and I see that "Production Economy" defaults to "Microsoft Entra ID authentication with Azure RBAC", while "Production Standard" defaults to "Local accounts with Kubernetes RBAC". AFAIK the latter gives cluster-admin even when retrieving and using the "ClusterUser" credentials...

Question
Shouldn't "Production Standard" (which IMO is a "better" tier than Economy) default to something that isn't insecure by default?

Comments

@Azure/aks-portal, @smsft, @aritraghosh, would you be able to assist?

Yes, the default in the Azure portal for Production Standard needs to be Entra authentication + Azure RBAC for authorization. Adding @chandraneel and @nanunna for next steps.

Thank you for your feedback on the preset configuration selections for AKS clusters. Security is always our top priority when making these choices. For the "Production Standard" preset, we defaulted to "Local accounts with Kubernetes RBAC" to ensure that every customer can use the AKS cluster directly in the Portal without requiring additional configuration, which could block access and lead to a poor first-time experience. If a customer were never to choose a cluster preset configuration, this is the experience that would be provided. We recognize that this approach might not align with every customer's expectation of enhanced security in higher-tier presets, which is why we created additional presets to give more options/considerations. Your feedback highlights an area we should investigate more. We value your input as it helps us improve, and we will consider how to better package default configurations.

Thank you for your reply @MattDePietro1.
If the above is true, then you at least should've fixed the broken design of giving both clusterUser and clusterAdmin the same rights, as it might not be clear to users that this is the case. According to this thread, Microsoft Support has said that "both users will have same permissions when using only RBAC, but this is by design."
So if I understand you correctly: you would rather have users deploy AKS "production" clusters with insecure RBAC enabled by default, because it could give a "poor first-time experience"? When Production Standard (again, Production Economy has Entra ID by default) is the only tier except test/dev that has this enabled, I had hoped this was something you had overlooked, and not taken an active choice about...
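The two modes discussed in this issue, "Local accounts with Kubernetes RBAC" and "Microsoft Entra ID authentication with Azure RBAC", can be read directly off a cluster's resource document. Below is an added example (not code from the issue, from AKS, or from the Azure CLI) that classifies the JSON returned by `az aks show -g <rg> -n <name> -o json`, flags a cluster still in the local-accounts mode, and builds the `az aks update` command that moves it to Entra ID + Azure RBAC with local accounts disabled. Field names follow the ManagedCluster resource as the CLI prints it (`enableRbac`, `disableLocalAccounts`, `aadProfile.managed`, `aadProfile.enableAzureRbac`); the two sample documents, the resource group name and the admin group object ID are constructed for illustration.

```python
"""Audit an AKS cluster's authentication/authorization posture.

Added example for this issue thread; not code from the issue, from AKS, or
from the Azure CLI. Input is the JSON that `az aks show -g <rg> -n <name> -o json`
returns. Field names follow the ManagedCluster resource as the CLI prints it.
The sample documents at the bottom are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AuthPosture:
    mode: str                      # label matching the portal preset wording
    local_accounts: bool           # True if static clusterUser/clusterAdmin credentials are issued
    findings: List[str] = field(default_factory=list)


def classify(cluster: dict) -> AuthPosture:
    """Map one cluster document to its auth/authz mode and list the weak spots."""
    aad = cluster.get("aadProfile") or {}
    managed_entra = bool(aad.get("managed"))
    azure_rbac = bool(aad.get("enableAzureRbac"))
    k8s_rbac = bool(cluster.get("enableRbac", True))
    local_accounts = not bool(cluster.get("disableLocalAccounts", False))

    findings: List[str] = []
    if not managed_entra:
        mode = "Local accounts with Kubernetes RBAC" if k8s_rbac else "Local accounts without RBAC"
        findings.append("no Entra ID integration: authentication is by static client certificate only")
    elif azure_rbac:
        mode = "Microsoft Entra ID authentication with Azure RBAC"
    else:
        mode = "Microsoft Entra ID authentication with Kubernetes RBAC"

    if local_accounts:
        # With local accounts on, `az aks get-credentials` (with or without --admin)
        # still hands out a certificate credential that never goes through Entra ID
        # sign-in; the thread quotes support as saying clusterUser and clusterAdmin
        # carry the same permissions in the local-accounts mode.
        findings.append("local accounts enabled: certificate credentials bypass Entra ID")
    if not k8s_rbac:
        findings.append("Kubernetes RBAC disabled: every authenticated principal is unrestricted")
    return AuthPosture(mode, local_accounts, findings)


def remediation(cluster: dict, resource_group: str, admin_group_object_id: str) -> Optional[str]:
    """Build the `az aks update` command that moves the cluster to Entra ID + Azure RBAC
    and disables local accounts, adding only the flags still needed. Returns None when
    the cluster is already in the target state. Assumes enableRbac is true, as in both
    presets discussed in the issue."""
    aad = cluster.get("aadProfile") or {}
    flags: List[str] = []
    if not aad.get("managed"):
        # AKS-managed Entra integration; the admin group is the break-glass cluster admin.
        flags += ["--enable-aad", f"--aad-admin-group-object-ids {admin_group_object_id}"]
    if not aad.get("enableAzureRbac"):
        flags.append("--enable-azure-rbac")
    if not cluster.get("disableLocalAccounts", False):
        flags.append("--disable-local-accounts")
    if not flags:
        return None
    return f"az aks update -g {resource_group} -n {cluster['name']} " + " ".join(flags)


# Constructed sample: the "Production Standard" default described in the issue.
SAMPLE_PROD_STANDARD = json.loads("""{
  "name": "prod-standard-demo",
  "enableRbac": true,
  "disableLocalAccounts": false,
  "aadProfile": null
}""")

# Constructed sample: the hardened target state (Entra ID + Azure RBAC, local accounts off).
SAMPLE_HARDENED = json.loads("""{
  "name": "prod-hardened-demo",
  "enableRbac": true,
  "disableLocalAccounts": true,
  "aadProfile": {"managed": true, "enableAzureRbac": true,
                 "adminGroupObjectIDs": ["11111111-1111-1111-1111-111111111111"]}
}""")

if __name__ == "__main__":
    for sample in (SAMPLE_PROD_STANDARD, SAMPLE_HARDENED):
        posture = classify(sample)
        print(f"{sample['name']}: {posture.mode}")
        for finding in posture.findings:
            print(f"  - {finding}")
        cmd = remediation(sample, "my-rg", "11111111-1111-1111-1111-111111111111")
        print(f"  fix: {cmd}" if cmd else "  fix: none needed")
```

To check a real cluster, save `az aks show -g <rg> -n <name> -o json` to a file and pass `json.load(...)` of it to `classify`. To confirm the clusterUser-is-admin behaviour the issue describes on a local-accounts cluster, fetch credentials with `az aks get-credentials` without `--admin` and run `kubectl auth can-i '*' '*'`; an answer of `yes` means that non-admin credential is effectively cluster-admin.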