Default Local Admin Configuration
AKS clusters are created with local admin account enabled by default, providing a static credential path that bypasses Azure AD authentication and RBAC controls for administrative access.
Azure Kubernetes Service (AKS) clusters with local admin accounts enabled create a security weakness: the local account is a static, unrestricted administrative credential that bypasses Azure AD integration and RBAC. If that credential is compromised it grants full cluster control, and actions taken with it are not tied to an Azure AD identity, so the audit trail is weaker than for Azure AD users.
```hcl
# VULNERABLE: AKS cluster with local admin account enabled
resource "azurerm_kubernetes_cluster" "vulnerable_aks" {
  name                = "vulnerable-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "vulnerable-aks"

  # VULNERABLE: Local admin account enabled (default)
  # local_account_disabled = false # This is the default

  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_B2s"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    environment = "production"
  }
}

# VULNERABLE: Production cluster with local admin explicitly enabled
resource "azurerm_kubernetes_cluster" "vulnerable_prod" {
  name                = "prod-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "prod-aks"

  # VULNERABLE: Explicitly enabling local admin
  local_account_disabled = false

  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D4s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    environment = "production"
  }
}
```

```hcl
# SECURE: AKS cluster with local admin disabled
resource "azurerm_kubernetes_cluster" "secure_aks" {
  name                = "secure-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "secure-aks"

  # SECURE: Disable local admin account. AKS only accepts this when
  # AKS-managed Azure AD integration is enabled, so the block below is required.
  local_account_disabled = true

  azure_active_directory_role_based_access_control {
    managed            = true # needed on azurerm 3.x; drop on azurerm 4.x, where it is implied
    azure_rbac_enabled = true
    # Placeholder: object ID of the Azure AD group that gets cluster-admin
    admin_group_object_ids = ["<AZURE-AD-ADMIN-GROUP-OBJECT-ID>"]
  }

  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_B2s"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    environment = "production"
  }
}

# SECURE: Production cluster without local admin
resource "azurerm_kubernetes_cluster" "secure_prod" {
  name                = "secure-prod-aks-cluster"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "secure-prod-aks"

  # SECURE: Local admin disabled; Azure AD integration is required alongside it
  local_account_disabled = true

  azure_active_directory_role_based_access_control {
    managed            = true # needed on azurerm 3.x; drop on azurerm 4.x
    azure_rbac_enabled = true
    # Placeholder: object ID of the Azure AD admin group
    admin_group_object_ids = ["<AZURE-AD-ADMIN-GROUP-OBJECT-ID>"]
  }

  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D4s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    environment = "production"
  }
}
```

The vulnerable examples show AKS clusters with local admin accounts enabled, either by relying on the default or by setting it explicitly, which leaves a static administrative credential that bypasses Azure AD authentication. The secure alternative disables local accounts, implements Azure AD integration with RBAC, uses group-based access control, and includes comprehensive security configurations like API server access restrictions and monitoring.
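A way to catch this misconfiguration before `terraform apply`, as an added example that is not Sourcery's or the page's own code: the check below reads the `planned_values` section of `terraform show -json` output and flags every `azurerm_kubernetes_cluster` whose `local_account_disabled` is not `true`, treating a missing attribute as vulnerable because the provider default is `false`. The sample plan and the group object ID in it are constructed for the example.

```python
"""Flag azurerm_kubernetes_cluster resources in a `terraform show -json` plan that
keep the local admin account. Added example, not Sourcery's or the page's code."""
import json

# Constructed sample of the planned_values section of a Terraform plan JSON,
# trimmed to the attributes this check reads. The object ID is a placeholder.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "azurerm_kubernetes_cluster.vulnerable_aks",
     "type": "azurerm_kubernetes_cluster",
     "values": {"local_account_disabled": False,  # provider default
                "azure_active_directory_role_based_access_control": []}},
    {"address": "azurerm_kubernetes_cluster.secure_aks",
     "type": "azurerm_kubernetes_cluster",
     "values": {"local_account_disabled": True,
                "azure_active_directory_role_based_access_control": [
                    {"azure_rbac_enabled": True,
                     "admin_group_object_ids": ["00000000-0000-0000-0000-000000000000"]}]}},
    {"address": "azurerm_kubernetes_cluster.no_aad",
     "type": "azurerm_kubernetes_cluster",
     "values": {"local_account_disabled": True,
                "azure_active_directory_role_based_access_control": []}},
]}}})

def iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_local_admin_clusters(plan_json):
    """Return (address, reason) for each AKS cluster that is not safely configured.
    A missing local_account_disabled counts as vulnerable: the default is false."""
    findings = []
    plan = json.loads(plan_json)
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "azurerm_kubernetes_cluster":
            continue
        values = res.get("values") or {}
        if values.get("local_account_disabled") is not True:
            findings.append((res["address"], "local_account_disabled is not true"))
        elif not values.get("azure_active_directory_role_based_access_control"):
            # AKS rejects local_account_disabled = true without Azure AD integration.
            findings.append((res["address"], "no azure_active_directory_role_based_access_control block"))
    return findings

if __name__ == "__main__":
    for address, reason in find_local_admin_clusters(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and feed the file contents to `find_local_admin_clusters`.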
Sourcery automatically identifies authorization bypass due to an enabled local admin account in an AKS cluster in Terraform, along with many other security issues in your codebase.