RBAC requirements for Control Plane / Kubelet omit mention that Contributor is required and will be self-assigned
We've recently discovered AKS is incapable of operating in a least-privilege model. When deployed using Managed Identities which have been assigned the required RBAC actions, the service still attempts to self-escalate to Contributor.
By assigning Contributor to a Managed Identity that MI becomes an attack vector to our enterprise. For this reason we do not allow Contributor -- period, and due to this undocumented requirement it means AKS is not viable in a least-privilege mode.
Please revise the documentation to include all roles required as part of operating in a Bring Your Own Identity model.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 92b18eba-07a5-dbbf-b697-0264e326f4d4
- Version Independent ID: 8c025ef6-38a6-eca5-7729-8f040fbbbe10
- Content: Concepts - Access and identity in Azure Kubernetes Services (AKS) - Azure Kubernetes Service
- Content Source: articles/aks/concepts-identity.md
- Service: azure-kubernetes-service
- GitHub Login: @palma21
- Microsoft Alias: jpalma
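The issue above describes an undocumented Contributor assignment appearing on the cluster's managed identities. The script below is an added example (not part of this thread and not Microsoft's or AKS's own tooling) showing how a defender can audit what roles an identity actually holds against the set they expected to grant. It assumes the JSON shape produced by `az role assignment list --assignee <principalId> --all -o json` (objects carrying `roleDefinitionName`, `roleDefinitionId`, `principalId` and `scope`); the subscription, resource-group and principal IDs in the sample are constructed placeholders, and the allow-list of expected roles is an assumption to be replaced with whatever the documentation ends up requiring.

```python
"""Audit Azure role assignments held by an AKS managed identity and flag
anything outside a least-privilege allow-list (added example, not AKS code)."""
import json

# Well-known Azure built-in role definition IDs (last segment of roleDefinitionId).
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
BROAD_ROLE_IDS = {CONTRIBUTOR_ROLE_ID: "Contributor", OWNER_ROLE_ID: "Owner"}

# Constructed sample in the shape of `az role assignment list --assignee <id> --all -o json`.
# All subscription / resource group / principal IDs below are placeholders, not real values.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_ROLE_DEFS = _SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE_ASSIGNMENTS = json.dumps([
    {   # expected: control-plane identity needs network access to the node subnet
        "roleDefinitionName": "Network Contributor",
        "roleDefinitionId": _ROLE_DEFS + "4d97b98b-1d4f-4787-a291-c67834d212e7",
        "principalId": "11111111-1111-1111-1111-111111111111",
        "scope": _SUB + "/resourceGroups/rg-aks/providers/Microsoft.Network/virtualNetworks/vnet/subnets/nodes",
    },
    {   # expected: control-plane identity must be able to operate the kubelet identity
        "roleDefinitionName": "Managed Identity Operator",
        "roleDefinitionId": _ROLE_DEFS + "f1a07417-d97a-45cb-824c-7a7467783830",
        "principalId": "11111111-1111-1111-1111-111111111111",
        "scope": _SUB + "/resourceGroups/rg-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kubelet-mi",
    },
    {   # unexpected: broad built-in role on the node resource group
        "roleDefinitionName": "Contributor",
        "roleDefinitionId": _ROLE_DEFS + CONTRIBUTOR_ROLE_ID,
        "principalId": "11111111-1111-1111-1111-111111111111",
        "scope": _SUB + "/resourceGroups/MC_rg-aks_cluster_region",
    },
    {   # unexpected: a custom role (constructed name) nobody put on the allow-list
        "roleDefinitionName": "Custom AKS Operator",
        "roleDefinitionId": _ROLE_DEFS + "ffffffff-ffff-ffff-ffff-ffffffffffff",
        "principalId": "11111111-1111-1111-1111-111111111111",
        "scope": _SUB,
    },
])


def audit_assignments(assignments_json: str, expected_roles: set[str]) -> list[dict]:
    """Return one finding per assignment that is either a broad built-in role
    (matched by role definition ID, so a renamed custom role cannot hide it)
    or a role name absent from the documented allow-list."""
    findings = []
    for a in json.loads(assignments_json):
        role_name = a.get("roleDefinitionName", "")
        role_id = a.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        if role_id in BROAD_ROLE_IDS:
            reason = f"broad built-in role {BROAD_ROLE_IDS[role_id]}"
        elif role_name not in expected_roles:
            reason = "role not in the documented allow-list"
        else:
            continue
        findings.append({
            "role": role_name,
            "principalId": a.get("principalId"),
            "scope": a.get("scope"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    # Allow-list is an assumption for the demo; replace with the documented role set.
    expected = {"Network Contributor", "Managed Identity Operator"}
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, expected):
        print(f"[{finding['reason']}] {finding['role']} at {finding['scope']}")
```

Run it against real output by piping `az role assignment list --assignee <principalId> --all -o json` into `audit_assignments`; matching the broad roles by definition ID rather than display name is deliberate, because a custom role can carry any name but the built-in Contributor and Owner IDs are fixed.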
@SWolfeCAI Thanks for your feedback! We will investigate and update as appropriate.
Thank you, this was confirmed with Microsoft SMEs - Michael Withrow (AKS Security Lead, if I recall), and Lukman Balunywa, our consulting Cloud Architect.
@SWolfeCAI We are going to close this thread as resolved but if there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.
This has not been completed; we are still finding that Contributor is required and undocumented.
Please re-open this until the documentation is accurate, or until AKS is capable of running with a reasonable set of documented permissions.