Your organization or enterprise needs to design security settings that meet its requirements. Identity and access management covers multiple aspects, including cluster identities, workload identities, and operator access.
- Decide which cluster identity is used (managed identity or service principal).
- Decide how to authenticate cluster access (client certificate-based or Azure Active Directory).
- Decide on a multitenancy cluster and how to set up role-based access control (RBAC) in Kubernetes.
- Decide on a method for isolation (namespace, network policy, compute (node pool), or cluster).
- Decide about Kubernetes RBAC roles and compute allocation per application team for isolation.
- Decide whether application teams can read other workloads in their cluster or in other clusters.
- Decide about custom Azure RBAC roles for your AKS landing zone.
- Decide what permissions are needed for the site reliability engineering (SRE) role to administer/troubleshoot the whole cluster.
- Decide what permissions are needed for SecOps.
- Decide what permissions are needed for the landing zone owner.
- Decide what permissions are needed for the application teams to deploy into the cluster.
- Decide whether you need workload identities (Azure AD pod identities). They might be needed for Azure services like Azure Key Vault integration, Azure Cosmos DB, and others.
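The following manifests are an added example, not part of the original page or Microsoft's reference implementation. They show how several of the decisions above fit together when namespace is chosen as the isolation boundary: a namespace-scoped Role for an application team's deploy permissions, a cluster-wide read-only ClusterRole for the SRE troubleshooting role, and a NetworkPolicy that keeps traffic inside the team's namespace. The namespace name `team-a`, the role names, and the Azure AD group object IDs are placeholders; on an Azure AD-integrated cluster, the `Group` subject name is the Azure AD group's object ID.

```yaml
# Added example (not from the original page). All names and group object IDs are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Role: what the application team may do, limited to its own namespace.
# Secrets are deliberately omitted so that secret material is obtained through
# workload identity (for example, Key Vault integration) rather than kubectl.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-deployer
  namespace: team-a
rules:
  - apiGroups: ["", "apps"]
    resources: ["deployments", "replicasets", "pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# RoleBinding: grant the Role to the team's Azure AD group (placeholder object ID).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-deployers
  namespace: team-a
subjects:
  - kind: Group
    name: "00000000-0000-0000-0000-000000000001"  # placeholder: application team group object ID
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-deployer
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole: read-only troubleshooting across the whole cluster for the SRE role.
# No write verbs, so SRE can inspect every workload without being able to change it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sre-troubleshooter
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["namespaces", "nodes", "pods", "pods/log", "events", "deployments", "replicasets", "jobs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-troubleshooters
subjects:
  - kind: Group
    name: "00000000-0000-0000-0000-000000000002"  # placeholder: SRE group object ID
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: sre-troubleshooter
  apiGroup: rbac.authorization.k8s.io
---
# NetworkPolicy: pods in team-a accept ingress only from other pods in team-a.
# An empty podSelector selects every pod in the namespace; the single ingress rule
# with an empty podSelector in "from" allows same-namespace traffic and nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-namespace
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}
```

Two checks are worth running after applying these. First, `kubectl auth can-i list pods -n team-a --as=someone --as-group=<team group object ID>` should return `yes`, while the same query against another team's namespace should return `no`; the same command with the SRE group and a verb such as `delete` should also return `no`. Second, the NetworkPolicy only takes effect if a network policy engine is enabled on the cluster; on a cluster without one, the object is accepted but enforces nothing, so verify with a test pod in another namespace that cross-namespace connections to `team-a` are actually refused.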