---
controls:
version: "aks-1.0"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 2.1
    text: "Authentication and Authorization"
    checks:
      - id: 2.1.1
        text: "Enable Azure Active Directory Integration"
        type: "manual"
        remediation: |
          Use of OIDC should be implemented in place of client certificates. Cluster administrators can configure Kubernetes role-based access control (RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. See https://docs.microsoft.com/en-us/azure/aks/managed-aad.
        scored: false
      - id: 2.1.2
        text: "Limit access to cluster configuration file"
        type: "manual"
        remediation: |
          Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS). See https://docs.microsoft.com/en-us/azure/aks/control-kubeconfig-access
        scored: false

  - id: 2.2
    text: "Logging"
    checks:
      - id: 2.2.1
        text: "Enable logging for the Kubernetes master components"
        type: "manual"
        remediation: "Enable log collection for the Kubernetes master components in the AKS cluster using Diagnostic settings."
        scored: false