Do you have enableAzureRBAC turned on? Notice how it is different from enableRBAC.
Azure RBAC and AKS not working as expected
Hello,
I have created an AKS Cluster with AKS-managed Azure Active Directory and Role-based access control (RBAC) enabled.
If I try to connect with the Cluster by using one of the accounts which are included in the Admin Azure AD groups everything works as it should.
I am having some difficulties when I try to do this with a user which is not a member of the Admin Azure AD groups. What I did is the following:
- created a new user
- assigned the roles Azure Kubernetes Service Cluster User Role and Azure Kubernetes Service RBAC Reader to this user.
- executed the following command: az aks get-credentials --resource-group RG1 --name aksttest
When I then execute the following command: kubectl get pods -n test, I get the following error: Error from server (Forbidden): pods is forbidden: User "aksthree@tenantname.onmicrosoft.com" cannot list resource "pods" in API group "" in the namespace "test"
In the Cluster I haven't done any RoleBinding. According to the documentation from Microsoft, there is no additional task that should be done in the Cluster (like, for example, a Role definition and RoleBinding).
My expectation is that when a user has the above two roles assigned he should be able to have read rights in the Cluster. Am I doing something wrong?
Please let me know what you think,
Thanks in advance,
Mile
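The symptom in the question (an Azure AD user holding "Azure Kubernetes Service Cluster User Role" and "Azure Kubernetes Service RBAC Reader" but still getting Forbidden) is decided by one cluster property: aadProfile.enableAzureRbac. With AKS-managed Azure AD but Azure RBAC off, the API server only evaluates Kubernetes RBAC objects, so the Azure "RBAC Reader" assignment is never consulted and "Cluster User Role" does nothing more than allow az aks get-credentials. The following diagnostic script is an added example, not code from the thread or from Microsoft; it assumes the az CLI and kubectl are installed and logged in with an admin context, reuses the resource group, cluster, namespace and UPN from the question, and treats the subscription id as a placeholder.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Assumes az CLI + kubectl are
# installed and authenticated; RG1/aksttest/test/the UPN come from the question.

RG="${RG:-RG1}"
CLUSTER="${CLUSTER:-aksttest}"
NAMESPACE="${NAMESPACE:-test}"
UPN="${UPN:-aksthree@tenantname.onmicrosoft.com}"

# Pure function: map the value of aadProfile.enableAzureRbac (as printed by
# `az aks show ... -o tsv`) to the authorization path the API server uses.
rbac_path() {
  case "$1" in
    true|True)       echo "azure-rbac" ;;        # Azure role assignments are honoured
    false|False|"")  echo "kubernetes-rbac" ;;   # only Role/RoleBinding objects count
    *)               echo "unknown"; return 1 ;;
  esac
}

# Pure function: build the scope for a namespace-scoped Azure role assignment.
# Azure RBAC for Kubernetes accepts a ".../managedClusters/<name>/namespaces/<ns>" scope,
# which is how "RBAC Reader" can be limited to one namespace instead of the whole cluster.
# $1 subscription id, $2 resource group, $3 cluster name, $4 namespace
namespace_scope() {
  echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.ContainerService/managedClusters/$3/namespaces/$4"
}

# Live checks against the real cluster; only run when RUN_LIVE=1.
check_cluster() {
  sub=$(az account show --query id -o tsv)
  k8srbac=$(az aks show -g "$RG" -n "$CLUSTER" --query enableRbac -o tsv)
  azrbac=$(az aks show -g "$RG" -n "$CLUSTER" --query aadProfile.enableAzureRbac -o tsv)
  path=$(rbac_path "$azrbac")
  echo "enableRbac=$k8srbac enableAzureRbac=$azrbac -> $path"

  case "$path" in
    azure-rbac)
      # Show what the user actually holds at namespace scope (inherited from cluster/RG/sub too)
      az role assignment list --assignee "$UPN" --include-inherited \
        --scope "$(namespace_scope "$sub" "$RG" "$CLUSTER" "$NAMESPACE")" -o table
      ;;
    kubernetes-rbac)
      echo "Azure role assignments such as 'Azure Kubernetes Service RBAC Reader' are not evaluated;"
      echo "either enable Azure RBAC (az aks update -g $RG -n $CLUSTER --enable-azure-rbac)"
      echo "or create a Role/RoleBinding for $UPN inside the cluster."
      ;;
  esac

  # Ask the API server directly, impersonating the user from an admin context.
  kubectl auth can-i list pods -n "$NAMESPACE" --as "$UPN" || true
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  check_cluster
fi
```

Run it as RUN_LIVE=1 sh check-aks-rbac.sh; the pure functions can be sourced and exercised without a cluster. The kubectl auth can-i line is the fastest way to confirm what the API server will answer for the user before and after any change.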
Mile Mitsev 21 Reputation points
2021-10-22T12:41:31.113+00:00 Hi VarunSharma-4299,
That did the trick. It is working as expected now.
Thank you for your help.
Best Regards,
Mile
Mile Mitsev 21 Reputation points
2021-10-20T13:12:32.393+00:00 Hi Shiva,
Thank you for the quick answer.
Once I create the Role definition and Role Binding in the cluster, things work as they should. When I enabled the RBAC for the cluster, a Cluster Role Binding was created in the Cluster.
This is however not the case when I assigned the above mentioned roles to my test user. I am not sure if this is a bug or not.
Please let me know what you think.
Thanks again,
BR
Mile
shiva patpi 13,141 Reputation points Microsoft Employee
2021-10-19T23:44:42.7+00:00 Hello @Mile Mitsev,
I was able to repro the exact issue in my subscription but after following the document
https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac#create-the-aks-cluster-resources-for-sres
and providing the ClusterRoleBinding to the set of users, I was able to access it. Here is the sample YAML file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: username@something.com
Having said that, I will do some additional research on this and will follow up accordingly to get that document updated with some additional steps.
Regards,
Shiva.
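The ClusterRoleBinding in the answer above solves the Forbidden error by binding the user to the cluster-admin ClusterRole cluster-wide, which is far more than the question asked for (listing pods in one namespace). The script below is an added example, not Shiva's or Microsoft's code: it builds a namespaced Role plus RoleBinding that grants exactly read access to pods in "test" for the user from the question, applies it, and then impersonates the user to verify that the intended request succeeds and that out-of-scope requests (delete, other namespaces) are still denied. It assumes kubectl is pointed at the cluster with an admin context; the Role and binding names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege alternative to a
# cluster-admin ClusterRoleBinding. Assumes an admin kubectl context.

# Pure function: emit a Role + RoleBinding manifest for read-only pod access.
# $1 = namespace, $2 = Azure AD user principal name (the User "name" the
# AKS-managed AAD integration presents to the API server).
readonly_pods_manifest() {
  ns="$1"; upn="$2"
  # Binding name is derived from the local part of the UPN (hypothetical naming scheme).
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-${upn%%@*}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${upn}
EOF
}

# Pure function: number of top-level objects in a manifest (sanity check before apply).
manifest_doc_count() { printf '%s\n' "$1" | grep -c '^kind:'; }

# Apply the manifest, then confirm the effective permissions by impersonation.
apply_and_verify() {
  ns="$1"; upn="$2"
  readonly_pods_manifest "$ns" "$upn" | kubectl apply -f -
  kubectl auth can-i list pods   -n "$ns"    --as "$upn"            # expected: yes
  kubectl auth can-i delete pods -n "$ns"    --as "$upn" || true    # expected: no
  kubectl auth can-i list pods   -n default  --as "$upn" || true    # expected: no
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  apply_and_verify "${NAMESPACE:-test}" "${UPN:-aksthree@tenantname.onmicrosoft.com}"
fi
```

Run with RUN_LIVE=1 NAMESPACE=test UPN=aksthree@tenantname.onmicrosoft.com sh pod-reader.sh. The three kubectl auth can-i lines are the check worth keeping in a runbook: they show the API server's own answer for the user, so a binding that is too broad (or, as in the question, missing entirely) is visible without logging in as that user.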