Problem with this command: kubectl get nodes

Question

I am learning AKS. I just set it up and trying to run this command from my local Azure CLI:

az login

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

kubectl get nodes

And I got this error:

Error from server (Forbidden): nodes is forbidden: User "xxxxxxxxxxxxxxxxxxxxxxx" cannot list resource "nodes" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access.

The user is myself who is the owner of this Azure subscription. I also add the owner role in AKS. What else to do to fix this issue?

Answer 1

The error message indicates that the Azure user associated with your Azure CLI session (the user represented by "xxxxxxxxxxxxxxxxxxxxxxx") does not have the necessary permissions to list resources of type "nodes" in the Kubernetes cluster.

To resolve this issue, you need to ensure that the Azure user has the appropriate RBAC (Role-Based Access Control) permissions in the AKS (Azure Kubernetes Service) cluster. Here are the steps to grant the necessary permissions:

1. Check RBAC Role Assignment: Verify the RBAC role assignment for your Azure user in the AKS cluster. You need to ensure that the user has the appropriate role (e.g., Azure Kubernetes Service Cluster User) assigned to the AKS resource.

az role assignment list --resource-group <yourResourceGroup> --assignee <userObjectId>

Replace <yourResourceGroup> with the name of your AKS resource group, and <userObjectId> with the Object ID of your Azure user.

2. Assign RBAC Role: If the user does not have the necessary role assignment, assign the Azure Kubernetes Service Cluster User role to the user:

az role assignment create --role "Azure Kubernetes Service Cluster User" --assignee <userObjectId> --scope <aksResourceID>

Replace <userObjectId> with the Object ID of your Azure user, and <aksResourceID> with the full resource ID of your AKS cluster (e.g., /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ContainerService/managedClusters/{aksClusterName}).

3. Wait for Propagation: It may take a few minutes for the role assignment to propagate. After making the assignment, wait for a short period before attempting to access the AKS cluster again.

---

hth Marcin

Answer 2

Hi gil,

To solve your issue , you need first to identify the Authentication and Authorization mechanism used by your cluster: Azure portal > AKS Cluster > Settings > Cluster Configuration

These are the 3 option to link the cluster admin role to your account:

• For Azure AD Authentication with Kubernetes RBAC: You only need to add your user to the group that is bind to the Cluster Admin Role:
• For Azure AD authentication with Azure RBAC: You need to add your user to RBAC of AKS as you already try. the role is : Azure Kubernetes Service Cluster User Role
• For Local accounts with Kubernetes RBAC: In this case is completely managed by Kubernetes, I recommend you to move to any of the other configurations, but if you are trying to test this config you can follow here this guied: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-kubernetes-service-rbac-options-in-practice/ba-p/3684275

Important: In all of the cases be sure to clean your $Kubeconfig cache before retry to use kubectl. Otherwise you will continue receiving the error.

Let me know if you have further doubts,

Luis