Problem with this command: kubectl get nodes

gil 0 Reputation points
2024-03-10T16:09:49.1033333+00:00

I am learning AKS. I just set it up and trying to run this command from my local Azure CLI:

az login

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

kubectl get nodes

And I got this error:

Error from server (Forbidden): nodes is forbidden: User "xxxxxxxxxxxxxxxxxxxxxxx" cannot list resource "nodes" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access.

The user is myself who is the owner of this Azure subscription. I also add the owner role in AKS. What else to do to fix this issue?

Access
Access
A family of Microsoft relational database management systems designed for ease of use.
400 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,158 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marcin Policht 26,235 Reputation points MVP
    2024-03-10T16:20:05.77+00:00

    The error message indicates that the Azure user associated with your Azure CLI session (the user represented by "xxxxxxxxxxxxxxxxxxxxxxx") does not have the necessary permissions to list resources of type "nodes" in the Kubernetes cluster.

    To resolve this issue, you need to ensure that the Azure user has the appropriate RBAC (Role-Based Access Control) permissions in the AKS (Azure Kubernetes Service) cluster. Here are the steps to grant the necessary permissions:

    1. Check RBAC Role Assignment: Verify the RBAC role assignment for your Azure user in the AKS cluster. You need to ensure that the user has the appropriate role (e.g., Azure Kubernetes Service Cluster User) assigned to the AKS resource.
    az role assignment list --resource-group <yourResourceGroup> --assignee <userObjectId>
    

    Replace <yourResourceGroup> with the name of your AKS resource group, and <userObjectId> with the Object ID of your Azure user.

    1. Assign RBAC Role: If the user does not have the necessary role assignment, assign the Azure Kubernetes Service Cluster User role to the user:
    az role assignment create --role "Azure Kubernetes Service Cluster User" --assignee <userObjectId> --scope <aksResourceID>
    

    Replace <userObjectId> with the Object ID of your Azure user, and <aksResourceID> with the full resource ID of your AKS cluster (e.g., /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ContainerService/managedClusters/{aksClusterName}).

    1. Wait for Propagation: It may take a few minutes for the role assignment to propagate. After making the assignment, wait for a short period before attempting to access the AKS cluster again.

    hth Marcin

    0 comments No comments

  2. Luis Arias 7,376 Reputation points
    2024-03-10T17:35:58.5333333+00:00

    Hi gil,

    To solve your issue , you need first to identify the Authentication and Authorization mechanism used by your cluster: Azure portal > AKS Cluster > Settings > Cluster Configuration

    User's image

    These are the 3 option to link the cluster admin role to your account:

    • For Azure AD Authentication with Kubernetes RBAC: You only need to add your user to the group that is bind to the Cluster Admin Role: User's image
    • For Azure AD authentication with Azure RBAC: You need to add your user to RBAC of AKS as you already try. the role is : Azure Kubernetes Service Cluster User Role
    • For Local accounts with Kubernetes RBAC: In this case is completely managed by Kubernetes, I recommend you to move to any of the other configurations, but if you are trying to test this config you can follow here this guied: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-kubernetes-service-rbac-options-in-practice/ba-p/3684275

    Important: In all of the cases be sure to clean your $Kubeconfig cache before retry to use kubectl. Otherwise you will continue receiving the error.

    Let me know if you have further doubts,

    Luis

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.