Adding a group of users to a group with AKS permissions at resource group level fails to provide necessary permissions

Benjamin Mask 0 Reputation points
2024-05-27T17:51:56.1966667+00:00

If I correctly understand Azure then there are 3 scopes at which resource permissions can be applied:

  • Subscription
  • Resource Group
  • Resource

I have an AKS cluster, a group "AKS-Admins" (with all roles required to access the cluster applied at the scope of the resource group that the cluster is in), and then another group Team-B with a collection of users on that team. I put the Team-B group as a member of AKS-Admins but those users cannot access the cluster. If I check the access control on the cluster resource for those users, however, it does show that they have:
Azure Kubernetes Service Cluster Admin Role
and
Azure Kubernetes Service RBAC Cluster Admin

roles inherited.

What's going on?

1 answer

  1. akinbade abiola 18,130 Reputation points
    2024-05-27T18:35:22.9233333+00:00

    Hello Benjamin Mask,

    Thanks for your question.

    Based on the information you provided it may be a result of Kubernetes RBAC roles rather than Azure RBAC. To check this you can run the command below and confirm it for the affected group:

    kubectl get clusterrolebinding

    See external doc here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

    Also, you can further confirm the RBAC roles using the documentation here:

    https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac

    Please let me know if you have further questions.

    You can mark it 'Accept Answer' if this helped.
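As an added example (not part of the answer above and not Microsoft or Kubernetes project code), the script below does the check the answer suggests in a repeatable way: it reads the JSON that `kubectl get clusterrolebinding,rolebinding -A -o json` produces and reports every binding whose subjects include a given principal. On an AKS cluster with Entra ID integration, Group subjects in Kubernetes RBAC bindings are written as the group's object ID rather than its display name, so the thing to compare is the object ID of AKS-Admins (or Team-B) against the subject names in the bindings. The binding JSON and the object IDs embedded here are constructed placeholders so the script runs offline; replace them with real cluster output and real IDs when auditing.

```python
"""Audit which Kubernetes RBAC bindings apply to a given Entra ID group or user.

Input is the JSON produced by:
    kubectl get clusterrolebinding,rolebinding -A -o json
A constructed sample in that shape is embedded below so the script runs offline.
"""
import json

# Constructed sample output. The GUIDs are placeholders, not real tenant values.
AKS_ADMINS_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder: AKS-Admins object ID
TEAM_B_ID = "00000000-0000-0000-0000-00000000bbbb"      # placeholder: Team-B object ID

SAMPLE_BINDINGS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "aks-admins-cluster-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": AKS_ADMINS_ID}],
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": "team-b-view", "namespace": "team-b"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "Group", "name": TEAM_B_ID}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "system:basic-user"},
            "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
    ],
})


def bindings_for_subject(bindings_json, subject_name, subject_kind="Group"):
    """Return (binding kind, binding name, namespace or '*', role kind, role name)
    for every binding that names the given principal as a subject."""
    doc = json.loads(bindings_json)
    hits = []
    for item in doc.get("items", []):
        # `subjects` may be absent or null on bindings with no subjects.
        for subj in item.get("subjects") or []:
            if subj.get("kind") == subject_kind and subj.get("name") == subject_name:
                meta = item["metadata"]
                hits.append((
                    item["kind"],
                    meta["name"],
                    meta.get("namespace", "*"),  # ClusterRoleBindings have no namespace
                    item["roleRef"]["kind"],
                    item["roleRef"]["name"],
                ))
    return hits


def applicable_bindings(bindings_json, token_groups):
    """Given the group IDs a user actually carries (for example the `groups` claim
    of the token kubelogin obtained), return every binding that applies to any of them.
    A group that is bound in the cluster but missing from this list is the gap to look at."""
    seen = set()
    result = []
    for group in token_groups:
        for hit in bindings_for_subject(bindings_json, group, "Group"):
            if hit not in seen:
                seen.add(hit)
                result.append(hit)
    return result


if __name__ == "__main__":
    for gid, label in ((AKS_ADMINS_ID, "AKS-Admins"), (TEAM_B_ID, "Team-B")):
        print(f"{label} ({gid}):")
        for kind, name, ns, role_kind, role in bindings_for_subject(SAMPLE_BINDINGS_JSON, gid):
            print(f"  {kind} {name} ns={ns} -> {role_kind}/{role}")
```

To use it against a real cluster, replace `SAMPLE_BINDINGS_JSON` with the file written by `kubectl get clusterrolebinding,rolebinding -A -o json > bindings.json` and pass the object IDs of the groups you expect to be authorized; if a user's token only lists Team-B and the cluster only binds AKS-Admins, `applicable_bindings` will show that none of the admin bindings apply to that token.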
