This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 4%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
How to remove label from a cluster role binding.
I have a clusterrolebinding that I needed to update by removing one of the subjects --> user. If I edit or delete, the cluster role bindings, it is getting recreated. I am assuming that is because it has a label "addonmanager.kubernetes.io/mode: Reconcile". Updating the role binding to remove the label doesnt help either. It gets re-added.
I tried the following commands with no effect:
kubectl auth reconcile -f remove_clusterUser.yml
kubectl edit clusterrolebinding aks-cluster-admin-binding
Please let me know how do I update the clusterrolebinding without it getting reconciled.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Hi @VL
Thanks for posting your query on Microsoft Q&A. I am looking into it and will get back to you in sometime.
Hello @VL ,
Based on my understanding of your scenario, I see that you are trying to update content of AKS managed Kubernetes objects. This is not supported and thus AKS always tries to reconcile the values back to AKS supplied values.
You are seeing clusterUser as "admin", it typically means that you have not enabled AAD based authentication for the cluster. Let me know if that is not the case and I can investigate further.
All users that have access to az aks get-credential is considered admin, when AAD integration is not enabled.
So I would recommend that instead of removing user from the binding, you can enable AAD integration, which gives diverse identities to each user.
Reference documentation: https://learn.microsoft.com/en-us/azure/aks/managed-aad
https://learn.microsoft.com/en-us/azure/aks/faq
----------
If this answers your query, do click “Accept the answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread.
And, if you have any further query, do let me know in the comments.