namespace permission

Niren Adhikary (NAD) 146 Reputation points


How to assign Azure Kubernetes Service RBAC Admin role to Service Principal and Azure AD Group for a particular namespace?

I tried following to assign myself the Azure Kubernetes Service RBAC Admin role on the specific namespace.

How do I replace myid@xyz .com to Service Principal Id or Azure AD Group ?

  1. Enable Managed Identity:
    az aks update -g myaksclusterrg -n myakscluster --enable-aad --aad-admin-group-object-ids XXXXX
  2. Enable Azure RBAC
    az aks update -g myaksclusterrg -n myakscluster --enable-azure-rbac
  3. az role assignment create --role "Azure Kubernetes Service RBAC Admin" --assignee myid@xyz .com --scope /subscriptions/ID/resourcegroups/myaksclusterrg/providers/Microsoft.ContainerService/managedClusters/myakscluster/namespaces/mynamespace-name
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,932 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Manu Philip 17,026 Reputation points MVP

    I see that following comands helps

    $GROUP_ID = az ad group show --group team1 --query id -o tsv  
    AKS_CLUSTER_ID=$(az aks show --resource-group aks --name aks --query id -o tsv)  
    az role assignment create --assignee $GROUP_ID --role "Azure Kubernetes Service Cluster User Role"  --scope $AKS_CLUSTER_ID  


    --please don't forget to upvote and Accept as answer if the reply is helpful--

    2 people found this answer helpful.

  2. Manu Philip 17,026 Reputation points MVP

    In Kubernetes, Roles define the permissions to grant, and RoleBindings apply them to desired users or groups. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see Using Kubernetes RBAC authorization.

    Create a Role for the namespace. This role grants full permissions to the namespace. In production environments, you can specify more granular permissions for different users or groups.

    Create a file named role-namespace.yaml and paste the following YAML manifest:

    kind: Role  
      name: dev-user-full-access  
      namespace: dev  
    - apiGroups: ["", "extensions", "apps"]  
      resources: ["*"]  
      verbs: ["*"]  
    - apiGroups: ["batch"]  
      - jobs  
      - cronjobs  
      verbs: ["*"]  

    Apply: kubectl apply -f role-namespace.yaml

    In-order to bind the role to a group, following yaml file to be created and applied

    kind: RoleBinding  
      name: dev-user-access  
      namespace: dev  
      kind: Role  
      name: dev-user-full-access  
    - kind: Group  
      namespace: dev  
      name: groupObjectId  

    Apply: kubectl apply -f rolebinding-dev-namespace.yaml

    I haven't tried it personally; however, you can see if the name: <sp object id> helps to assign the permission to service principle also

    0 comments No comments

  3. João Vieira 1 Reputation point Microsoft Employee

    Hi there @Niren Adhikary (NAD) ,

    With Azure RBAC enabled, you should be able to run the assignment command that you've used on step 3 (Source)

    az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee **<AAD-ENTITY-ID>** --scope $AKS_ID/namespaces/<namespace-name>  

    Replace AAD-ENTITY-ID with your AAD group object id, allow a few minutes for changes to propagate, and it should work.



    0 comments No comments