namespace permission

Niren Adhikary (NAD) 146 Reputation points
2022-11-09T18:07:53.49+00:00

Hi,

How to assign Azure Kubernetes Service RBAC Admin role to Service Principal and Azure AD Group for a particular namespace?

I tried following to assign myself the Azure Kubernetes Service RBAC Admin role on the specific namespace.

How do I replace myid@xyz .com to Service Principal Id or Azure AD Group ?

  1. Enable Managed Identity:
    az aks update -g myaksclusterrg -n myakscluster --enable-aad --aad-admin-group-object-ids XXXXX
  2. Enable Azure RBAC
    az aks update -g myaksclusterrg -n myakscluster --enable-azure-rbac
  3. az role assignment create --role "Azure Kubernetes Service RBAC Admin" --assignee myid@xyz .com --scope /subscriptions/ID/resourcegroups/myaksclusterrg/providers/Microsoft.ContainerService/managedClusters/myakscluster/namespaces/mynamespace-name
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,932 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Manu Philip 17,026 Reputation points MVP
    2022-11-09T20:32:18.853+00:00

    I see that following comands helps

    $GROUP_ID = az ad group show --group team1 --query id -o tsv  
    AKS_CLUSTER_ID=$(az aks show --resource-group aks --name aks --query id -o tsv)  
    az role assignment create --assignee $GROUP_ID --role "Azure Kubernetes Service Cluster User Role"  --scope $AKS_CLUSTER_ID  
    

    ----------

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    2 people found this answer helpful.

  2. Manu Philip 17,026 Reputation points MVP
    2022-11-15T04:08:35.377+00:00

    In Kubernetes, Roles define the permissions to grant, and RoleBindings apply them to desired users or groups. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see Using Kubernetes RBAC authorization.

    Create a Role for the namespace. This role grants full permissions to the namespace. In production environments, you can specify more granular permissions for different users or groups.

    Create a file named role-namespace.yaml and paste the following YAML manifest:

    kind: Role  
    apiVersion: rbac.authorization.k8s.io/v1  
    metadata:  
      name: dev-user-full-access  
      namespace: dev  
    rules:  
    - apiGroups: ["", "extensions", "apps"]  
      resources: ["*"]  
      verbs: ["*"]  
    - apiGroups: ["batch"]  
      resources:  
      - jobs  
      - cronjobs  
      verbs: ["*"]  
    

    Apply: kubectl apply -f role-namespace.yaml

    In-order to bind the role to a group, following yaml file to be created and applied

    kind: RoleBinding  
    apiVersion: rbac.authorization.k8s.io/v1  
    metadata:  
      name: dev-user-access  
      namespace: dev  
    roleRef:  
      apiGroup: rbac.authorization.k8s.io  
      kind: Role  
      name: dev-user-full-access  
    subjects:  
    - kind: Group  
      namespace: dev  
      name: groupObjectId  
    

    Apply: kubectl apply -f rolebinding-dev-namespace.yaml

    I haven't tried it personally; however, you can see if the name: <sp object id> helps to assign the permission to service principle also

    0 comments No comments

  3. João Vieira 1 Reputation point Microsoft Employee
    2022-12-05T23:22:43.507+00:00

    Hi there @Niren Adhikary (NAD) ,

    With Azure RBAC enabled, you should be able to run the assignment command that you've used on step 3 (Source)

    az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee **<AAD-ENTITY-ID>** --scope $AKS_ID/namespaces/<namespace-name>  
    

    Replace AAD-ENTITY-ID with your AAD group object id, allow a few minutes for changes to propagate, and it should work.

    Thanks,

    Joao

    0 comments No comments