Share via

namespace permission

Niren Adhikary (NAD) 146 Reputation points
2022-11-09T18:07:53.49+00:00

Hi,

How to assign Azure Kubernetes Service RBAC Admin role to Service Principal and Azure AD Group for a particular namespace?

I tried following to assign myself the Azure Kubernetes Service RBAC Admin role on the specific namespace.

How do I replace myid@xyz .com to Service Principal Id or Azure AD Group ?

  1. Enable Managed Identity:
    az aks update -g myaksclusterrg -n myakscluster --enable-aad --aad-admin-group-object-ids XXXXX
  2. Enable Azure RBAC
    az aks update -g myaksclusterrg -n myakscluster --enable-azure-rbac
  3. az role assignment create --role "Azure Kubernetes Service RBAC Admin" --assignee myid@xyz .com --scope /subscriptions/ID/resourcegroups/myaksclusterrg/providers/Microsoft.ContainerService/managedClusters/myakscluster/namespaces/mynamespace-name
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,146 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Manu Philip 18,676 Reputation points MVP
    2022-11-09T20:32:18.853+00:00

    I see that following comands helps 

    $GROUP_ID = az ad group show --group team1 --query id -o tsv  
AKS_CLUSTER_ID=$(az aks show --resource-group aks --name aks --query id -o tsv)  
az role assignment create --assignee $GROUP_ID --role "Azure Kubernetes Service Cluster User Role"  --scope $AKS_CLUSTER_ID

    ----------

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    2 people found this answer helpful.
  2. Manu Philip 18,676 Reputation points MVP
    2022-11-15T04:08:35.377+00:00

    In Kubernetes, Roles define the permissions to grant, and RoleBindings apply them to desired users or groups. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see Using Kubernetes RBAC authorization.

    Create a Role for the namespace. This role grants full permissions to the namespace. In production environments, you can specify more granular permissions for different users or groups.

    Create a file named role-namespace.yaml and paste the following YAML manifest: 

    kind: Role  
apiVersion: rbac.authorization.k8s.io/v1  
metadata:  
  name: dev-user-full-access  
  namespace: dev  
rules:  
- apiGroups: ["", "extensions", "apps"]  
  resources: ["*"]  
  verbs: ["*"]  
- apiGroups: ["batch"]  
  resources:  
  - jobs  
  - cronjobs  
  verbs: ["*"]

    Apply: kubectl apply -f role-namespace.yaml

    In-order to bind the role to a group, following yaml file to be created and applied 

    kind: RoleBinding  
apiVersion: rbac.authorization.k8s.io/v1  
metadata:  
  name: dev-user-access  
  namespace: dev  
roleRef:  
  apiGroup: rbac.authorization.k8s.io  
  kind: Role  
  name: dev-user-full-access  
subjects:  
- kind: Group  
  namespace: dev  
  name: groupObjectId

    Apply: kubectl apply -f rolebinding-dev-namespace.yaml

    I haven't tried it personally; however, you can see if the name: <sp object id> helps to assign the permission to service principle also

    0 comments
  3. João Vieira 1 Reputation point Microsoft Employee
    2022-12-05T23:22:43.507+00:00

    Hi there @Niren Adhikary (NAD) ,

    With Azure RBAC enabled, you should be able to run the assignment command that you've used on step 3 (Source)

    az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee **<AAD-ENTITY-ID>** --scope $AKS_ID/namespaces/<namespace-name>

    Replace AAD-ENTITY-ID with your AAD group object id, allow a few minutes for changes to propagate, and it should work.

    Thanks,

    Joao

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.