Azure RBAC for AKS Authentication - cannot assign custom roles at namespace scope?

ardn 0 Reputation points
2023-01-16T08:52:04.92+00:00

When using Azure RBAC for AKS Authentication, I have been able to assign built-in roles at the namespace scope, for example Azure Kubernetes Service RBAC Admin.

I have not been able to create a Custom Role with the AssignableScope of Namespace. Is this not possible?

Steps I follow:

1. In the Subscription I click create a custom role.
2. I clone a role.
3. I remove the Sub from assignableScopes.
4. I select the JSON and click Edit.
5. I add the namespace scope to the list of assignable scopes:

    "assignableScopes": [
        "/subscriptions/sub-id-redacted/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster/namespaces/default"
    ],

When I click Save to add the Namespace scope to the custom role definition JSON, I get this error:

Validation Error: Invalid Scope

Then I click Save a second time and I get:

[Screenshot 2023-01-16 at 08.50.00]

I am able to save the custom role if the scope is the Cluster but not the Namespace.

The user creating this role has Owner and User Access Admin assigned as well as Cluster Admin assigned and Azure Kubernetes Service RBAC admin on the namespace in question.


3 answers

  1. Adrian Dobrescu 266 Reputation points Microsoft Employee
    2023-01-16T09:07:45.25+00:00

    Hello ardn,

    Yes, it is possible to assign custom Azure RBAC roles at Kubernetes namespace level. See the following example:

    1. Create a custom role in Azure using the Azure CLI or Azure PowerShell. For example, you can create a custom role called "pod-reader" that allows read access to pods in a namespace:

    # "Actions" is left empty: the role grants no control-plane rights, only the
    # Kubernetes data action below. "AssignableScopes" is required by the CLI; it
    # stays at the subscription, and the namespace is chosen at assignment time.
    az role definition create --role-definition '{
      "Name": "pod-reader",
      "IsCustom": true,
      "Description": "Allows read access to pods in a namespace",
      "Actions": [],
      "NotActions": [],
      "DataActions": [
        "Microsoft.ContainerService/managedClusters/pods/read"
      ],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/<subscription-id>"
      ]
    }'

    2. Assign the custom role to a user or group. For example, you can assign the "pod-reader" role to a user called "jane":

    # --assignee takes a user principal name, object ID, or service principal name
    az role assignment create --role "pod-reader" --assignee "jane" --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>/namespaces/<namespace-name>

    With the above example, user "jane" will have read-only access to pods within the specified namespace in the Kubernetes cluster.
    You can read more information about access and identity concepts in Azure on the official documentation:
    https://learn.microsoft.com/en-us/azure/aks/concepts-identity

    Hope it helps.

    Please "Accept as Answer" and upvote if it helped, so that it can help others in the community looking for help on similar topics.
    Thank you!



  3. KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator
    2023-01-19T01:52:26.1266667+00:00

    Hi @ardn, I was able to get more information on this from the Product team.

    Instead of modifying the "assignableScopes", you can use role assignments to bind it to namespace scope.
    See https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac#create-role-assignments-for-users-to-access-cluster
    You can simply modify the Action/DataAction to your preference and not change the assignable scope (note that it is "assignable", not assignment), then use a role assignment as shown in the document shared above. The doc says -

    [screenshot of the linked documentation]

    Assignable scope is used for validating that whether the role is available to be assigned to a given scope. See https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#role-definition
    [screenshot of the linked documentation]

    It is a different feature and unrelated to achieving assigning a custom role to a given namespace.

    If you have any question at all, please let me know in the comments. That's the fastest way for me to be notified and I can get further clarity from Product team as needed.

    Hope that helps.
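Putting Adrian's role definition and the moderator's point together: the role definition keeps a subscription-level AssignableScopes, and the namespace enters only through the assignment scope, which Azure validates against AssignableScopes. The Python below is an added example, not code from the question or any answer; the subscription ID, resource group and cluster name are constructed placeholders, the pod DataAction used is Microsoft.ContainerService/managedClusters/pods/read, and the Azure CLI commands are built as strings rather than executed.

```python
import json
import shlex

# Constructed placeholder identifiers, not real resources.
SUB = "00000000-0000-0000-0000-000000000000"
RG = "test-rg"
CLUSTER = "test-cluster"

def cluster_scope(sub=SUB, rg=RG, cluster=CLUSTER):
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.ContainerService/managedClusters/{cluster}")

def namespace_scope(namespace, **kw):
    """Scope of one Kubernetes namespace, as used by AKS Azure RBAC role assignments."""
    return f"{cluster_scope(**kw)}/namespaces/{namespace}"

def pod_reader_definition(assignable=None):
    """Read-only pod role; AssignableScopes stays at the subscription, the namespace comes with the assignment."""
    return {
        "Name": "pod-reader",
        "IsCustom": True,
        "Description": "Allows read access to pods in a namespace",
        "Actions": [],
        "NotActions": [],
        "DataActions": ["Microsoft.ContainerService/managedClusters/pods/read"],
        "NotDataActions": [],
        "AssignableScopes": assignable or [f"/subscriptions/{SUB}"],
    }

def is_within(assignable, target):
    """Segment-wise, case-insensitive test that target is at or below assignable,
    so '/subscriptions/ab' does not match '/subscriptions/abc/...'."""
    a = assignable.strip("/").lower().split("/")
    return target.strip("/").lower().split("/")[: len(a)] == a

def can_assign(definition, target_scope):
    """The validation the moderator describes: the assignment scope must lie inside
    at least one entry of the role's AssignableScopes."""
    return any(is_within(s, target_scope) for s in definition["AssignableScopes"])

def cli_commands(definition, assignee, target_scope):
    """Azure CLI invocations that create the role, then bind it at the namespace."""
    if not can_assign(definition, target_scope):
        raise ValueError(f"{target_scope} is outside the role's AssignableScopes")
    return [
        "az role definition create --role-definition " + shlex.quote(json.dumps(definition)),
        f"az role assignment create --role {shlex.quote(definition['Name'])} "
        f"--assignee {shlex.quote(assignee)} --scope {shlex.quote(target_scope)}",
    ]
```

A role whose AssignableScopes is the cluster can still be assigned at any of its namespaces; a namespace under a different cluster is rejected before any CLI call is emitted.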

