What are the roles required to create namespace in Azure Kubernetes Service?

Rachana K P 0 Reputation points
2023-04-28T04:44:09.7933333+00:00

I am getting "namespaces is forbidden: User cannot create resource "namespaces" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access"

Azure Kubernetes Service (AKS)

2 answers

  1. Prrudram-MSFT 22,056 Reputation points
    2023-04-28T14:25:57.3433333+00:00

    Hello @Rachana K P

    Error:

    Namespaces is forbidden. User cannot create resource "namespaces" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access

    The error message indicates that the user account you are using does not have the necessary permissions to create namespaces in the Kubernetes cluster.

    To resolve this issue, you will need to update the role assignment for the user account to allow access to the necessary resources. You can do this by following these steps:

    1. Open the Azure portal and navigate to the Kubernetes cluster that you are working with.
    2. Click on "Access control (IAM)" in the left-hand menu.
    3. Click on the "Add" button at the top of the page to add a new role assignment.
    4. In the "Add role assignment" pane, select the appropriate role that grants the necessary permissions to create namespaces. For example, you could select the "Kubernetes Cluster Administrator" role.
    5. In the "Assign access to" section, select "User, group, or service principal".
    6. In the "Select" field, enter the name of the user account that you are using.
    7. Click on the "Save" button to save the new role assignment.

    Once you have updated the role assignment, you should be able to create namespaces in the Kubernetes cluster without encountering an error message.
    Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-kubernetes-service-cluster-admin-role

    Please accept answer and upvote if the above information is helpful for the benefit of the community.

    1 person found this answer helpful.

  2. Curtis Barrett 0 Reputation points
    2024-04-18T16:59:40.85+00:00

    For anyone who is like me and still had issues, there are two different roles:

    Azure Kubernetes Service RBAC Admin

    and

    Azure Kubernetes Service RBAC Cluster Admin

    The second one (as mentioned above) is the one that you need. I added the first one and could do everything but namespaces (as the role says when I read the fine print). /sigh

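The following is an added example, not part of either answer: a scripted version of the role assignment using the role named in the second answer, followed by a check that namespace creation is now allowed. It assumes the cluster uses Azure RBAC for Kubernetes authorization and that `az` and `kubectl` are already signed in; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread). Function names are hypothetical.
# Assumes Azure RBAC for Kubernetes authorization is enabled on the cluster.

# Role named in the second answer; it includes cluster-scoped namespace rights.
ROLE="Azure Kubernetes Service RBAC Cluster Admin"

# Resolve the cluster's ARM resource ID, used as the role-assignment scope.
aks_scope() {  # usage: aks_scope <resource-group> <cluster-name>
  az aks show --resource-group "$1" --name "$2" --query id --output tsv
}

# Return 0 if the principal already holds $ROLE at exactly this scope.
has_role() {  # usage: has_role <assignee-object-id> <scope>
  local n
  n=$(az role assignment list --assignee "$1" --scope "$2" \
        --role "$ROLE" --query "length(@)" --output tsv) || return 2
  [ "${n:-0}" -gt 0 ]
}

# Assign the role only when it is missing, so reruns do not fail or duplicate.
grant_namespace_admin() {  # usage: grant_namespace_admin <rg> <cluster> <assignee>
  local scope
  scope=$(aks_scope "$1" "$2") || return 1
  [ -n "$scope" ] || { echo "cluster not found" >&2; return 1; }
  if has_role "$3" "$scope"; then
    echo "already-assigned"
  else
    az role assignment create --assignee "$3" --role "$ROLE" \
      --scope "$scope" --output none || return 1
    echo "assigned"
  fi
}

# Ask the API server whether the current kubectl identity may create namespaces.
can_create_namespaces() {
  [ "$(kubectl auth can-i create namespaces 2>/dev/null)" = "yes" ]
}

# Typical use (placeholders, not values from the thread):
#   grant_namespace_admin <resource-group> <cluster-name> <user-object-id>
#   can_create_namespaces && kubectl create namespace <name>
```

A new role assignment can take a few minutes to take effect, so a "no" from the check immediately after assignment does not necessarily mean the role is wrong. The role applies to the whole cluster, so assign it only to identities that need cluster-wide administration.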