Does AKS supports pod security admission at cluster level?

Tanul 1,251 Reputation points
2023-05-28T18:08:48.4866667+00:00

Hello,

Is it possible to create Pod security admission at cluster level as described here. If yes, then

  1. How to add usernames in exemptions section in case of RBAC based AKS
  2. Should we add AD group object id

Please suggest. Thank you.

Kind Regards,

Tanul

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,992 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Prrudram-MSFT 23,051 Reputation points
    2023-06-19T08:18:25.47+00:00

    @Tanul

    Yes, it is possible to create Pod security admission at cluster level as described in the documentation
    To add usernames in exemptions section in case of RBAC based AKS, you can use Azure RBAC to define access to the Kubernetes configuration file in AKS. You can assign users built-in roles or create custom roles using Azure RBAC mechanisms and APIs, just as you would with Kubernetes roles. With this feature, you not only give users permissions to the AKS resource across subscriptions, but you also configure the role and permissions for inside each of those clusters controlling Kubernetes API access.

    You can add AD group object id to the group claims for applications by using Azure Active Directory.

    Sources:

    https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/aks/concepts-identity.md

    https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/hybrid/connect/how-to-connect-fed-group-claims.md

    https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/aks/manage-azure-rbac.md

    If this does answer your question, please accept it as the answer as a token of appreciation.

    0 comments No comments