How are Azure roles mapped to Kubernetes roles?

Aleksandar Jelić 20 Reputation points

When using "Azure AD authentication with Azure RBAC" we can assign different roles to AD users as Azure role assignments. I found a list of all the possible roles we can use. We can also create custom roles etc. That is clear.

What is not clear to me is, how those roles are mapped to Kubernetes roles and how we can inspect them. Looking at the ClusterRole and Role resources, those built-in roles don't seem to be visible anywhere on the cluster.

My goal is to be able to see how those roles are mapped, exactly, using kubectl, not the Azure docs.
Could you explain what is happening behind the scenes?

Thank you.

Azure Kubernetes Service (AKS)

Accepted answer
Ben Gimblett 2,190 Reputation points Microsoft Employee

    @Aleksandar Jelić the role mapping within guard (the service behind the webhook described in the docs which is providing the Azure RBAC integration) is not something the product folks will discuss, as it's an implementation detail.

    However, if you want to track/see what's going on you can opt into the guard logs via an AKS diagnostic setting and query the results in log analytics (or wherever you decide to send the logs)


    What you can see here, amongst other things, is the encache details logged for the auth result, so for example what decision was made for a user, with a given Az RBAC role assignment, for a given kubectl command, etc.
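The procedure the answer describes, written out as an added example (this is not code from the thread, from Microsoft, or from guard): enable the "guard" diagnostic log category on the cluster, send it to a Log Analytics workspace, generate a few authorization decisions with `kubectl auth can-i`, and read the decisions back with a KQL query. The resource group, cluster, workspace and user names are placeholders; the `AzureDiagnostics` column `log_s` as the carrier of the guard line and the use of `az monitor log-analytics query` are assumptions about the workspace layout and CLI, not something stated on the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microsoft. It wires up the
# "guard" diagnostic category the answer refers to, builds a Log Analytics
# query over the resulting AzureDiagnostics rows, and probes the effective
# decision from the kubectl side with a SelfSubjectAccessReview.
# Assumptions (placeholders, not from the page): resource group, cluster and
# workspace names; the AzureDiagnostics column "log_s" holding the guard line;
# az CLI logged in with rights on both resources.
# DRY_RUN=1 (default) prints the commands instead of executing them.

RG="${RG:-my-rg}"
CLUSTER="${CLUSTER:-my-aks}"
WORKSPACE="${WORKSPACE:-my-law}"
USER_UPN="${USER_UPN:-alice@example.com}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD PLACEHOLDER: echo CMD to stderr; execute it, or, in dry-run mode,
# print PLACEHOLDER so callers capturing output still get a value.
run() {
    printf '+ %s\n' "$1" >&2
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$2"
    else
        eval "$1"
    fi
}

# ARM resource ID of the cluster (the diagnostic setting attaches to it).
aks_resource_id_cmd() {
    printf 'az aks show --resource-group %s --name %s --query id -o tsv' "$1" "$2"
}

# ARM resource ID of the Log Analytics workspace that receives the logs.
workspace_id_cmd() {
    printf 'az monitor log-analytics workspace show --resource-group %s --workspace-name %s --query id -o tsv' "$1" "$2"
}

# Workspace customer ID (GUID); "az monitor log-analytics query" wants this one.
workspace_customer_id_cmd() {
    printf 'az monitor log-analytics workspace show --resource-group %s --workspace-name %s --query customerId -o tsv' "$1" "$2"
}

# Diagnostic setting that ships only the guard category to the workspace.
enable_guard_logs_cmd() {
    printf 'az monitor diagnostic-settings create --name guard-to-law --resource %s --workspace %s --logs %s' \
        "$1" "$2" "'[{\"category\":\"guard\",\"enabled\":true}]'"
}

# KQL over the last hour of guard entries mentioning the given user.
# "log_s" as the column carrying the guard line is an assumption.
guard_query() {
    cat <<EOF
AzureDiagnostics
| where Category == "guard"
| where TimeGenerated > ago(1h)
| where log_s has "$1"
| project TimeGenerated, log_s
| order by TimeGenerated desc
EOF
}

# Run a KQL query against the workspace from the CLI.
query_cmd() {
    printf "az monitor log-analytics query --workspace %s --analytics-query '%s' -o table" "$1" "$2"
}

# Ask the API server whether the signed-in identity may do VERB on RESOURCE in
# NAMESPACE. This is a SelfSubjectAccessReview, which the Azure RBAC webhook
# answers; "kubectl auth can-i --list" does not reflect webhook decisions, so
# probe individual verbs instead.
probe_cmd() {
    printf 'kubectl auth can-i %s %s --namespace %s' "$1" "$2" "$3"
}

main() {
    aks_id=$(run "$(aks_resource_id_cmd "$RG" "$CLUSTER")" '<aks-resource-id>')
    ws_id=$(run "$(workspace_id_cmd "$RG" "$WORKSPACE")" '<workspace-resource-id>')
    run "$(enable_guard_logs_cmd "$aks_id" "$ws_id")" ''
    # Generate a few allow/deny decisions for the query to find.
    for verb in get list create delete; do
        run "$(probe_cmd "$verb" pods dev)" 'no'
    done
    customer_id=$(run "$(workspace_customer_id_cmd "$RG" "$WORKSPACE")" '<workspace-guid>')
    kql=$(guard_query "$USER_UPN" | tr '\n' ' ')
    run "$(query_cmd "$customer_id" "$kql")" ''
}

main "$@"
```

Run it once with the default `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` to apply them. The probes are there on purpose: guard only logs a decision when the API server asks it one, so issuing a handful of `can-i` checks as the user whose role assignment you are investigating gives the query concrete rows to return.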
