To allow a team to install applications such as Dynatrace and Helm charts in Azure Kubernetes Service (AKS) while maintaining the principle of least privilege, you need to assign specific Azure Role-Based Access Control (RBAC) roles and Kubernetes RBAC roles.
### Azure RBAC Permissions
First, you need to ensure the team has the necessary permissions to perform actions within the Azure environment. Typically, you would grant the following Azure roles:
- Azure Kubernetes Service Cluster User Role: This role lets users retrieve the cluster's user credentials (kubeconfig) and connect to the AKS cluster; what they can then do inside the cluster is decided by Kubernetes RBAC.
- Contributor or Custom Role: Contributor on the cluster resource grants full management of it (including retrieving the cluster admin credentials). If you need more granularity, create a custom role that includes only the permissions the team needs to manage the AKS resources.
### Steps to Assign Azure RBAC Roles

- Azure Kubernetes Service Cluster User Role:

```bash
az role assignment create --assignee <user-or-group-id> --role "Azure Kubernetes Service Cluster User Role" --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerService/managedClusters/<aks-cluster-name>
```

- Contributor Role:

```bash
az role assignment create --assignee <user-or-group-id> --role Contributor --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerService/managedClusters/<aks-cluster-name>
```
### Kubernetes RBAC Permissions
Next, you need to configure Kubernetes RBAC roles to allow the team to install applications within the AKS cluster.
- ClusterRole: Define a ClusterRole with the necessary permissions.
- ClusterRoleBinding: Bind the ClusterRole to the team.
### Example Kubernetes RBAC Configuration

Create a ClusterRole with the necessary permissions to manage resources like Helm charts and applications:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-installer
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # The "extensions" API group was removed in Kubernetes 1.16: Deployments and
  # ReplicaSets are served from "apps" (covered above) and Ingresses from
  # "networking.k8s.io", so this is the rule that actually grants Ingress access.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # Only needed when releases are managed by Flux's helm-controller; a plain
  # "helm install" from the CLI needs no permission on this custom resource.
  - apiGroups: ["helm.toolkit.fluxcd.io"]
    resources: ["helmreleases"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
```
Create a ClusterRoleBinding to bind the ClusterRole to the team:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-installer-binding
subjects:
  # For a Microsoft Entra ID (Azure AD) group on an AAD-integrated AKS cluster,
  # use kind: Group and the group's object ID as the name.
  - kind: User
    name: <user-or-group-name> # Replace with the actual user or group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: app-installer
  apiGroup: rbac.authorization.k8s.io
```
### Applying the Configuration

- Save the ClusterRole configuration to a file, e.g. `app-installer-clusterrole.yaml`.
- Apply the ClusterRole: `kubectl apply -f app-installer-clusterrole.yaml`
- Save the ClusterRoleBinding configuration to a file, e.g. `app-installer-clusterrolebinding.yaml`.
- Apply the ClusterRoleBinding: `kubectl apply -f app-installer-clusterrolebinding.yaml`
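As an added example (not part of the original answer), the Python script below audits the rules of the app-installer ClusterRole above for grants that are broader than an installer needs once they are bound cluster-wide, renders a namespace-scoped RoleBinding to the same ClusterRole as the tighter alternative, and lists the `kubectl auth can-i` checks to run after applying. It uses only the standard library: the rule list is transcribed from the ClusterRole (with Ingresses under `networking.k8s.io` rather than the removed `extensions` group), the `team-a` namespace and the subject names are assumed placeholders, and the manifest is emitted as JSON, which `kubectl apply -f` accepts just like YAML.

```python
"""Audit app-installer RBAC rules and render a namespace-scoped binding.
Example added to this answer; standard library only."""
import json
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]
Finding = Tuple[int, str, str]  # (rule index, check name, detail)

ALL_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]

# Transcribed from the app-installer ClusterRole above, with ingresses under
# networking.k8s.io (the "extensions" group was removed in Kubernetes 1.16).
APP_INSTALLER_RULES: List[Rule] = [
    {"apiGroups": [""], "verbs": ALL_VERBS,
     "resources": ["pods", "services", "endpoints", "persistentvolumeclaims",
                   "events", "configmaps", "secrets"]},
    {"apiGroups": ["apps"], "verbs": ALL_VERBS,
     "resources": ["deployments", "daemonsets", "replicasets", "statefulsets"]},
    {"apiGroups": ["batch"], "verbs": ALL_VERBS, "resources": ["jobs", "cronjobs"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": ALL_VERBS, "resources": ["ingresses"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "verbs": ALL_VERBS,
     "resources": ["roles", "rolebindings"]},
    {"apiGroups": ["helm.toolkit.fluxcd.io"], "verbs": ALL_VERBS,
     "resources": ["helmreleases"]},
]

WRITE_VERBS = {"create", "delete", "deletecollection", "patch", "update", "*"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
REMOVED_GROUPS = {"extensions"}  # no longer served by any supported AKS version


def audit_rules(rules: List[Rule]) -> List[Finding]:
    """Flag rules that become risky once the role is bound cluster-wide."""
    findings: List[Finding] = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups | resources | verbs:
            findings.append((i, "wildcard", "matches every API group, resource or verb"))
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append((i, "secrets-read",
                             "reads Secrets; through a ClusterRoleBinding that is every namespace"))
        if (groups & {"rbac.authorization.k8s.io", "*"} and resources & RBAC_RESOURCES
                and verbs & WRITE_VERBS and not rule.get("resourceNames")):
            findings.append((i, "rbac-write",
                             "writes RoleBindings, so the subject can re-grant its permissions"))
        if verbs & {"escalate", "bind", "impersonate"}:
            findings.append((i, "privileged-verb", "verb bypasses RBAC's own escalation checks"))
        if groups & REMOVED_GROUPS:
            findings.append((i, "removed-apigroup", "API group no longer served; grants nothing"))
    return findings


def render_rolebinding(namespace: str, subject_kind: str, subject_name: str,
                       cluster_role: str = "app-installer") -> dict:
    """RoleBinding granting the ClusterRole inside one namespace only.
    For an Entra ID group use subject_kind="Group" and the group object ID."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{cluster_role}-binding", "namespace": namespace},
        "subjects": [{"kind": subject_kind, "name": subject_name,
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": cluster_role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def can_i_checks(namespace: str, user: str) -> List[Tuple[str, bool]]:
    """(command, expected answer) pairs for a user bound only in `namespace`."""
    base = f"kubectl auth can-i {{}} --as={user}"
    return [
        (base.format(f"create deployments.apps -n {namespace}"), True),
        (base.format(f"create helmreleases.helm.toolkit.fluxcd.io -n {namespace}"), True),
        (base.format("list secrets -n kube-system"), False),
        (base.format("create clusterrolebindings.rbac.authorization.k8s.io"), False),
        (base.format("get nodes"), False),
    ]


if __name__ == "__main__":
    for idx, check, detail in audit_rules(APP_INSTALLER_RULES):
        print(f"rule[{idx}] {check}: {detail}")
    # Constructed placeholders: write the result to a file and `kubectl apply -f` it.
    print(json.dumps(render_rolebinding("team-a", "Group", "<entra-group-object-id>"), indent=2))
    for cmd, expected in can_i_checks("team-a", "<user-principal-name>"):
        print(f"{cmd}  # expect {'yes' if expected else 'no'}")
```

Running it against the rules as written reports two findings: the `secrets` grant and the `rolebindings` write grant, both of which are harmless in a single team namespace but, through a ClusterRoleBinding, reach every namespace including `kube-system`. Binding the same ClusterRole with the rendered RoleBinding per team namespace keeps the role definition and changes only its reach. The `--as` impersonation in the printed checks needs a caller that holds `impersonate` rights (typically a cluster admin), and the three "no" answers are the ones that confirm the binding is not cluster-wide.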
By configuring these Azure and Kubernetes RBAC roles, you can ensure that the team has the minimum necessary permissions to install and manage applications within your AKS cluster. This setup adheres to the principle of least privilege, enhancing the security of your environment.