Custom Role with least privileged permission to install apps in AKS

Rahul 241 Reputation points
2024-06-24T19:37:27.16+00:00

Hi Team,

We are using Azure RBAC for authentication and authorization in AKS, and with this authentication we want to grant access to a team to install apps on AKS. What are the minimum permissions we need to give to an app team to install apps like Dynatrace and Helm charts in AKS? We want to make sure we have the basic minimum permissions assigned to this team to allow installation of these tools. If anyone has any reference article or has already implemented this custom role, let us know.

Azure Kubernetes Service (AKS)

1 answer

  1. Ganeshkumar R 265 Reputation points
    2024-06-24T19:41:51.63+00:00

    To allow a team to install applications such as Dynatrace and Helm charts in Azure Kubernetes Service (AKS) while maintaining the principle of least privilege, you need to assign specific Azure Role-Based Access Control (RBAC) roles and Kubernetes RBAC roles.

    Azure RBAC Permissions

    First, you need to ensure the team has the necessary permissions to perform actions within the Azure environment. Typically, you would grant the following Azure roles:

    1. Azure Kubernetes Service Cluster User Role: This role allows users to connect to the Azure Kubernetes Service (AKS) cluster.
    2. Contributor or Custom Role: If you need more granularity, you may create a custom role that includes the necessary permissions to manage AKS resources.

    Steps to Assign Azure RBAC Roles

    1. Azure Kubernetes Service Cluster User Role:
      
         az role assignment create --assignee <user-or-group-id> --role "Azure Kubernetes Service Cluster User Role" --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerService/managedClusters/<aks-cluster-name>
      
      
    2. Contributor Role:
      
         az role assignment create --assignee <user-or-group-id> --role Contributor --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerService/managedClusters/<aks-cluster-name>
      
      

    Kubernetes RBAC Permissions

    Next, you need to configure Kubernetes RBAC roles to allow the team to install applications within the AKS cluster.

    1. ClusterRole: Define a ClusterRole with the necessary permissions.
    2. ClusterRoleBinding: Bind the ClusterRole to the team.

    Example Kubernetes RBAC Configuration

    Create a ClusterRole with the necessary permissions to manage resources like Helm charts and applications:

    
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: app-installer
    rules:
    - apiGroups: [""]
      # Helm 3 stores release state in Secrets in the release namespace
      resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apps"]
      resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources: ["jobs", "cronjobs"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    # The "extensions" API group was removed in Kubernetes 1.16: Deployments and
    # ReplicaSets are served by "apps" above, and Ingresses by networking.k8s.io.
    - apiGroups: ["networking.k8s.io"]
      resources: ["ingresses"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.authorization.k8s.io"]
      resources: ["roles", "rolebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["helm.toolkit.fluxcd.io"]
      resources: ["helmreleases"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    
    

    Create a ClusterRoleBinding to bind the ClusterRole to the team:

    
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: app-installer-binding
    subjects:
    - kind: User   # use kind: Group when binding a group
      name: <user-or-group-name>  # Replace with the actual user or group name
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: app-installer
      apiGroup: rbac.authorization.k8s.io
    
    

    Applying the Configuration

    1. Save the ClusterRole configuration to a file, e.g., app-installer-clusterrole.yaml.
    2. Apply the ClusterRole:
      
         kubectl apply -f app-installer-clusterrole.yaml
      
      
    3. Save the ClusterRoleBinding configuration to a file, e.g., app-installer-clusterrolebinding.yaml.
    4. Apply the ClusterRoleBinding:
      
         kubectl apply -f app-installer-clusterrolebinding.yaml
      
      

    Reference Articles

    By configuring these Azure and Kubernetes RBAC roles, you can ensure that the team has the minimum necessary permissions to install and manage applications within your AKS cluster. This setup adheres to the principle of least privilege, enhancing the security of your environment.
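An added example, not part of the question or the answer above: the question asks for a custom role, and a cluster that uses Azure RBAC for Kubernetes authorization (as the asker says theirs does) can express the install permissions as an Azure custom role whose DataActions are the Kubernetes operations Helm needs, assigned at a single namespace rather than to the whole cluster. The script below keeps the "Azure Kubernetes Service Cluster User Role" at cluster scope (kubeconfig only) and puts everything else in a custom role assigned at `<cluster-resource-id>/namespaces/<namespace>`. It goes beyond the answer in that it grants nothing cluster-scoped and no RBAC write. The role name, environment variables and IDs are placeholders; the DataAction strings follow the documented `Microsoft.ContainerService/managedClusters/<apiGroup>/<resource>/<verb>` pattern of the built-in "Azure Kubernetes Service RBAC Writer" role, which you should diff against before relying on the list.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): a namespace-scoped "app installer"
# for an AKS cluster using Azure RBAC for Kubernetes authorization. Role name,
# env vars and IDs are placeholders.
set -eu

# Emit the custom role definition. DataActions use the documented pattern
# Microsoft.ContainerService/managedClusters/<apiGroup>/<resource>/<verb>; compare with
#   az role definition list --name "Azure Kubernetes Service RBAC Writer"
# The list is what `helm install/upgrade` of an ordinary chart needs inside ONE
# namespace: workloads, services, config, secrets (Helm 3 keeps release history in
# Secrets of type helm.sh/release.v1), jobs for chart hooks, ingresses.
# Nothing from rbac.authorization.k8s.io and nothing cluster-scoped.
aks_installer_role_json() {
  subscription_id="$1"
  role_name="$2"
  cat <<EOF
{
  "Name": "${role_name}",
  "Description": "Install and upgrade Helm-managed apps inside an assigned AKS namespace",
  "Actions": [],
  "NotActions": [],
  "DataActions": [
    "Microsoft.ContainerService/managedClusters/namespaces/read",
    "Microsoft.ContainerService/managedClusters/pods/*",
    "Microsoft.ContainerService/managedClusters/pods/log/read",
    "Microsoft.ContainerService/managedClusters/services/*",
    "Microsoft.ContainerService/managedClusters/endpoints/*",
    "Microsoft.ContainerService/managedClusters/configmaps/*",
    "Microsoft.ContainerService/managedClusters/secrets/*",
    "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
    "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
    "Microsoft.ContainerService/managedClusters/events/read",
    "Microsoft.ContainerService/managedClusters/apps/deployments/*",
    "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
    "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
    "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
    "Microsoft.ContainerService/managedClusters/batch/jobs/*",
    "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
    "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*"
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/${subscription_id}" ]
}
EOF
}

# Build the namespace scope. Namespace names are DNS labels; reject anything else
# so a typo does not silently create an assignment on a scope that never matches.
aks_namespace_scope() {
  aks_id="$1"
  ns="$2"
  echo "$ns" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$' \
    || { echo "invalid namespace name: '$ns'" >&2; return 1; }
  echo "$aks_id/namespaces/$ns"
}

# Two assignments for the Entra group: kubeconfig access at cluster scope, and the
# custom role at namespace scope only.
aks_installer_assign() {
  aks_id="$1"; ns="$2"; group_id="$3"; role_name="$4"
  scope=$(aks_namespace_scope "$aks_id" "$ns")
  az role assignment create --assignee-object-id "$group_id" --assignee-principal-type Group \
    --role "Azure Kubernetes Service Cluster User Role" --scope "$aks_id"
  az role assignment create --assignee-object-id "$group_id" --assignee-principal-type Group \
    --role "$role_name" --scope "$scope"
}

# Run as a member of the group after `az aks get-credentials` (kubelogin does the
# sign-in). Expected: yes, yes, no, no. `can-i` exits 1 on "no", hence `|| true`.
aks_installer_verify() {
  ns="$1"
  kubectl auth can-i create secrets -n "$ns" || true
  kubectl auth can-i create deployments.apps -n "$ns" || true
  kubectl auth can-i create rolebindings.rbac.authorization.k8s.io -n "$ns" || true
  kubectl auth can-i create customresourcedefinitions.apiextensions.k8s.io || true
}

# Usage: SUBSCRIPTION_ID=... AKS_ID=<cluster resource ID> NAMESPACE=... GROUP_OBJECT_ID=... ./installer-role.sh apply
if [ "${1:-}" = "apply" ]; then
  ROLE_NAME="${ROLE_NAME:-AKS Namespace App Installer}"
  az role definition create --role-definition "$(aks_installer_role_json "$SUBSCRIPTION_ID" "$ROLE_NAME")"
  aks_installer_assign "$AKS_ID" "$NAMESPACE" "$GROUP_OBJECT_ID" "$ROLE_NAME"
fi
```

A newly created custom role can take a few minutes to propagate, so the second assignment may need a retry. Anything a chart installs outside the namespace (CRDs, ClusterRoles, admission webhooks, an agent DaemonSet in its own namespace) is not covered by a namespace-scoped assignment and needs a deliberate, separately reviewed grant rather than a wider wildcard.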