LiJunHanson-3314 asked
How to enable user to access AKS workloads via Azure portal with Reader subscription

We have a Reader-access subscription, and the user cannot access some resources in AKS, such as workloads and namespaces.
How can we enable the user to access AKS resources via the Azure portal with a Reader subscription?

The way I've tried is to use AKS-managed AD and Kubernetes RBAC; the specific namespace's resources can be accessed via kubectl, but still cannot be accessed via the portal. Is it a bug?

azure-kubernetes-service

shivapatpi-MSFT answered

Hello @LiJunHanson-3314,
Thanks for your query!

Can you try out the steps below:

  1) Connect to the cluster using the --admin flag:
        az aks get-credentials -g rgname -n aksclustername --admin

  2) Get the UPN of the user to whom you want to grant access, using the command below:
        az ad signed-in-user show --query userPrincipalName -o tsv

  3) Using the document below, create a YAML file of kind ClusterRoleBinding.

Sample clusterrole.yaml file:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # Every cluster already ships a ClusterRoleBinding named "cluster-admin"
  # (bound to the system:masters group); use a distinct name so that
  # kubectl apply does not overwrite that default binding.
  name: aks-user-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin   # built-in ClusterRole with full access to every resource in the cluster
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <UPN of the user from the command in step 2>

  4) kubectl apply -f C:\clusterrole.yaml

Hope the steps above help resolve the issue; kindly make sure to "Upvote and Accept the answer".



Hi,

The steps provided are what I have done.
My point is the difference between the kubectl view and the portal view: as you can see, I can get pod info via kubectl in the test2 namespace, but I can't filter by the test2 namespace.

Hello @LiJunHanson-3314,
There should not be any difference between the portal and kubectl views. I tried the exact same steps but was not able to repro your issue.
I am sure you might be doing some additional steps or some additional config change when applying the YAML file.

If you can post your detailed steps, we can try repro'ing from our end.
Did you bind roles to the entire cluster or to a specific namespace?
If you have applied a ClusterRoleBinding, it should affect the entire cluster.
In the portal, were you able to see other workloads or namespaces?
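An added example, not code from the thread or from Microsoft, that shows a least-privilege alternative to binding the built-in cluster-admin ClusterRole to a portal Reader, and the cluster-wide versus namespace-scoped distinction the comment above asks about. It renders a namespace-scoped Role/RoleBinding for the workloads plus a separate, minimal ClusterRole for listing namespaces (Namespace is a cluster-scoped resource, so no RoleBinding can grant "list namespaces"; that a namespace-scoped binding satisfies `kubectl get pods -n test2` yet leaves a namespace filter empty is one plausible explanation for the asker's symptom, but whether the portal is doing exactly that here is an assumption), and then uses `kubectl auth can-i --as=<UPN>` from the admin context to confirm both. The namespace `test2`, the UPN `user@example.com`, the resource list and the object names are placeholders; the script assumes AKS-managed Azure AD with Kubernetes RBAC, where the UPN is the Kubernetes user name.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the original posts or from AKS.
# Placeholders: namespace "test2", user UPN "user@example.com". Assumes
# AKS-managed Azure AD with Kubernetes RBAC, so the UPN is the Kubernetes
# user name that --as impersonation and the binding subject refer to.
set -eu

# Render a namespace-scoped Role plus RoleBinding: read-only access to the
# workloads of one namespace, instead of cluster-admin for the whole cluster.
render_namespace_reader() {   # $1 = namespace, $2 = user UPN
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workload-reader
  namespace: $1
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps", "events"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workload-reader
  namespace: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workload-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $2
EOF
}

# Namespace objects are cluster-scoped, so no Role/RoleBinding can grant
# "list namespaces". A UI that fills a namespace picker by listing namespaces
# needs this separate, deliberately tiny ClusterRole (not cluster-admin).
render_namespace_lister() {   # $1 = user UPN
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-lister
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-lister
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-lister
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $1
EOF
}

# Apply both manifests with admin credentials (needs a live cluster), then
# check the two operations that differ between "kubectl get pods -n <ns>" and
# a namespace filter, impersonating the user with kubectl's --as flag.
# "kubectl auth can-i" exits non-zero on "no", hence the "|| true".
apply_and_verify() {   # $1 = namespace, $2 = user UPN
  render_namespace_reader "$1" "$2" | kubectl apply -f -
  render_namespace_lister "$2" | kubectl apply -f -
  printf 'get pods in %s as %s: ' "$1" "$2"
  kubectl auth can-i get pods -n "$1" --as="$2" || true
  printf 'list namespaces as %s: ' "$2"
  kubectl auth can-i list namespaces --as="$2" || true
}

# Usage, on a machine where "az aks get-credentials ... --admin" is active:
# apply_and_verify test2 user@example.com
```

If `get pods` answers `yes` while `list namespaces` answers `no`, the user has a namespace-scoped binding only; any view that enumerates namespaces will stay empty until the cluster-scoped grant is added. If both answer `yes` and the portal still shows nothing, RBAC is not the cause and the API-server reachability questions in the next answer are the next thing to check.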
mukulbana answered

Hi @LiJunHanson-3314,

If you have "Reader" access to the subscription and are not able to view resources/components of AKS, this could be attributed to either of the scenarios below:

  1. Are you running a private AKS cluster?

  2. Have you whitelisted certain IP addresses for the API server?


