
ENOTTY asked ENOTTY edited

What RBAC role is needed to access the Networking blade in Azure Kubernetes Service?

I'm trying to allow a user access to the Networking blade of an AKS cluster in order to update the API server IP allowlist.

As a manner of debugging, I've given this user the Owner role across the containing resource group and the cluster, but the user is still seeing an error when navigating to the page. Am I missing some other role?

azure-kubernetes-service, azure-rbac

1 Answer

RamyaHarinarthini-MSFT answered ENOTTY edited

@ENOTTY Apologies for the delay in response and all the inconvenience caused because of the issue.

Enabling access only to the networking blade on AKS could be done through custom RBAC roles. The command below will give the list of available RBACs:

 Get-AzProviderOperation "Microsoft.Containerservice/*" | FT Operation, Description

I have tried to create one with the below. However, it was not working as expected. Could you please try this once? And if it's not, please open a support case for more investigation.


{
    "Name": "Authorized IP AKS-admin",
    "IsCustom": true,
    "Description": "Manage Authorized IPs in AKS.",
    "Actions": [
        "Microsoft.ContainerService/managedClusters/read"
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.ContainerService/managedClusters/limitranges/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/"
    ],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/75674f20-4004-48a8-aa99-1f92ebaba884"
    ]
}

To create a custom role, please check this document: https://docs.microsoft.com/en-us/azure/aks/manage-azure-rbac#create-custom-roles-definitions

Reference document: https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#containers

Hope it helps!!!

Please "Accept as Answer" if it helped, so it can help others in the community looking for help on similar topics.



@ENOTTY Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

ENOTTY replied to RamyaHarinarthini-MSFT:

Yep, this worked. Thanks!!

I had to edit the role definition just a tad, adding a * on line 11

{
    "Name": "Authorized IP AKS-admin",
    "IsCustom": true,
    "Description": "Manage Authorized IPs in AKS.",
    "Actions": [
        "Microsoft.ContainerService/managedClusters/read"
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.ContainerService/managedClusters/limitranges/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*"
    ],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/<YOUR SUBSCRIPTION ID HERE>"
    ]
}
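An added example, not part of the original thread: a small Python check of which operations a role definition's patterns actually select, run over the two versions of `DataActions` posted above. The operation list is a constructed sample (a real one would come from the `Get-AzProviderOperation` output mentioned in the answer), the function names are hypothetical, and the matching assumes Azure RBAC permission strings are case-insensitive with `*` as the only wildcard.

```python
import re

def _matches(pattern: str, operation: str) -> bool:
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def effective(role: dict, operations: list, kind: str = "DataActions") -> list:
    """Operations selected by role[kind] after subtracting role['Not' + kind]."""
    allow = role.get(kind, [])
    deny = role.get("Not" + kind, [])
    return [op for op in operations
            if any(_matches(p, op) for p in allow)
            and not any(_matches(p, op) for p in deny)]

def dead_patterns(role: dict, operations: list, kind: str = "DataActions") -> list:
    """Patterns that select no known operation (typo, missing wildcard)."""
    return [p for p in role.get(kind, [])
            if not any(_matches(p, op) for op in operations)]

# Constructed sample of operation names, for illustration only.
PREFIX = "Microsoft.ContainerService/managedClusters/"
SAMPLE_OPERATIONS = [PREFIX + suffix for suffix in (
    "limitranges/read", "limitranges/write", "limitranges/delete",
    "extensions/networkpolicies/read", "extensions/networkpolicies/write",
    "extensions/networkpolicies/delete", "secrets/read",
)]

def _role(network_policy_pattern: str) -> dict:
    """Build the thread's role with the given networkpolicies pattern."""
    return {
        "Actions": [PREFIX + "read"],
        "NotActions": [],
        "DataActions": [PREFIX + "limitranges/*", PREFIX + network_policy_pattern],
        "NotDataActions": [],
    }

AS_POSTED = _role("extensions/networkpolicies/")   # version in the answer
AS_EDITED = _role("extensions/networkpolicies/*")  # version in the follow-up

if __name__ == "__main__":
    for label, role in (("as posted", AS_POSTED), ("as edited", AS_EDITED)):
        print(label, "selects", len(effective(role, SAMPLE_OPERATIONS)),
              "operations; dead patterns:", dead_patterns(role, SAMPLE_OPERATIONS))
```

Running the same check over every custom role before it is created catches patterns that select nothing, and the `effective` list shows exactly what a wildcard expands to so it can be reviewed against least privilege.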