Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,462 questions
AKS permissions from azure portal - couple of issues
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 0%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
akhan
206
Reputation points
- i am trying to give a user access to the AKS in azure portal only , we have RBAC enabled/AAD managed cluster. My use case is to use one of the azure RBAC roles to give user permissions to view contents under the 'Kubernetes resources' pane (Namespaces, Workloads, services & ingresses, storage, configuration). The only RBAC role that seems to give that info is the 'Azure Kubernetes Service RBAC Cluster Admin' role , which also gives them admin permission on the cluster which is unacceptable for us. I tried the other AKS RBAC Reader / Writer roles but they dont display any of the information on Azure Portal.
- If i give user RBAC Cluster Admin then it tends to stick even after i have removed the permissions, user is still able to do everything in azure portal as well as on AKS which sounds like a blarring bug.
I have not found any info on this online and i have talked to support who referred me initially to AKS docs and then to this channel
Azure Kubernetes Service
{count} votes
-
SRIJIT-BOSE-MSFT 4,346 Reputation points Microsoft Employee2021-09-08T14:04:25.217+00:00 @akhan , This has been a lingering problem for quite some time and I have seen users face this issue time and again in the past. We have been internally investigating a fix for this issue. In the meanwhile, a possible workaround is to use the
kubectlCLI in conjunction with the Azure Kubernetes Service Cluster User role. Can you please check if that would be feasible in your use-case? In the meanwhile, we shall try to get some traction on this internally.
Sign in to comment
Sign in to answer