Subscription permissions for AKS

Philip Bohlman 1 Reputation point
2021-09-30T14:31:15.653+00:00

I have a consultant setting up AKS in one of my subscriptions. I have provided a resource group, but he claims he requires owner privileges across the entire subscription as AKS requires many resource groups and other subscription-wide resources. What permissions are appropriate for AKS creation and management, and how broadly is it going to expand?


2 answers

  1. kobulloc-MSFT 23,181 Reputation points Microsoft Employee
    2021-09-30T15:14:24.277+00:00

    Hello, @Philip Bohlman !

    You are correct: owner privileges across the entire subscription are not a best practice, and it is true that there is a relatively long list of permissions needed for everything AKS related; however, if all you are interested in is AKS creation and management, you can trim that list down.

    Before I get into options, I recommend taking a quick look at the documentation for AKS access and identity. It has a list of AKS service permissions as well as built in roles: https://learn.microsoft.com/en-us/azure/aks/concepts-identity

    Built-in roles

    When looking at the built-in roles that are available, Azure Kubernetes Service RBAC Cluster Admin "allows super-user access to perform any action on any resource. Gives full control over every resource in the cluster and in all namespaces." It grants the following permissions:

    [image: permission list for the Azure Kubernetes Service RBAC Cluster Admin built-in role]

    Custom roles

    If you wanted to create a custom role, these are the permissions that relate to AKS. There's a bit of a list here and I'm looking through these to see if I can make a better recommendation for your scenario.

    Resources:


  2. kobulloc-MSFT 23,181 Reputation points Microsoft Employee
    2021-10-05T20:21:32.46+00:00

    (Included as an answer due to character limitation)

    The following are all the access and identity options for AKS documentation:
    https://learn.microsoft.com/en-us/azure/aks/concepts-identity

    Identity creating and operating the cluster permissions

    Microsoft.Compute/diskEncryptionSets/read  
    Microsoft.Compute/proximityPlacementGroups/write  
    Microsoft.Network/applicationGateways/read  
    Microsoft.Network/applicationGateways/write  
    Microsoft.Network/virtualNetworks/subnets/join/action  
    Microsoft.Network/publicIPAddresses/join/action  
    Microsoft.Network/publicIPPrefixes/join/action  
    Microsoft.OperationalInsights/workspaces/sharedkeys/read  
    Microsoft.OperationalInsights/workspaces/read  
    Microsoft.OperationsManagement/solutions/write  
    Microsoft.OperationsManagement/solutions/read  
    Microsoft.ManagedIdentity/userAssignedIdentities/assign/action  
    

    AKS cluster identity permissions

    Microsoft.ContainerService/managedClusters/*  
    Microsoft.Network/loadBalancers/delete  
    Microsoft.Network/loadBalancers/read  
    Microsoft.Network/loadBalancers/write  
    Microsoft.Network/publicIPAddresses/delete  
    Microsoft.Network/publicIPAddresses/read  
    Microsoft.Network/publicIPAddresses/write  
    Microsoft.Network/publicIPAddresses/join/action  
    Microsoft.Network/networkSecurityGroups/read  
    Microsoft.Network/networkSecurityGroups/write  
    Microsoft.Compute/disks/delete  
    Microsoft.Compute/disks/read  
    Microsoft.Compute/disks/write  
    Microsoft.Compute/locations/DiskOperations/read  
    Microsoft.Storage/storageAccounts/delete  
    Microsoft.Storage/storageAccounts/listKeys/action  
    Microsoft.Storage/storageAccounts/read  
    Microsoft.Storage/storageAccounts/write  
    Microsoft.Storage/operations/read  
    Microsoft.Network/routeTables/read  
    Microsoft.Network/routeTables/routes/delete  
    Microsoft.Network/routeTables/routes/read  
    Microsoft.Network/routeTables/routes/write  
    Microsoft.Network/routeTables/write  
    Microsoft.Compute/virtualMachines/read  
    Microsoft.Compute/virtualMachines/write  
    Microsoft.Compute/virtualMachineScaleSets/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read  
    Microsoft.Network/networkInterfaces/write  
    Microsoft.Compute/virtualMachineScaleSets/write  
    Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write  
    Microsoft.Network/networkInterfaces/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read  
    Microsoft.Network/virtualNetworks/read  
    Microsoft.Network/virtualNetworks/subnets/read  
    Microsoft.Compute/snapshots/delete  
    Microsoft.Compute/snapshots/read  
    Microsoft.Compute/snapshots/write  
    Microsoft.Compute/locations/vmSizes/read  
    Microsoft.Compute/locations/operations/read  
    

    Additional cluster identity permissions - Needs to be added to the cluster identity after it's created.

    Microsoft.Network/networkSecurityGroups/write  
    Microsoft.Network/networkSecurityGroups/read  
    Microsoft.Network/virtualNetworks/subnets/read  
    Microsoft.Network/virtualNetworks/subnets/join/action  
    Microsoft.Network/routeTables/routes/read  
    Microsoft.Network/routeTables/routes/write  
    Microsoft.Network/virtualNetworks/subnets/read  
    Microsoft.Network/privatednszones/*  
    

    As a single list, that would be:

    Microsoft.Compute/diskEncryptionSets/read  
    Microsoft.Compute/disks/delete  
    Microsoft.Compute/disks/read  
    Microsoft.Compute/disks/write  
    Microsoft.Compute/locations/DiskOperations/read  
    Microsoft.Compute/locations/operations/read  
    Microsoft.Compute/locations/vmSizes/read  
    Microsoft.Compute/proximityPlacementGroups/write  
    Microsoft.Compute/snapshots/delete  
    Microsoft.Compute/snapshots/read  
    Microsoft.Compute/snapshots/write  
    Microsoft.Compute/virtualMachines/read  
    Microsoft.Compute/virtualMachines/write  
    Microsoft.Compute/virtualMachineScaleSets/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read  
    Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write  
    Microsoft.Compute/virtualMachineScaleSets/write  
    Microsoft.ContainerService/managedClusters/*  
    Microsoft.ManagedIdentity/userAssignedIdentities/assign/action  
    Microsoft.Network/applicationGateways/read  
    Microsoft.Network/applicationGateways/write  
    Microsoft.Network/loadBalancers/delete  
    Microsoft.Network/loadBalancers/read  
    Microsoft.Network/loadBalancers/write  
    Microsoft.Network/networkInterfaces/read  
    Microsoft.Network/networkInterfaces/write  
    Microsoft.Network/networkSecurityGroups/read  
    Microsoft.Network/networkSecurityGroups/write  
    Microsoft.Network/privatednszones/*  
    Microsoft.Network/publicIPAddresses/delete  
    Microsoft.Network/publicIPAddresses/join/action  
    Microsoft.Network/publicIPAddresses/read  
    Microsoft.Network/publicIPAddresses/write  
    Microsoft.Network/publicIPPrefixes/join/action  
    Microsoft.Network/routeTables/read  
    Microsoft.Network/routeTables/routes/delete  
    Microsoft.Network/routeTables/routes/read  
    Microsoft.Network/routeTables/routes/write  
    Microsoft.Network/routeTables/write  
    Microsoft.Network/virtualNetworks/read  
    Microsoft.Network/virtualNetworks/subnets/join/action  
    Microsoft.Network/virtualNetworks/subnets/read  
    Microsoft.OperationalInsights/workspaces/read  
    Microsoft.OperationalInsights/workspaces/sharedkeys/read  
    Microsoft.OperationsManagement/solutions/read  
    Microsoft.OperationsManagement/solutions/write  
    Microsoft.Storage/operations/read  
    Microsoft.Storage/storageAccounts/delete  
    Microsoft.Storage/storageAccounts/listKeys/action  
    Microsoft.Storage/storageAccounts/read  
    Microsoft.Storage/storageAccounts/write  
    
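As an added example (not from the thread or Microsoft's documentation), the following turns the single list above into a custom role definition whose AssignableScopes is one resource group rather than the subscription, and checks which required actions a given grant fails to cover, using Azure RBAC's case-insensitive matching where `*` spans `/` segments. The subscription id, resource group name, role name and the trimmed subset of actions are placeholders; the full list from the answer drops in unchanged.

```python
import fnmatch
import json

# Subset of the single list in the answer above; the full list drops in unchanged.
AKS_ACTIONS = [
    "Microsoft.ContainerService/managedClusters/*",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
]


def action_covered(granted: str, requested: str) -> bool:
    """Azure RBAC action matching: case-insensitive, and '*' spans '/' segments."""
    return fnmatch.fnmatchcase(requested.lower(), granted.lower())


def uncovered_actions(required, actions, not_actions=()):
    """Required actions that `actions` (minus `not_actions`) does not grant."""
    missing = []
    for req in required:
        allowed = any(action_covered(a, req) for a in actions)
        denied = any(action_covered(n, req) for n in not_actions)
        if denied or not allowed:
            missing.append(req)
    return missing


def build_custom_role(subscription_id, resource_group, actions, name="AKS Operator"):
    """Role definition in the JSON shape `az role definition create` accepts.
    AssignableScopes is the one resource group, not the whole subscription."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Create and manage AKS within one resource group",
        "Actions": sorted(set(actions)),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


if __name__ == "__main__":
    # Placeholder subscription id and group name (assumed values); replace before use.
    role = build_custom_role("00000000-0000-0000-0000-000000000000", "rg-aks", AKS_ACTIONS)
    print(json.dumps(role, indent=2))
```

AKS also creates a separate node resource group for the cluster's VM scale sets, load balancer and disks, so that group needs the same scoped assignment if the operator is expected to manage it.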