Question (asked by MayankMayank-6426, answered by shivapatpi-MSFT)

Not able to read/write in the AKS Cluster even after assigning Azure Kubernetes Service RBAC Writer role to the user

I have a user named rbacWriterAndConsoleNsReader in my Azure portal and assigned him the Azure Kubernetes Service Cluster User role and the Azure Kubernetes Service RBAC Writer role (scope = full cluster).

But when I try to list namespaces or even pods, it shows the error below:

Error from server (Forbidden): namespaces is forbidden: User "rbacWriterAndConsoleNsReader@mayankprac2outlook.onmicrosoft.com" cannot list resource "namespaces" in API group "" at the cluster scope

PS: NO YAML files should be used (as the role here is a built-in role provided by Azure); all must be done through the Azure CLI.

Where am I going wrong? Can anyone please explain?

Thanks in advance !


Tags: azure-kubernetes-service, azure-ad-conditional-access, azure-rbac

1 Answer

Answer by shivapatpi-MSFT

Hello @MayankMayank-6426,
Thanks for reaching out to the Microsoft Q&A Platform.
Can you validate whether your cluster is enabled with Azure RBAC?
az aks show -g myrg -n myaks --query aadProfile

If not, enable it with the command below:
az aks update -g myrg -n myaks --enable-azure-rbac

enableRBAC - enables Kubernetes Role-Based Access Control.
enableAzureRBAC - enables Azure RBAC for Kubernetes authorization.

One more way is to:
Create a Security Group, add users to that SG, and try giving access to the Security Group instead of individual users.
Regards,
Shiva.
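The check the answer describes, as an added example that is not part of either post in this thread: the built-in "Azure Kubernetes Service RBAC Writer" role is evaluated by the cluster's Azure RBAC authorizer, which only runs when enableAzureRBAC is true on the cluster; with it off, the API server consults Kubernetes RBAC alone, which knows nothing about Azure role assignments, and the Cluster User role by itself only grants downloading the kubeconfig, hence the Forbidden error. The script below reads the aadProfile JSON that `az aks show -g <rg> -n <name> --query aadProfile` prints and reports which `az` command to run next. The JSON samples are constructed, not real cluster output; the key name `enableAzureRbac`, the resource-ID scope for the role assignment, and the combined `--enable-aad --enable-azure-rbac` form for a cluster without AAD integration are assumptions.

```shell
#!/bin/sh
# Added example, not from the Q&A thread: decide from the aadProfile JSON
# whether Azure RBAC for Kubernetes authorization is on, and print the next step.
# Assumption: the CLI reports the setting under the key "enableAzureRbac"
# (the answer names the property enableAzureRBAC); matching is case-insensitive.

# Constructed sample: AAD integration present, Azure RBAC off.
SAMPLE_PROFILE_OFF='{
  "adminGroupObjectIDs": null,
  "enableAzureRbac": false,
  "managed": true,
  "tenantId": "00000000-0000-0000-0000-000000000000"
}'

# Constructed sample: Azure RBAC on.
SAMPLE_PROFILE_ON='{
  "adminGroupObjectIDs": null,
  "enableAzureRbac": true,
  "managed": true,
  "tenantId": "00000000-0000-0000-0000-000000000000"
}'

# azure_rbac_state PROFILE_JSON
#   Prints one of: missing | off | on
#   missing: no aadProfile at all (cluster has no AAD integration)
#   off:     AAD integration present, but only Kubernetes RBAC authorizes requests
#   on:      Azure RBAC for Kubernetes authorization is enabled
azure_rbac_state() {
  profile=$(printf '%s' "$1" | tr -d ' \t\n\r')
  if [ -z "$profile" ] || [ "$profile" = "null" ]; then
    echo missing
  elif printf '%s' "$profile" | grep -iq '"enableazurerbac":true'; then
    echo on
  else
    echo off
  fi
}

# next_command RG NAME STATE
#   Prints the az command that moves the cluster toward a working role assignment.
#   The role must be scoped to the cluster resource ID (assumption), which is why
#   the "on" branch embeds a nested `az aks show --query id` to obtain it.
next_command() {
  rg=$1; name=$2; state=$3
  case "$state" in
    missing) echo "az aks update -g $rg -n $name --enable-aad --enable-azure-rbac" ;;
    off)     echo "az aks update -g $rg -n $name --enable-azure-rbac" ;;
    on)      echo "az role assignment create --role 'Azure Kubernetes Service RBAC Writer' --assignee <user-upn> --scope \$(az aks show -g $rg -n $name --query id -o tsv)" ;;
    *)       echo "unknown state: $state" >&2; return 1 ;;
  esac
}

# Offline walk-through over the constructed samples; replace a sample with
# real `az aks show` output when checking an actual cluster.
for sample in "$SAMPLE_PROFILE_OFF" "$SAMPLE_PROFILE_ON" "null"; do
  state=$(azure_rbac_state "$sample")
  echo "state=$state -> $(next_command myrg myaks "$state")"
done
```

After the role assignment lands, the user still needs a fresh `az aks get-credentials` so the kubeconfig carries the AAD login flow; an old kubeconfig with a cached token keeps producing the same Forbidden response until it is refreshed.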
