Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
978 questions
Azure RBAC for AKS Issues with Istio related resources
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 51%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
Muthukumar, Harinarayanan
6
Reputation points
I have a AKS Cluster with Azure AD Integration and Azure RBAC Enabled . If I grant necessary permission to the Azure AD User basic things such as namespace , pod , deployment etc seem to be working as expected . But we use Istio in our clusters and have been having issues being able to grant an user to list istio resources such as istio virtual service , istio gateway etc.
I read an MS article and created a custom role to allow "Microsoft.ContainerService/managedClusters/*/read" , but even that dosent do the trick . Is there something I am missing or is there no way to make this work with Azure RBAC .
This seems to work if I import the Admin cred , but looking for a way to do this without being have to grant all of the users in our org admin rights on the cluster .
Azure Role-based access control
Azure Kubernetes Service
Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,459 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator2022-08-01T20:05:02.457+00:00 Is enableAzureRbac set to true on the cluster? ("enableAzureRbac": true,)
If you haven't done so already, you need to ensure that RBAC is enabled via Azure CLI, as described here:
az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbacAdditional resources:
https://istio.io/latest/docs/setup/platform-setup/azure/
https://learn.microsoft.com/en-us/azure/aks/servicemesh-about -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
KarishmaTiwari-MSFT 20,777 Reputation points Microsoft Employee Moderator2022-08-08T21:56:27.557+00:00 According to the limitation, the only way to get the CRDs work (this should include the ones from Istio), is to create a custom role and use the "Microsoft.ContainerService/managedClusters/apps/*/read" which basically means all access to all resources for read.
The method for that is described in this guide: Manage Azure RBAC in Kubernetes From Azure - Azure Kubernetes Service | Microsoft Learn.Please take a look at the document shared above and check if the custom role definition was created correctly. Let me know the results.
Sign in to comment
Sign in to answer