Azure RBAC and AKS not working as expected

Mile Mitsev 21 Reputation points
2021-10-19T07:00:23.883+00:00

Hello,

I have created an AKS Cluster with AKS-managed Azure Active Directory and Role-based access control (RBAC) enabled.
If I try to connect to the Cluster by using one of the accounts which are included in the Admin Azure AD groups, everything works as it should.
I am having some difficulties when I try to do this with a user which is not a member of the Admin Azure AD groups. What I did is the following:

  • created a new user
  • assigned the roles Azure Kubernetes Service Cluster User Role and Azure Kubernetes Service RBAC Reader to this user
  • executed the following command: az aks get-credentials --resource-group RG1 --name aksttest

When I then execute the following command: kubectl get pods -n test I get the following error: Error from server (Forbidden): pods is forbidden: User "aksthree@tenantname.onmicrosoft.com" cannot list resource "pods" in API group "" in the namespace "test"

In the Cluster I haven't done any RoleBinding. According to the documentation from Microsoft, there is no additional task that should be done in the Cluster (like, for example, a Role definition and RoleBinding).

My expectation is that when a user has the above two roles assigned he should be able to have read rights in the Cluster. Am I doing something wrong?

Please let me know what you think,
Thanks in advance,
Mile
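The question above describes two different things with the word "roles": an Azure role assignment (evaluated by Azure Resource Manager) and authorization inside the cluster (evaluated by the Kubernetes API server). Which Azure assignments the API server honours depends on how the cluster was created: "Azure Kubernetes Service Cluster User Role" only authorizes downloading the kubeconfig, while "Azure Kubernetes Service RBAC Reader" is consulted only when Azure RBAC for Kubernetes authorization is enabled on the cluster; with AKS-managed Azure AD plus plain Kubernetes RBAC, the only source of authorization is Role/ClusterRole bindings inside the cluster. The following script is an added diagnostic, not code from the question or any of the answers. It assumes the az CLI and kubectl are installed and logged in; RG1, aksttest and the namespace test are the names from the question, and the JSON property names it greps for (enableRbac, aadProfile.enableAzureRbac) are assumed to be the ones `az aks show -o json` emits.

```shell
#!/usr/bin/env bash
# Added diagnostic (not code from the thread). Assumes az CLI and kubectl are
# installed and logged in. RG1, aksttest and namespace "test" come from the
# question; the JSON property names (enableRbac, aadProfile.enableAzureRbac)
# are an assumption about the `az aks show -o json` output format.

# Classify the cluster's authorization mode from captured `az aks show` JSON.
# Pure text processing, so it can be exercised offline on a saved document:
#   azure-rbac       Azure role assignments such as "AKS RBAC Reader" are honoured
#   kubernetes-rbac  only in-cluster Role/ClusterRole bindings grant access
#   no-rbac          Kubernetes RBAC is disabled on the cluster
aks_authz_mode() {
  local json="$1"
  if printf '%s\n' "$json" | grep -q '"enableAzureRbac": *true'; then
    echo "azure-rbac"
  elif printf '%s\n' "$json" | grep -q '"enableRbac": *true'; then
    echo "kubernetes-rbac"
  else
    echo "no-rbac"
  fi
}

# Run the classification against a live cluster (names default to the question's).
check_cluster() {
  local rg="${1:-RG1}" name="${2:-aksttest}"
  aks_authz_mode "$(az aks show --resource-group "$rg" --name "$name" -o json)"
}

# Ask the API server the same question the failing `kubectl get pods` asked,
# without listing anything. Prints yes/no; exit status 0 means allowed.
can_list_pods() {
  local ns="${1:-test}"
  kubectl auth can-i list pods --namespace "$ns"
}

# Show every in-cluster binding whose subjects include the user
# (-o wide adds the USERS/GROUPS/SERVICEACCOUNTS columns).
bindings_for_user() {
  local user="$1"
  kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep -F "$user"
}

# Usage: ./aks-authz-check.sh RG1 aksttest test
if [ "$#" -ge 2 ]; then
  echo "authorization mode: $(check_cluster "$1" "$2")"
  can_list_pods "${3:-test}" || echo "denied: in kubernetes-rbac mode a RoleBinding is required"
fi
```

When the script reports kubernetes-rbac and `can-i` answers no, the Forbidden error in the question is the expected result: the Azure RBAC Reader assignment exists, but nothing in the cluster maps the user's UPN to a role.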


3 additional answers

  1. shiva patpi 13,131 Reputation points Microsoft Employee
    2021-10-19T23:44:42.7+00:00

    Hello @Mile Mitsev ,
    I was able to repro the exact issue in my subscription, but after following the document
    https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac#create-the-aks-cluster-resources-for-sres
    and providing the ClusterRoleBinding to the set of users, I was able to access it.

    Here is the sample YAML file:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: username@something.com

    Having said that, I will do some additional research on this and will follow up accordingly to get that document updated with some additional steps.

    Regards,
    Shiva.


  2. Mile Mitsev 21 Reputation points
    2021-10-20T13:12:32.393+00:00

    Hi Shiva,

    Thank you for the quick answer.
    Once I create the Role definition and Role Binding in the cluster, things work as they should. When I enabled the RBAC for the cluster, a Cluster Role Binding was created in the Cluster.
    This is however not the case when I assigned the above mentioned roles to my test user. I am not sure if this is a bug or not.
    Please let me know what you think,

    Thanks again,
    BR
    Mile


  3. Mile Mitsev 21 Reputation points
    2021-10-22T12:41:31.113+00:00

    Hi VarunSharma-4299,

    That did the trick. It is working as expected now.
    Thank you for your help.

    Best Regards,
    Mile
