
0 Votes
BohlmanPhilip-3418 asked kobulloc-MSFT answered

Subscription permissions for AKS

I have a consultant setting up AKS in one of my subscriptions. I have provided a resource group, but he claims he requires owner privileges across the entire subscription, as AKS requires many resource groups and other subscription-wide resources. What permissions are appropriate for AKS creation and management, and how broadly is it going to expand?

Tags: azure-kubernetes-service, azure-rbac

0 Votes
kobulloc-MSFT answered kobulloc-MSFT edited

Hello, @BohlmanPhilip-3418!

You are correct: owner privileges across the entire subscription are not a best practice. It is true that there is a relatively long list of permissions needed for everything AKS-related; however, if all you are interested in is AKS creation and management, you can trim that list down.

Before I get into options, I recommend taking a quick look at the documentation for AKS access and identity. It has a list of AKS service permissions as well as built in roles:
https://docs.microsoft.com/en-us/azure/aks/concepts-identity


Built in roles
When looking at the built in roles that are available, Azure Kubernetes Service RBAC Cluster Admin "allows super-user access to perform any action on any resource. Gives full control over every resource in the cluster and in all namespaces." It grants the following permissions:

[image: permissions granted by the Azure Kubernetes Service RBAC Cluster Admin built-in role]


Custom roles
If you wanted to create a custom role, these are the permissions that relate to AKS. There's a bit of a list here and I'm looking through these to see if I can make a better recommendation for your scenario.


Resources:
- Access and identity options for Azure Kubernetes Service (AKS)
- Azure built-in roles
- Azure resource provider operations



0 Votes
kobulloc-MSFT answered

(Included as an answer due to character limitation)

The following are all the access and identity options for AKS documentation:
https://docs.microsoft.com/en-us/azure/aks/concepts-identity

Identity creating and operating the cluster permissions

 Microsoft.Compute/diskEncryptionSets/read
 Microsoft.Compute/proximityPlacementGroups/write
 Microsoft.Network/applicationGateways/read
 Microsoft.Network/applicationGateways/write
 Microsoft.Network/virtualNetworks/subnets/join/action
 Microsoft.Network/publicIPAddresses/join/action
 Microsoft.Network/publicIPPrefixes/join/action
 Microsoft.OperationalInsights/workspaces/sharedkeys/read
 Microsoft.OperationalInsights/workspaces/read
 Microsoft.OperationsManagement/solutions/write
 Microsoft.OperationsManagement/solutions/read
 Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

AKS cluster identity permissions

 Microsoft.ContainerService/managedClusters/*
 Microsoft.Network/loadBalancers/delete
 Microsoft.Network/loadBalancers/read
 Microsoft.Network/loadBalancers/write
 Microsoft.Network/publicIPAddresses/delete
 Microsoft.Network/publicIPAddresses/read
 Microsoft.Network/publicIPAddresses/write
 Microsoft.Network/publicIPAddresses/join/action
 Microsoft.Network/networkSecurityGroups/read
 Microsoft.Network/networkSecurityGroups/write
 Microsoft.Compute/disks/delete
 Microsoft.Compute/disks/read
 Microsoft.Compute/disks/write
 Microsoft.Compute/locations/DiskOperations/read
 Microsoft.Storage/storageAccounts/delete
 Microsoft.Storage/storageAccounts/listKeys/action
 Microsoft.Storage/storageAccounts/read
 Microsoft.Storage/storageAccounts/write
 Microsoft.Storage/operations/read
 Microsoft.Network/routeTables/read
 Microsoft.Network/routeTables/routes/delete
 Microsoft.Network/routeTables/routes/read
 Microsoft.Network/routeTables/routes/write
 Microsoft.Network/routeTables/write
 Microsoft.Compute/virtualMachines/read
 Microsoft.Compute/virtualMachines/write
 Microsoft.Compute/virtualMachineScaleSets/read
 Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
 Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read
 Microsoft.Network/networkInterfaces/write
 Microsoft.Compute/virtualMachineScaleSets/write
 Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write
 Microsoft.Network/networkInterfaces/read
 Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
 Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read
 Microsoft.Network/virtualNetworks/read
 Microsoft.Network/virtualNetworks/subnets/read
 Microsoft.Compute/snapshots/delete
 Microsoft.Compute/snapshots/read
 Microsoft.Compute/snapshots/write
 Microsoft.Compute/locations/vmSizes/read
 Microsoft.Compute/locations/operations/read

Additional cluster identity permissions - Needs to be added to the cluster identity after it's created.

 Microsoft.Network/networkSecurityGroups/write
 Microsoft.Network/networkSecurityGroups/read
 Microsoft.Network/virtualNetworks/subnets/read
 Microsoft.Network/virtualNetworks/subnets/join/action
 Microsoft.Network/routeTables/routes/read
 Microsoft.Network/routeTables/routes/write
 Microsoft.Network/virtualNetworks/subnets/read
 Microsoft.Network/privatednszones/*


As a single list, that would be:

 Microsoft.Compute/diskEncryptionSets/read
 Microsoft.Compute/disks/delete
 Microsoft.Compute/disks/read
 Microsoft.Compute/disks/write
 Microsoft.Compute/locations/DiskOperations/read
 Microsoft.Compute/locations/operations/read
 Microsoft.Compute/locations/vmSizes/read
 Microsoft.Compute/proximityPlacementGroups/write
 Microsoft.Compute/snapshots/delete
 Microsoft.Compute/snapshots/read
 Microsoft.Compute/snapshots/write
 Microsoft.Compute/virtualMachines/read
 Microsoft.Compute/virtualMachines/write
 Microsoft.Compute/virtualMachineScaleSets/read
 Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read
 Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read
 Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
 Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
 Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write
 Microsoft.Compute/virtualMachineScaleSets/write
 Microsoft.ContainerService/managedClusters/*
 Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
 Microsoft.Network/applicationGateways/read
 Microsoft.Network/applicationGateways/write
 Microsoft.Network/loadBalancers/delete
 Microsoft.Network/loadBalancers/read
 Microsoft.Network/loadBalancers/write
 Microsoft.Network/networkInterfaces/read
 Microsoft.Network/networkInterfaces/write
 Microsoft.Network/networkSecurityGroups/read
 Microsoft.Network/networkSecurityGroups/write
 Microsoft.Network/privatednszones/*
 Microsoft.Network/publicIPAddresses/delete
 Microsoft.Network/publicIPAddresses/join/action
 Microsoft.Network/publicIPAddresses/read
 Microsoft.Network/publicIPAddresses/write
 Microsoft.Network/publicIPPrefixes/join/action
 Microsoft.Network/routeTables/read
 Microsoft.Network/routeTables/routes/delete
 Microsoft.Network/routeTables/routes/read
 Microsoft.Network/routeTables/routes/write
 Microsoft.Network/routeTables/write
 Microsoft.Network/virtualNetworks/read
 Microsoft.Network/virtualNetworks/subnets/join/action
 Microsoft.Network/virtualNetworks/subnets/read
 Microsoft.OperationalInsights/workspaces/read
 Microsoft.OperationalInsights/workspaces/sharedkeys/read
 Microsoft.OperationsManagement/solutions/read
 Microsoft.OperationsManagement/solutions/write
 Microsoft.Storage/operations/read
 Microsoft.Storage/storageAccounts/delete
 Microsoft.Storage/storageAccounts/listKeys/action
 Microsoft.Storage/storageAccounts/read
 Microsoft.Storage/storageAccounts/write
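One way to act on the single list above without handing out subscription Owner, as an added example that is not part of the original thread: package the listed actions into a custom Azure role and assign it to the consultant at the scope of the one resource group only. The subscription ID, resource group name, assignee object ID and role name are placeholder assumptions. Note that a custom role definition still has to be created at subscription scope (its AssignableScopes), which needs Microsoft.Authorization/roleDefinitions/write there, so the subscription owner runs this script, not the consultant; the consultant then only receives the assignment on the resource group.

```shell
#!/bin/sh
# Added example (not from the original thread or the AKS docs): build a custom
# role from the permission list in the answer above and assign it at
# resource-group scope with the az CLI.
# SUBSCRIPTION_ID, RESOURCE_GROUP, ASSIGNEE_OBJECT_ID and ROLE_NAME are
# placeholder assumptions; override them in the environment.
set -euf   # -f disables globbing: several actions end in "*"

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aks-consultant}"
ASSIGNEE_OBJECT_ID="${ASSIGNEE_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"
ROLE_NAME="${ROLE_NAME:-AKS Cluster Operator (custom)}"

# The 54 actions from the "single list" in the answer, whitespace separated.
AKS_ACTIONS="
Microsoft.Compute/diskEncryptionSets/read
Microsoft.Compute/disks/delete Microsoft.Compute/disks/read Microsoft.Compute/disks/write
Microsoft.Compute/locations/DiskOperations/read Microsoft.Compute/locations/operations/read
Microsoft.Compute/locations/vmSizes/read Microsoft.Compute/proximityPlacementGroups/write
Microsoft.Compute/snapshots/delete Microsoft.Compute/snapshots/read Microsoft.Compute/snapshots/write
Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write
Microsoft.Compute/virtualMachineScaleSets/write
Microsoft.ContainerService/managedClusters/*
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.Network/applicationGateways/read Microsoft.Network/applicationGateways/write
Microsoft.Network/loadBalancers/delete Microsoft.Network/loadBalancers/read Microsoft.Network/loadBalancers/write
Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/privatednszones/*
Microsoft.Network/publicIPAddresses/delete Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read Microsoft.Network/publicIPAddresses/write
Microsoft.Network/publicIPPrefixes/join/action
Microsoft.Network/routeTables/read Microsoft.Network/routeTables/routes/delete
Microsoft.Network/routeTables/routes/read Microsoft.Network/routeTables/routes/write
Microsoft.Network/routeTables/write
Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.OperationalInsights/workspaces/read Microsoft.OperationalInsights/workspaces/sharedkeys/read
Microsoft.OperationsManagement/solutions/read Microsoft.OperationsManagement/solutions/write
Microsoft.Storage/operations/read Microsoft.Storage/storageAccounts/delete
Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
"

# Number of actions in the role (sanity check against the list in the answer).
count_actions() {
  n=0
  for action in $AKS_ACTIONS; do n=$((n + 1)); done
  echo "$n"
}

# Wildcard actions are the broad grants worth a second look before assigning.
count_wildcard_actions() {
  n=0
  for action in $AKS_ACTIONS; do
    case "$action" in *\**) n=$((n + 1)) ;; esac
  done
  echo "$n"
}

# Emit the JSON that `az role definition create --role-definition @file` expects.
# AssignableScopes must be the subscription; the assignment itself is narrower.
build_role_definition() {
  printf '{\n  "Name": "%s",\n' "$ROLE_NAME"
  printf '  "Description": "Create and operate AKS clusters without subscription Owner",\n'
  printf '  "Actions": [\n'
  first=1
  for action in $AKS_ACTIONS; do
    if [ "$first" -eq 1 ]; then first=0; else printf ',\n'; fi
    printf '    "%s"' "$action"
  done
  printf '\n  ],\n  "NotActions": [],\n'
  printf '  "AssignableScopes": ["/subscriptions/%s"]\n}\n' "$SUBSCRIPTION_ID"
}

# Create the role definition, then assign it on the single resource group only,
# and list the assignments at that scope so the result can be eyeballed.
apply_role() {
  role_file=$(mktemp)
  build_role_definition > "$role_file"
  az role definition create --role-definition "@$role_file"
  rm -f "$role_file"
  rg_scope="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
  az role assignment create \
    --assignee-object-id "$ASSIGNEE_OBJECT_ID" \
    --assignee-principal-type User \
    --role "$ROLE_NAME" \
    --scope "$rg_scope"
  az role assignment list --assignee "$ASSIGNEE_OBJECT_ID" --scope "$rg_scope" --output table
}

# Default is a dry run that only prints the role definition; APPLY=1 runs az.
if [ "${APPLY:-0}" = "1" ]; then
  apply_role
else
  build_role_definition
fi
```

The script merges both of the answer's lists into one role, which is what the answer posted. The documentation it links separates "identity creating and operating the cluster" permissions from "AKS cluster identity" permissions, so a stricter split is possible: give the consultant only the creator list plus Microsoft.ContainerService/managedClusters/* on the resource group, and grant the rest to the cluster's own managed identity. Two of the 54 actions are wildcards (managedClusters/* and privatednszones/*); review those before assigning.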