MLM-2836 asked
0 Votes

Azure RBAC and AKS not working as expected

Hello,

I have created an AKS Cluster with AKS-managed Azure Active Directory and Role-based access control (RBAC) enabled.
If I try to connect to the Cluster by using one of the accounts which are included in the Admin Azure AD groups, everything works as it should.
I am having some difficulties when I try to do this with a user which is not a member of the Admin Azure AD groups. What I did is the following:
- created a new user
- assigned the roles Azure Kubernetes Service Cluster User Role and Azure Kubernetes Service RBAC Reader to this user
- executed the following command: az aks get-credentials --resource-group RG1 --name aksttest

When I then execute the following command: kubectl get pods -n test I get the following error: Error from server (Forbidden): pods is forbidden: User "aksthree@tenantname.onmicrosoft.com" cannot list resource "pods" in API group "" in the namespace "test"

In the Cluster I haven't done any RoleBinding. According to the documentation from Microsoft, there is no additional task that should be done in the Cluster (like, for example, a Role definition and RoleBinding).

My expectation is that when a user has the above two roles assigned, he should have read rights in the Cluster. Am I doing something wrong?

Please let me know what you think,
Thanks in advance,
Mile


Tags: azure-kubernetes-service, azure-rbac

Can you make sure that you have Azure RBAC enabled for the cluster?

az aks update -g myrgname -n myakscl --enable-azure-rbac

enableRBAC Whether to enable Kubernetes Role-Based Access Control.
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization.

1 Vote
VarunSharma-4299 answered

Do you have enableAzureRBAC turned on? Notice how it is different from enableRBAC.

0 Votes
shivapatpi-MSFT answered

Hello @MLM-2836,
I was able to repro the exact issue in my subscription, but after following the document
https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac#create-the-aks-cluster-resources-for-sres
and providing the ClusterRoleBinding to the set of users, I was able to access it.

Here is the sample YAML file:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: username@something.com   # placeholder: the Azure AD user's UPN


Having said that, I will do some additional research on this and will follow up accordingly to get that document updated with some additional steps.



Regards,
Shiva.

0 Votes
MLM-2836 answered
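The two answers above describe two different authorization paths, and which one applies depends on a single cluster flag: with enableAzureRBAC on, the Azure role assignment "Azure Kubernetes Service RBAC Reader" is what grants read access, while with Kubernetes RBAC only (enableRBAC without enableAzureRBAC) the assignment is ignored and a Role/RoleBinding has to exist inside the cluster. The following Python is an added example, not code from this thread or from Microsoft. It takes the JSON that `az aks show -o json` and `az role assignment list -o json` print (only the fields it uses are modelled; the key spelling is matched case-insensitively because ARM uses enableRBAC/enableAzureRBAC while the CLI prints enableRbac/enableAzureRbac), decides which path the user is on, and, for the Kubernetes RBAC path, renders a namespace-scoped pod-reader binding as a least-privilege alternative to the cluster-admin ClusterRoleBinding shown above. The subscription ID, cluster ID and assignments are constructed placeholders.

```python
"""Added example: diagnose why an Azure AD user cannot read pods on AKS.
Inputs are assumed to be `az aks show -o json` and
`az role assignment list --assignee <upn> -o json` output (only the fields
used here are modelled). All sample values below are constructed."""

# Azure roles that grant data-plane (Kubernetes API) rights under Azure RBAC.
# "Azure Kubernetes Service Cluster User Role" is deliberately absent: it only
# permits fetching a kubeconfig (az aks get-credentials), not reading objects.
DATA_PLANE_ROLES = {
    "Azure Kubernetes Service RBAC Reader",
    "Azure Kubernetes Service RBAC Writer",
    "Azure Kubernetes Service RBAC Admin",
    "Azure Kubernetes Service RBAC Cluster Admin",
}

def _get(d: dict, key: str):
    """Case-insensitive key lookup (enableRBAC vs enableRbac)."""
    want = key.lower()
    for k, v in d.items():
        if k.lower() == want:
            return v
    return None

def azure_rbac_enabled(aks_show: dict) -> bool:
    """Azure RBAC for Kubernetes authorization needs both flags set."""
    aad = _get(aks_show, "aadProfile") or {}
    return bool(_get(aks_show, "enableRBAC")) and bool(_get(aad, "enableAzureRBAC"))

def scope_covers(scope: str, cluster_id: str, namespace: str) -> bool:
    """An assignment applies if its scope is the subscription, resource group,
    the cluster itself, or the cluster's namespace sub-resource for `namespace`."""
    s = scope.lower().rstrip("/")
    c = cluster_id.lower().rstrip("/")
    if (c + "/").startswith(s + "/"):   # trailing slash avoids RG1 matching RG10
        return True
    return s == f"{c}/namespaces/{namespace.lower()}"

def diagnose(aks_show: dict, assignments: list, namespace: str) -> str:
    """Return which path grants (or should grant) read access in `namespace`."""
    if not azure_rbac_enabled(aks_show):
        return "kubernetes-rbac"   # Azure assignments are ignored; bind in-cluster
    cluster_id = aks_show["id"]
    effective = [
        a for a in assignments
        if a["roleDefinitionName"] in DATA_PLANE_ROLES
        and scope_covers(a["scope"], cluster_id, namespace)
    ]
    return "azure-rbac-ok" if effective else "azure-rbac-no-assignment"

def reader_binding_yaml(user: str, namespace: str) -> str:
    """Least-privilege alternative to a cluster-admin ClusterRoleBinding:
    a namespaced Role that can only read pods, bound to one Azure AD user."""
    return f"""apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: {namespace}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-{namespace}
  namespace: {namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: {user}
"""

# Constructed sample data (placeholder subscription and cluster IDs).
CLUSTER_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
              "/resourceGroups/RG1/providers/Microsoft.ContainerService"
              "/managedClusters/aksttest")
CLUSTER_K8S_RBAC_ONLY = {"id": CLUSTER_ID, "enableRbac": True,
                         "aadProfile": {"managed": True, "enableAzureRbac": False}}
CLUSTER_AZURE_RBAC = {"id": CLUSTER_ID, "enableRbac": True,
                      "aadProfile": {"managed": True, "enableAzureRbac": True}}
ASSIGNMENTS = [
    {"roleDefinitionName": "Azure Kubernetes Service Cluster User Role",
     "scope": CLUSTER_ID},
    {"roleDefinitionName": "Azure Kubernetes Service RBAC Reader",
     "scope": CLUSTER_ID + "/namespaces/test"},
]

if __name__ == "__main__":
    for label, cluster in (("k8s-rbac-only", CLUSTER_K8S_RBAC_ONLY),
                           ("azure-rbac", CLUSTER_AZURE_RBAC)):
        verdict = diagnose(cluster, ASSIGNMENTS, "test")
        print(f"{label}: {verdict}")
        if verdict == "kubernetes-rbac":
            print(reader_binding_yaml("aksthree@tenantname.onmicrosoft.com", "test"))
```

Whichever path applies, the quickest confirmation from the user's own kubeconfig is `kubectl auth can-i list pods -n test`, which returns yes or no without touching any workload. The namespace-scoped Role rendered here is the defensive choice: it grants exactly the read the question asks for, whereas binding the built-in cluster-admin ClusterRole gives the user full control of the cluster.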

Hi Shiva,

Thank you for the quick answer.
Once I create the Role definition and RoleBinding in the cluster, things work as they should. When I enabled RBAC for the cluster, a ClusterRoleBinding was created in the Cluster.
This is however not the case when I assigned the above-mentioned roles to my test user. I am not sure if this is a bug or not.
Please let me know what you think,

Thanks again,
BR
Mile

0 Votes
MLM-2836 answered

Hi VarunSharma-4299,

That did the trick. It is working as expected now.
Thank you for your help.

Best Regards,
Mile
