I'm trying to give a developer read-only access to an Azure Kubernetes Service (AKS) resource so they can view pods, namespaces, and similar things in the Azure Portal. I believe the role they need is the 'Azure Kubernetes Service RBAC Reader'. However, I've read that the RBAC roles provide permissions within Kubernetes clusters, while non-RBAC roles control the cluster's lifecycle management. After assigning the RBAC Reader role, the developer still can't see the resource in the portal. Do I need to assign a general 'Reader' role for the Azure resource as well? It seems that to properly manage access to individual resources, both the AKS resource and internal roles need to be addressed. What are the best practices for setting permissions in this scenario?
3 Answers
I've created an RBAC least privilege calculator as well as a role viewer to help clarify permissions in both control and data planes. If you're interested in better understanding these roles, let me know and I can share it with you!
Make sure to also assign them the 'Azure Kubernetes Service Cluster User' role. This role can seem focused on credential listing but it's important for accessing the AKS resource effectively. Without it, they might still face restrictions even with the RBAC Reader role granted.
Yes, to enable read access in the Azure Portal, you should also provide them with the generic Reader role. Azure operates with a Data Plane and Control Plane; the RBAC Reader role handles permissions in the Data Plane, while the Reader role manages access in the Control Plane. Just a heads-up, the RBAC role only works if your AKS is set up for Azure RBAC with Entra ID authentication.
How can I check if I'm using Entra ID for AKS authentication? I feel unsure about this aspect.
I noticed that the roles seem to center on credential listing. Can you break down what that entails? Are there specific tasks related to this role that I need to be aware of?