How to Assign Read-Only Access for AKS in Azure?

Asked By TechieNinja42 On

I'm trying to give a developer read-only access to an Azure Kubernetes Service (AKS) resource so they can view things like pods and namespaces in the Azure Portal. I've assigned them the `Azure Kubernetes Service RBAC Reader` role, but they still can't access the resource. It seems like they might also need a basic reader role to see the actual resource. Do I need to provide them with generic "reader" access for the AKS resource and also grant them access to the internal AKS roles? What's the best practice for handling permissions for specific resources like this?

4 Answers

Answered By RBACmaster22 On

I've created an RBAC least privilege calculator and a role viewer that might help you understand permissions better. Hit me up if you want access to that!

Answered By AzureWizard99 On

Yep, you’re spot on! To give them read access in the Azure Portal, you'll definitely need to assign them the Reader role as well. The `Azure Kubernetes Service RBAC Reader` role provides access to the Data Plane (for reading the AKS cluster resources), while the Reader role gives access to the Control Plane (for viewing resources in the Azure Portal).

SupportiveBuddy27 -

Just a heads up, the `Azure Kubernetes Service RBAC Reader` role works best if you’re using Azure RBAC with Entra ID for AKS authentication. If you’re using something else, it might not work as intended.

Answered By CloudGuru88 On

Make sure they also have the "Azure Kubernetes Service Cluster User" role. That could be essential for them to access the information they need.

Answered By SecurityGeek89 On

If you're unsure about which authentication method you're using for AKS, you can check that in the portal under the overview tab. If it says "Local accounts with Kubernetes RBAC," then the `Azure Kubernetes Service RBAC Reader` role won't be effective for your developer.
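The role split described in the answers above, as an added example that is not part of the original thread: a POSIX shell sketch that prints the `az role assignment create` commands for one developer, scoped to the single cluster, and leaves out the data-plane role when Azure RBAC is not enabled. The function names are hypothetical, and `Azure Kubernetes Service Cluster User Role` is the full built-in name of the role the thread calls "Cluster User".

```shell
#!/bin/sh
# Added example, not code from the thread. It prints the commands for review
# and does not run them.

# Print the roles to assign, one per line.
# $1: value of aadProfile.enableAzureRbac for the cluster ("true" when
#     Azure RBAC for Kubernetes authorization is enabled)
roles_for_cluster() {
  echo "Reader"                                      # control plane: resource visible in the portal
  echo "Azure Kubernetes Service Cluster User Role"  # lets the user fetch cluster credentials
  case "$1" in
    true|True)
      echo "Azure Kubernetes Service RBAC Reader"    # data plane: pods, namespaces
      ;;
  esac
}

# Print one assignment per role, scoped to the cluster's resource ID so that
# nothing is granted at resource-group or subscription level.
# $1: assignee (UPN or object ID)  $2: cluster resource ID  $3: Azure RBAC flag
plan_assignments() {
  roles_for_cluster "$3" | while IFS= read -r role; do
    printf 'az role assignment create --assignee "%s" --role "%s" --scope "%s"\n' \
      "$1" "$role" "$2"
  done
  case "$3" in
    true|True) ;;
    *) echo "# Azure RBAC not enabled: RBAC Reader omitted, it would have no effect" ;;
  esac
}

# Read scope and auth mode from the live cluster, then print the plan.
# Needs the az CLI and a logged-in session.
# $1: resource group  $2: cluster name  $3: assignee
plan_for_live_cluster() {
  scope=$(az aks show -g "$1" -n "$2" --query id -o tsv) || return 1
  azure_rbac=$(az aks show -g "$1" -n "$2" \
    --query aadProfile.enableAzureRbac -o tsv) || return 1
  plan_assignments "$3" "$scope" "$azure_rbac"
}
```

On a cluster that uses local accounts with Kubernetes RBAC, the plan stops at the two control-plane roles; read access to pods and namespaces then has to be granted inside the cluster with Kubernetes RBAC.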
