When you create an Azure Kubernetes Service (AKS) cluster, even with Role Based Access Control (RBAC) and Azure Active Directory (Azure AD) integration enabled, by default anyone with access to the cluster resource can still run the `az aks get-credentials` command with the `--admin` switch to gain admin access, bypassing all the extra security you have put in place. Thankfully, there are two built-in RBAC roles that users and groups can be assigned to, and these allow you to limit who can retrieve the Kubernetes configuration (kubeconfig) information.

Below I will show you how to assign users and groups to the RBAC roles.

A little bit about the roles

When interacting with your AKS cluster using the kubectl tool, it uses the kubeconfig file. This file is typically stored in ~/.kube/config. You can have multiple clusters stored in this file. To view them all you can use `kubectl config get-contexts`, and to switch between clusters you can use `kubectl config use-context clustername`.

When you run `az aks get-credentials` it gets the access credentials for your AKS cluster and merges them into your kubeconfig file. The two roles below control access to these credentials:

  • Azure Kubernetes Service Cluster Admin Role
    • Allows access to Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action API call.
    • Downloads cluster access information for the clusterAdmin role.
  • Azure Kubernetes Service Cluster User Role
    • Allows access to Microsoft.ContainerService/managedClusters/listClusterUserCredential/action API call.
    • Downloads cluster access information for the clusterUser role.

Let’s get to it and assign the role

But first, let’s check what happens when you use the `az aks get-credentials` command with the `--admin` switch before any of these roles have been assigned.

Straight in, no issues at all.

Adding a user

The following example will add the currently signed-in user to the Azure Kubernetes Service Cluster Admin Role (just make sure you enter your cluster’s name and resource group):

If you would like to add a user other than the one currently logged in, just change line 6 and enter the UPN of the account you want.

In the image below, I have logged in with a different user and tried the `az aks get-credentials --admin` command, and as you can see, I do not have authorization.

Adding a group

The below example will add the group aks-admin to the Azure Kubernetes Service Cluster Admin Role. Just change the group name to one you have.

If you want to assign the Azure Kubernetes Service Cluster User Role instead, all you need to do is change the last line of the commands above to name that role rather than the admin one.
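The two assignment procedures above (adding a user, adding a group) can be driven from one small script. The script below is an added example written for this post and is not the author’s own gist. It assumes the Azure CLI is installed and you have run `az login`; `CLUSTER_NAME`, `RESOURCE_GROUP` and the `aks-admin` group name are placeholders to replace with your own values. It resolves the principal’s object id with the `id` property that current `az` versions return (older releases called it `objectId`), scopes the assignment to the cluster resource only, and by default just prints the `az role assignment create` command so you can review it; set `AKS_APPLY=1` to actually execute it and list the resulting assignments.

```shell
#!/bin/sh
# Added example (not the post's own script). Assumes the Azure CLI is installed
# and you have run "az login". CLUSTER_NAME and RESOURCE_GROUP are placeholders.
# Usage:
#   ./aks-role.sh admin user                      # current signed-in user
#   ./aks-role.sh admin user someone@contoso.com  # user by UPN (placeholder)
#   ./aks-role.sh user  group aks-admin           # Azure AD group by display name
# Nothing is changed in Azure unless AKS_APPLY=1 is set; otherwise the
# az role assignment create command is only printed for review.
set -e

CLUSTER_NAME="${CLUSTER_NAME:-my-aks-cluster}"   # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-my-aks-rg}"    # placeholder

ADMIN_ROLE="Azure Kubernetes Service Cluster Admin Role"
USER_ROLE="Azure Kubernetes Service Cluster User Role"

# Map a short alias to the built-in role name. Anything else is rejected so a
# typo cannot silently grant some other role.
role_for() {
  case "$1" in
    admin) printf '%s' "$ADMIN_ROLE" ;;
    user)  printf '%s' "$USER_ROLE" ;;
    *) echo "unknown role alias '$1' (use admin or user)" >&2; return 1 ;;
  esac
}

# Build the exact command as a string so it can be reviewed (or tested)
# before it is executed.
build_assignment_cmd() {
  role="$1"; principal_type="$2"; principal_id="$3"; scope="$4"
  printf 'az role assignment create --role "%s" --assignee-object-id %s --assignee-principal-type %s --scope %s' \
    "$role" "$principal_id" "$principal_type" "$scope"
}

# Resolve the object id of a user (signed-in or by UPN) or a group.
# Uses the "id" property returned by current az versions (older: objectId).
resolve_principal_id() {
  kind="$1"; name="$2"
  case "$kind" in
    user)
      if [ -z "$name" ]; then
        az ad signed-in-user show --query id -o tsv
      else
        az ad user show --id "$name" --query id -o tsv
      fi ;;
    group) az ad group show --group "$name" --query id -o tsv ;;
    *) echo "principal kind must be user or group" >&2; return 1 ;;
  esac
}

main() {
  role=$(role_for "$1")
  kind="$2"
  name="${3:-}"
  case "$kind" in user) ptype=User ;; group) ptype=Group ;; *) ptype="" ;; esac
  principal_id=$(resolve_principal_id "$kind" "$name")
  # Scope the assignment to the cluster resource, not the whole subscription.
  scope=$(az aks show --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP" --query id -o tsv)
  cmd=$(build_assignment_cmd "$role" "$ptype" "$principal_id" "$scope")
  if [ "${AKS_APPLY:-0}" = "1" ]; then
    eval "$cmd"
    # Confirm who now holds this role on the cluster.
    az role assignment list --scope "$scope" --role "$role" -o table
  else
    echo "dry run (set AKS_APPLY=1 to execute):"
    echo "$cmd"
  fi
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

After an admin assignment has been applied, a user who is not in the role should get an authorization error from `az aks get-credentials --admin`, which is the behaviour the post shows; the `az role assignment list` call at the end is the quick way to audit who still holds either role on the cluster.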

All in All

This is a nice way to secure your AKS cluster further and I highly recommend that you do this. And don’t forget, you can do this via the portal too if you prefer; it’s just like adding any other role assignment on a resource.

So, what are you waiting for, go ahead and secure your AKS clusters?! If you do have any questions or comments, please reach out.


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
