Azure AKS Permissions and Access Control Explained


Azure Kubernetes Service (AKS) integrates with Microsoft Entra ID (formerly Azure Active Directory) for identity and access control. With that integration enabled, users and workloads authenticate to the cluster with Entra identities, and what they may then do is decided separately by authorization: Kubernetes RBAC inside the cluster, or Azure RBAC for Kubernetes Authorization if you enable it.

To manage access to AKS, you use Azure RBAC (Role-Based Access Control) to assign roles to users, groups, service principals and managed identities. Azure RBAC controls actions on the cluster as an Azure resource, such as who can fetch cluster credentials, and with Azure RBAC for Kubernetes Authorization it can also control access to Kubernetes API objects.

Azure RBAC is scoped rather than hierarchical within a role: an assignment made at a management group, subscription, resource group or individual resource is inherited by everything beneath that scope. Built-in roles such as Owner, Contributor, and Reader set the level of access a principal has to the cluster as an Azure resource. Note that Owner and Contributor include the listClusterAdminCredential action, so either one can fetch the admin kubeconfig and is effectively cluster-admin unless local accounts are disabled on the cluster.

Azure also offers Azure Policy to enforce compliance and governance across your AKS resources.

Assigning Permissions

Assigning permissions in Azure AKS is a crucial step in controlling access to your cluster. Two Azure roles control who may retrieve cluster credentials and can be applied to a Microsoft Entra user or group: the Azure Kubernetes Service Cluster Admin Role (grants listClusterAdminCredential, the admin kubeconfig) and the Azure Kubernetes Service Cluster User Role (grants listClusterUserCredential, the user kubeconfig). Neither role by itself grants any permission inside Kubernetes; that comes from Kubernetes RBAC or from Azure RBAC for Kubernetes Authorization.


To assign one of these roles, get the resource ID of the AKS cluster with az aks show and the object ID of the Microsoft Entra user with az ad user show, then pass both to az role assignment create: the object ID as --assignee and the cluster ID as --scope. The assignment records the object ID; --assignee also accepts a user principal name or application ID, which the CLI resolves through Microsoft Graph.

To assign permissions to a Microsoft Entra group instead, set --assignee to the group's object ID, which az ad group show returns. Prefer group assignments where you can: membership changes then take effect without creating or deleting role assignments on the cluster.

When Azure RBAC for Kubernetes Authorization is enabled on the cluster, Azure also provides four built-in data-plane roles. They can be assigned at cluster scope or at a single namespace, whose scope is the cluster resource ID followed by /namespaces/<name>:

  • Azure Kubernetes Service RBAC Reader: Allows read-only access in a namespace.
  • Azure Kubernetes Service RBAC Writer: Allows read/write access to most objects in a namespace.
  • Azure Kubernetes Service RBAC Admin: Allows admin access, intended to be granted within a namespace.
  • Azure Kubernetes Service RBAC Cluster Admin: Allows super-user access to perform any action on any resource.
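The assignment procedure above and the namespace-scoped data-plane roles, as one added example script (not code from the original article). It assumes an Azure CLI session with rights to create role assignments on the cluster; resource group, cluster, principal and namespace names are supplied by the caller, and the ones in the usage note are placeholders.

```shell
#!/bin/sh
# Added example: grant AKS roles to an Entra user or group with the Azure CLI.
# Assumes an Azure CLI session that may create role assignments on the cluster.
set -eu

# Resource ID of the cluster: the scope for cluster-level assignments.
aks_id() {
  az aks show -g "$1" -n "$2" --query id -o tsv
}

# Object ID of an Entra user (by UPN) or group (by display name). Role
# assignments record object IDs; names are only resolved through Microsoft Graph.
principal_object_id() {
  case "$1" in
    user)  az ad user show --id "$2" --query id -o tsv ;;
    group) az ad group show --group "$2" --query id -o tsv ;;
    *)     echo "unknown principal kind: $1" >&2; return 1 ;;
  esac
}

# Principal type for --assignee-principal-type, which lets the assignment be
# created without a Graph lookup (useful in pipelines that lack Graph permission).
principal_type() {
  case "$1" in
    user)  echo User ;;
    group) echo Group ;;
    *)     echo "unknown principal kind: $1" >&2; return 1 ;;
  esac
}

# Create one assignment and print its ID. Arguments: role, kind, name, scope.
assign_role() {
  az role assignment create \
    --role "$1" \
    --assignee-object-id "$(principal_object_id "$2" "$3")" \
    --assignee-principal-type "$(principal_type "$2")" \
    --scope "$4" \
    --query id -o tsv
}

# Cluster User Role: allows fetching a kubeconfig (listClusterUserCredential)
# and nothing more; what the holder can do inside the cluster is decided by
# Kubernetes RBAC, or by Azure RBAC for Kubernetes Authorization if enabled.
# Arguments: kind, name, resource group, cluster.
grant_cluster_user() {
  assign_role "Azure Kubernetes Service Cluster User Role" "$1" "$2" "$(aks_id "$3" "$4")"
}

# Namespace-scoped data-plane role. The scope is the cluster ID followed by
# /namespaces/<name>; it only takes effect when Azure RBAC for Kubernetes
# Authorization is enabled. Arguments: kind, name, resource group, cluster, namespace.
grant_namespace_reader() {
  assign_role "Azure Kubernetes Service RBAC Reader" "$1" "$2" "$(aks_id "$3" "$4")/namespaces/$5"
}
```

Source the file and call, for example, `grant_cluster_user group aks-dev-readers MyResourceGroup MyManagedCluster` followed by `grant_namespace_reader group aks-dev-readers MyResourceGroup MyManagedCluster dev`: the group can download a kubeconfig and read the dev namespace, and nothing else. Passing the object ID together with the principal type is what lets this run from a service principal that has no Microsoft Graph permission.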

To create a custom role, you can use the Azure CLI to create a role definition and then assign it to a user or group.

In some cases you need to grant a role to the cluster's own identity, for example Managed Identity Operator on a user-assigned identity that the cluster should be able to use. For a cluster created with a service principal, az aks show --query servicePrincipalProfile.clientId returns its Client ID; for a cluster that uses a managed identity that field reads msi, and the principal to use is the object ID returned by az aks show --query identity.principalId. Grant the "Managed Identity Operator" role to that principal on the identity you created, scoped to that identity resource only.

Verifying and Managing Permissions


To verify the configuration, run az aks get-credentials to fetch the kubeconfig definition for your AKS cluster. The command merges the cluster's context and credentials into your kubeconfig file; with --admin it fetches the admin credential instead, which requires the Cluster Admin Role.

You can then run kubectl config view to confirm the context for the cluster is present and, if you used --admin, that it carries the admin client certificate rather than an Entra exec-plugin entry.

To remove role assignments, use the az role assignment delete command, specifying the account ID and cluster resource ID.


Access Verification

Access verification is a crucial step in ensuring that users have exactly the permissions they need to access and manage resources in an AKS cluster. To verify access, use the az aks get-credentials command to get the kubeconfig definition for your cluster.

If you fetched the admin credentials with --admin, kubectl config view shows the cluster context with the admin client certificate applied. For a user credential the context instead carries an exec entry that obtains a Microsoft Entra token through kubelogin on first use.

To check the access actually granted, take a user (call them frog) who has been assigned the Cluster User Role on the cluster. frog first fetches the cluster's kubeconfig with az aks get-credentials -g MyResourceGroup -n MyManagedCluster.

With the kubeconfig in place, frog can run kubectl commands only against resources for which access has been granted. kubectl auth can-i <verb> <resource> -n <namespace> asks the API server's own authorizer, so it reports effective permissions whether they come from Kubernetes RBAC or from the Azure RBAC webhook; a principal that holds only a Reader role should answer no to create and delete.
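The verification steps above (fetching a kubeconfig, inspecting how its context authenticates, probing what the principal can do) as an added example script; it is not code from the original article. It assumes the Azure CLI, kubectl and, for Entra-integrated clusters, kubelogin are installed and that the caller is signed in; the resource group, cluster and namespace names are supplied by the caller.

```shell
#!/bin/sh
# Added example: fetch a kubeconfig and verify what the current principal can do.
# Assumes az, kubectl and kubelogin are installed and the caller is signed in.
set -eu

# Merge the cluster's user (non-admin) context into the kubeconfig and select it.
# --admin would instead fetch the cluster-admin credential, which requires the
# Cluster Admin Role and bypasses Entra entirely (a long-lived client certificate).
fetch_user_context() {
  az aks get-credentials -g "$1" -n "$2" --overwrite-existing
}

# Report how the active context authenticates: a client certificate embedded in
# the kubeconfig (admin credential or local account) versus an exec plugin
# (kubelogin) that obtains Entra tokens interactively or from a workload identity.
context_auth_kind() {
  cfg=$(kubectl config view --minify --raw -o yaml)
  if printf '%s\n' "$cfg" | grep -q 'client-certificate-data'; then
    echo certificate
  elif printf '%s\n' "$cfg" | grep -q 'kubelogin'; then
    echo entra-exec
  else
    echo unknown
  fi
}

# kubectl auth can-i is answered by the API server's authorizer (Kubernetes RBAC
# or the Azure RBAC webhook), so it reflects effective permissions rather than
# what a role assignment claims. Prints one line per verb: "<verb> yes|no".
probe_namespace() {
  ns="$1"
  for verb in get list create delete; do
    if kubectl auth can-i "$verb" pods -n "$ns" >/dev/null 2>&1; then
      echo "$verb yes"
    else
      echo "$verb no"
    fi
  done
}

# Guardrail for a principal that is supposed to be read-only: fail if any
# write verb on pods in the namespace is allowed.
assert_read_only() {
  if probe_namespace "$1" | grep -Eq '^(create|delete) yes$'; then
    echo "principal can write in namespace $1" >&2
    return 1
  fi
  return 0
}
```

Run `fetch_user_context MyResourceGroup MyManagedCluster`, then `context_auth_kind` (expect entra-exec on an Entra-integrated cluster) and `assert_read_only dev` for a principal that was only given a Reader role. A certificate answer from a context you expected to be Entra-backed means an admin or local-account credential is in use and should be investigated.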

Remove Role Permissions

Removing role permissions requires the same two values used when assigning them: the principal's object ID and the cluster resource ID. You can obtain these values from the previous steps.

To delete a role assignment, run az role assignment delete with --assignee set to the object ID, --role set to the role name and --scope set to the cluster resource ID.

If you assigned the role to a group, specify the group object ID instead of the user object ID for the --assignee parameter; otherwise the delete matches nothing and the group's access silently remains.

Deleting the assignment does not invalidate kubeconfigs that were already downloaded. An admin credential is a client certificate that keeps working until the cluster certificates are rotated or local accounts are disabled, and an Entra user who already has a kubeconfig keeps whatever access Kubernetes RBAC or the Azure RBAC data-plane roles still grant, because the credential roles only govern downloading the kubeconfig.

Here's a summary of the steps to remove role permissions:

  • Get the cluster resource ID with az aks show and the principal's object ID with az ad user show or az ad group show.
  • Run az role assignment delete with --assignee, --role and --scope.
  • Confirm nothing is left with az role assignment list --assignee <object ID> --scope <cluster ID>.
  • If an admin credential was in circulation, rotate the cluster certificates or disable local accounts.
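The removal steps as an added example script (not code from the original article). It assumes an Azure CLI session that may delete role assignments on the cluster; the principal object ID and cluster resource ID are passed in, obtained as described above.

```shell
#!/bin/sh
# Added example: revoke a principal's AKS role assignments at cluster scope.
# Assumes an Azure CLI session that may delete role assignments on the cluster.
set -eu

# IDs of every assignment the principal holds at the given scope. Assignments
# inherited from the resource group or subscription are not listed without
# --include-inherited, which is deliberate: those are revoked at their own scope.
list_assignment_ids() {
  az role assignment list --assignee "$1" --scope "$2" --query "[].id" -o tsv
}

# Delete one named role for the principal (mirrors the create call).
# Arguments: role, principal object ID, scope.
revoke_role() {
  az role assignment delete --role "$1" --assignee "$2" --scope "$3"
}

# Remove everything the principal has at the cluster scope, then confirm
# nothing is left. Prints the number of assignments removed.
revoke_all_at_scope() {
  ids=$(list_assignment_ids "$1" "$2")
  count=0
  for id in $ids; do
    az role assignment delete --ids "$id" >/dev/null
    count=$((count + 1))
  done
  remaining=$(list_assignment_ids "$1" "$2" | wc -l | tr -d ' ')
  if [ "$remaining" -ne 0 ]; then
    echo "assignments remain for $1 at $2" >&2
    return 1
  fi
  echo "$count"
}
```

Use `revoke_role "Azure Kubernetes Service Cluster User Role" <object ID> <cluster ID>` to remove one role, or `revoke_all_at_scope <object ID> <cluster ID>` when offboarding a principal from the cluster entirely; the final listing is the check that makes a mistyped group ID visible instead of silent.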

Advanced Permission Topics

Two Azure roles can be applied to a Microsoft Entra user or group to control access to AKS cluster credentials: the Azure Kubernetes Service Cluster Admin Role and the Azure Kubernetes Service Cluster User Role. They decide which kubeconfig a principal can download, so assigning the right one to the right users matters.

Users with the Cluster User Role receive, on an Entra-integrated cluster, a kubeconfig that contains no credentials: it has an exec entry that prompts for a Microsoft Entra sign-in through kubelogin the first time kubectl is used. Once signed in, their access is whatever Kubernetes RBAC or Azure RBAC for Kubernetes Authorization grants to their Microsoft Entra user or group.

Users with the Cluster Admin Role can fetch the admin kubeconfig, a client certificate bound to cluster-admin that bypasses Entra entirely. It is the only way in on clusters without Entra integration and a break-glass credential everywhere else; disable it with az aks update --disable-local-accounts once Entra-based access is in place.

Here's a quick rundown of the two roles:

  • Azure Kubernetes Service Cluster User Role: listClusterUserCredential; kubeconfig that signs in to Entra; in-cluster permissions come from Kubernetes RBAC or the Azure RBAC data-plane roles.
  • Azure Kubernetes Service Cluster Admin Role: listClusterAdminCredential; certificate-based kubeconfig with cluster-admin; independent of Entra and unaffected by its policies.

Remember, it's crucial to assign the right role to the right users to ensure secure access to your AKS cluster.

Customizing Permissions


To create a custom role, define it in JSON: a name, the Actions (Azure management-plane operations) and DataActions (Kubernetes API objects, honoured when Azure RBAC for Kubernetes Authorization is enabled) it allows, and the AssignableScopes at which it may be assigned. For example, a custom role called "AKS Namespace Viewer" could allow only the listClusterUserCredential action plus the Microsoft.ContainerService/managedClusters/namespaces/read data action, giving read access to namespaces and nothing else.

The az role definition create command creates the role definition from that JSON. You then use az role assignment create to assign the custom role to a user or group, exactly as with a built-in role.
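The "AKS Namespace Viewer" custom role from the paragraph above, as an added example (not code from the original article). The role name, description and the wildcard check are illustrative; the subscription ID is passed in, and the script assumes an Azure CLI session allowed to create role definitions in that subscription.

```shell
#!/bin/sh
# Added example: define and create a custom Azure role that only lets the
# holder read namespaces in AKS clusters. The role name and description are
# illustrative; the subscription ID is the first argument.
set -eu

# Azure RBAC for Kubernetes Authorization separates "Actions" (Azure management
# plane, e.g. reading the managedCluster resource) from "DataActions"
# (Kubernetes API objects, e.g. namespaces). A namespace viewer needs the data
# action; listClusterUserCredential is what lets it fetch a kubeconfig at all.
namespace_viewer_role_json() {
  cat <<EOF
{
  "Name": "AKS Namespace Viewer",
  "Description": "Read-only access to Kubernetes namespaces in AKS clusters",
  "Actions": [
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
  ],
  "DataActions": [
    "Microsoft.ContainerService/managedClusters/namespaces/read"
  ],
  "NotActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$1"
  ]
}
EOF
}

# Reject definitions that quietly grant more than intended: a wildcard in
# Actions or DataActions would turn a "viewer" into something far broader.
reject_wildcards() {
  if printf '%s\n' "$1" | grep -Eq '"[^"]*\*[^"]*"'; then
    echo "wildcard found in role definition" >&2
    return 1
  fi
  return 0
}

# Write the definition to a temporary file and create it with the Azure CLI.
create_namespace_viewer_role() {
  def=$(namespace_viewer_role_json "$1")
  reject_wildcards "$def"
  tmp=$(mktemp)
  printf '%s\n' "$def" > "$tmp"
  az role definition create --role-definition "@$tmp"
  rm -f "$tmp"
}
```

Call `create_namespace_viewer_role <subscription ID>` once, then assign the role with az role assignment create exactly like a built-in one. Keep AssignableScopes as narrow as the role will ever be used; a role assignable at a management group is harder to audit than one pinned to a subscription.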

To grant cluster permission to an identity, you need to know which principal runs the AKS cluster. For a cluster created with a service principal, az aks show --query servicePrincipalProfile.clientId returns its Client ID; for a cluster that uses a managed identity that field reads msi, and the principal to use is the object ID returned by az aks show --query identity.principalId.

Once you have that identifier, grant the "Managed Identity Operator" role to it on your user-assigned identity, scoped to that identity resource only. Granting it at resource-group scope would let the cluster assign any identity in the group to its nodes or pods. In the Azure portal this is done from the Managed Identity's Access Control (IAM) blade.

Here's a step-by-step guide to granting the "Managed Identity Operator" role:

1. Locate the Managed Identity you created in the Azure portal and select it.

2. Go to Access Control (IAM).

3. Click on Role Assignments.

4. Click on Add Role Assignment.

5. Select the "Managed Identity Operator" role.

6. Select the cluster's principal: for a service-principal cluster, enter its Client ID in the search box; for a managed-identity cluster, choose Managed identity and pick the cluster's identity.

7. Click Save.
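The same grant done with the Azure CLI rather than the portal, as an added example (not code from the original article). It resolves the cluster's principal for both managed-identity and service-principal clusters and scopes the role to the single identity resource; the resource group, identity and cluster names are supplied by the caller.

```shell
#!/bin/sh
# Added example: let the AKS cluster's identity use a user-assigned managed
# identity by granting "Managed Identity Operator" on that identity only.
# Assumes an Azure CLI session with Owner or User Access Administrator on the identity.
set -eu

# Principal to grant. On a managed-identity cluster it is identity.principalId
# (an object ID); the older servicePrincipalProfile.clientId field reads "msi"
# there, so that path is only used when the cluster still runs as a service
# principal, in which case the app ID is resolved to the SP's object ID.
cluster_identity_object_id() {
  pid=$(az aks show -g "$1" -n "$2" --query identity.principalId -o tsv)
  if [ -n "$pid" ] && [ "$pid" != "None" ]; then
    echo "$pid"
    return 0
  fi
  client_id=$(az aks show -g "$1" -n "$2" --query servicePrincipalProfile.clientId -o tsv)
  az ad sp show --id "$client_id" --query id -o tsv
}

# Scope the grant to the one identity resource, not its resource group:
# Managed Identity Operator at group scope would let the cluster attach any
# identity in the group to its nodes or pods.
# Arguments: identity resource group, identity name, cluster resource group, cluster.
grant_identity_operator() {
  identity_id=$(az identity show -g "$1" -n "$2" --query id -o tsv)
  az role assignment create \
    --role "Managed Identity Operator" \
    --assignee-object-id "$(cluster_identity_object_id "$3" "$4")" \
    --assignee-principal-type ServicePrincipal \
    --scope "$identity_id" \
    --query scope -o tsv
}
```

Run `grant_identity_operator MyResourceGroup pod-identity MyResourceGroup MyManagedCluster`; it prints the scope of the new assignment, which should be the identity's own resource ID. The principal type is ServicePrincipal for both cases because a managed identity is represented in Entra as a service principal.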

By following these steps, you can customize permissions in Azure AKS to suit your needs.

Cory Hayashi

Writer

Cory Hayashi is a writer with a passion for technology and innovation. He started his career as a software developer and quickly became interested in the intersection of tech and society. His writing explores how emerging technologies impact our lives, from the way we work to the way we communicate.
