As of now, what I did is this: I created a Kubernetes cluster and enabled RBAC in the web UI while creating the cluster. Inside the cluster I created a namespace named development1. Now I want to give a user access to some Kubernetes resources that belong to the development1 namespace. For that I created a role and added a user for a particular namespace.
Here are my configuration files:
deployment.yaml

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: hellonode
      namespace: development1
    spec:
      replicas: 2
      template:
        metadata:
          labels:
            app: samplenodeapp
        spec:
          containers:
          - name: hellonode
            image: hellonode.azurecr.io/aks-deployments:latest
            ports:
            - containerPort: 3000
          imagePullSecrets:
          - name: webinar
service.yaml

    apiVersion: v1
    kind: Service
    metadata:
      name: hellonode
      namespace: development1
      labels:
        app: samplenodeapp
    spec:
      type: LoadBalancer
      ports:
      - port: 3000
      selector:
        app: samplenodeapp
role.yaml

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      namespace: development1
      name: developer-role
    # a YAML mapping cannot carry the key "rules" twice, so both rule sets
    # belong in one list (the original file repeated the "rules:" key)
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["deployments", "replicasets"]
      verbs: ["*"]
    - apiGroups: [""]
      resources: ["pods", "pods/log", "pods/exec"]
      verbs: ["get", "list", "watch", "create", "update", "patch"]
rolebinding.yaml

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: developer-rb
      namespace: development1
    subjects:
    - kind: User
      name: <Azure_AD_user_object-id>
      apiGroup: "rbac.authorization.k8s.io"
    roleRef:
      kind: Role
      name: developer-role
      apiGroup: "rbac.authorization.k8s.io"
Now I am trying to list the pods in development1 (the namespace) using the command `kubectl get pods -n development --user=<Azure_AD_username>`. Instead of listing the pods, I get an error like:

    error: You must be logged in to the server (Unauthorized).

My doubts here are: is it necessary to create a context for that namespace? And should I add the role in deployment.yaml and service.yaml?
I don't know what I missed. Could anybody suggest how I can give a user permissions on Kubernetes resources in Azure?
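The error quoted above, "You must be logged in to the server (Unauthorized)", is a 401 from the authentication stage, which runs before RBAC is consulted at all; the Role and RoleBinding in the question only decide the later allow/deny (403 Forbidden) step, once the API server has accepted an identity. To show what that step does with these exact manifests, here is an added illustration (not kube-apiserver code and not from the question's author): a small evaluator mirroring how RBAC matches a request against Role rules and RoleBindings. The Role and RoleBinding are transcribed from role.yaml and rolebinding.yaml with the two `rules:` blocks merged into one list; the user id is a constructed placeholder standing in for the Azure AD object id.

```python
# Added illustration (not kube-apiserver code): a toy evaluator mirroring how
# Kubernetes RBAC answers "can user U do verb V on resource R in namespace N?".
# DEVELOPER_ROLE / DEVELOPER_RB are transcribed from the question's role.yaml
# and rolebinding.yaml; USER is a constructed placeholder for the AAD object id.

USER = "aad-object-id-placeholder"  # stands in for <Azure_AD_user_object-id>

DEVELOPER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "development1", "name": "developer-role"},
    "rules": [
        {"apiGroups": ["", "extensions", "apps"],
         "resources": ["deployments", "replicasets"],
         "verbs": ["*"]},
        {"apiGroups": [""],
         "resources": ["pods", "pods/log", "pods/exec"],
         "verbs": ["get", "list", "watch", "create", "update", "patch"]},
    ],
}

DEVELOPER_RB = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "development1", "name": "developer-rb"},
    "subjects": [{"kind": "User", "name": USER}],
    "roleRef": {"kind": "Role", "name": "developer-role"},
}


def _allowed(values, wanted):
    """RBAC list matching: an explicit entry or the "*" wildcard matches."""
    return "*" in values or wanted in values


def rule_matches(rule, api_group, resource, verb):
    """One rule grants the request only if API group, resource and verb all match.
    Subresources such as pods/log are separate entries, exactly as in the Role."""
    return (_allowed(rule["apiGroups"], api_group)
            and _allowed(rule["resources"], resource)
            and _allowed(rule["verbs"], verb))


def can_i(user, verb, resource, namespace, api_group="", roles=(), bindings=()):
    """Deny by default; allow if some RoleBinding in `namespace` names `user` as a
    subject and references a Role in that same namespace with a matching rule."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for rb in bindings:
        if rb["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in rb["subjects"]):
            continue
        role = roles_by_key.get((namespace, rb["roleRef"]["name"]))
        if role is None:
            continue  # a binding to a missing Role grants nothing
        if any(rule_matches(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


def check_developer_access():
    """Evaluate a few requests against the question's Role and RoleBinding."""
    roles, bindings = [DEVELOPER_ROLE], [DEVELOPER_RB]
    return {
        # what the question wants, in the namespace the binding actually lives in
        "list pods in development1": can_i(USER, "list", "pods", "development1", roles=roles, bindings=bindings),
        # the kubectl command in the question names the namespace "development" instead
        "list pods in development": can_i(USER, "list", "pods", "development", roles=roles, bindings=bindings),
        "delete pods in development1": can_i(USER, "delete", "pods", "development1", roles=roles, bindings=bindings),
        "exec into pods in development1": can_i(USER, "create", "pods/exec", "development1", roles=roles, bindings=bindings),
        "delete deployments (apps) in development1": can_i(USER, "delete", "deployments", "development1", api_group="apps", roles=roles, bindings=bindings),
        "list services in development1": can_i(USER, "list", "services", "development1", roles=roles, bindings=bindings),
        "another user lists pods in development1": can_i("other-user", "list", "pods", "development1", roles=roles, bindings=bindings),
    }


if __name__ == "__main__":
    for request, allowed in check_developer_access().items():
        print(f"{'allow' if allowed else 'deny':5} {request}")
```

Two things the output makes visible: the binding grants nothing in a namespace other than development1, and the pod verbs list deliberately omits delete while deployments get the `*` wildcard, so a deployment can be deleted but a pod cannot. On a real cluster the same question is asked with `kubectl auth can-i list pods -n development1` while authenticated as the user in question.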
You need to log in to the Azure CLI as that Azure AD user and pull the k8s config as that user (`az aks get-credentials -n xxx -g xxx`), then run `kubectl get po -n development`. I'm not sure what the `--user` parameter means, but I would expect it to try and use that user from your kubeconfig (which you don't have). I can't find any references to allowing user impersonation using kubectl.
Don't forget to purge your kubeconfig beforehand.