Running RBAC on AKS in integration with Azure Active Directory

  • Question

  • Hi All, I am implementing RBAC in my AKS cluster in integration with Azure Active Directory. After creating the proper roles and rolebindings with the respective user/group objectIDs, below are my observations:

    1. User with "Azure Kubernetes Service Cluster User Role" and "Reader Role" can access cluster according to assigned rolebinding with command "az aks get-credentials -g <rg> -n <name>".
    2. When above user tries using "az aks get-credentials -g <rg> -n <name> --admin" command, they are not allowed to.
    3. However, if same user is assigned "Azure Kubernetes Service Cluster User Role" and "Contributor Role" in active directory, they can easily get admin credentials with "az aks get-credentials -g <rg> -n <name> --admin" command which should not happen.

    Is there any way to restrict a user with "Contributor Role" from getting admin credentials? Or am I doing something wrong?

    Wednesday, October 23, 2019 7:24 AM

Answers

  • Since the built-in roles for RBAC are not as per your requirements, you can create a custom role to suit your needs.

    How do you create a custom role?

    Custom roles are defined as a JSON template. The easiest way to create one of these is to download the role template for one of the existing roles. As we want to expand on the "Contributor" role, we will download it as our starting point using this PowerShell command.

    Connect-AzureRmAccount
    
    Get-AzureRmRoleDefinition -Name "Contributor" |ConvertTo-Json |Out-File "F:\Contributor.json"

    Now that we have the "Contributor" role, let's look at another built-in role that might stop the user from getting the admin credentials, as you want. I came across the "Azure Kubernetes Service Cluster Admin Role", which lets the assigned user list the clusterAdmin credential of a managed cluster.

    Now let's get the JSON template of that role:

    Get-AzureRmRoleDefinition -Name "Azure Kubernetes Service Cluster Admin Role" |ConvertTo-Json |Out-File "F:\Azure Kubernetes Service Cluster Admin Role.json"


    Now that we have both JSON templates, let's look at the permissions that are defined in each of them.

    On the Azure Kubernetes Service Cluster Admin Role, there is an allowed action "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action".

    Now let's edit the Contributor JSON template.

    1. Update the name and Description to describe your custom role
    2. Delete the ID field, Azure will create an ID when you create the role
    3. Set IsCustom to true
    4. Change the AssignableScope. You would not have rights to apply this role to all subscriptions, so you need to set it to a specific subscription or list of subscriptions
    5. Add the role definition "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action" under "NotActions"

    At the end the custom JSON template would look like this:

    {
        "Name": "Contributor Role for AKS Reader",
        "IsCustom": true,
        "Description": "Lets you manage everything except access to resources and not read AKS Admin credentials.",
        "Actions": [
            "*"
        ],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
            "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
        ],
        "DataActions": [
        ],
        "NotDataActions": [
        ],
        "AssignableScopes": [
            "/subscriptions/cff70094-bae4-47eb-8aaa-36025fa97f3b"
        ]
    }

    Now you have your JSON role definition finished and you need to run the PowerShell command below to create it, referencing the JSON file created:

    New-AzureRmRoleDefinition -InputFile "F:\Contributor for AKS.json"

    Once that is done, the output will show you a summary of the new role.

    Now you can go to the Portal and to the IAM Role Assignment and you will see the new Custom Role there.

    Hope this helps you out.

    -----------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.


    Wednesday, October 23, 2019 10:43 AM
    Moderator
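The reason the "--admin" call succeeds for a Contributor is visible in the templates above: Contributor grants "*" and only subtracts a handful of "Microsoft.Authorization" and "Microsoft.Blueprint" operations, so "listClusterAdminCredential/action" falls through the wildcard. The following Python script, added here as an illustration and not code from the moderator, from Microsoft, or from the Az modules, evaluates exported role definitions the way Azure RBAC does: "*" in a pattern matches any characters including "/", matching is case-insensitive, NotActions subtract only within their own role, and an operation is permitted if any assignment on the principal grants it. The role objects are constructed, trimmed stand-ins for the "Get-AzureRmRoleDefinition | ConvertTo-Json" output, and the subscription id is a placeholder.

```python
import json
import re

# Operation names from the post: the Cluster Admin role's action and its user-level sibling.
ADMIN_CRED = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
USER_CRED = "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"

# Constructed, trimmed stand-ins for exported built-in role definitions.
# Only the fields the evaluation needs are present.
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# The custom role from the post: Contributor with the admin-credential action subtracted.
CUSTOM_CONTRIBUTOR = {
    "Name": "Contributor Role for AKS Reader",
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": CONTRIBUTOR["NotActions"] + [ADMIN_CRED],
    "AssignableScopes": ["/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>"],
}

CLUSTER_USER = {
    "Name": "Azure Kubernetes Service Cluster User Role",
    "Actions": [USER_CRED],
    "NotActions": [],
}
CLUSTER_ADMIN = {
    "Name": "Azure Kubernetes Service Cluster Admin Role",
    "Actions": [ADMIN_CRED],
    "NotActions": [],
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' spans any characters (including '/'), case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """A single role grants an action if some Actions pattern matches and no NotActions pattern does."""
    granted = any(action_matches(p, action) for p in role.get("Actions", []))
    subtracted = any(action_matches(p, action) for p in role.get("NotActions", []))
    return granted and not subtracted


def principal_allows(roles: list, action: str) -> bool:
    """Across several assignments the action is permitted if ANY role grants it.

    NotActions only subtracts inside its own role; it is not a deny that reaches
    other roles assigned to the same principal."""
    return any(role_allows(r, action) for r in roles)


def granting_roles(roles: list, action: str) -> list:
    """Names of the assigned roles that grant the action, for auditing a finding."""
    return [r["Name"] for r in roles if role_allows(r, action)]


def load_role(json_text: str) -> dict:
    """Parse an exported role definition (the ConvertTo-Json output shown in the post)."""
    return json.loads(json_text)


if __name__ == "__main__":
    scenarios = [
        [CONTRIBUTOR, CLUSTER_USER],          # the reporter's observation 3
        [CUSTOM_CONTRIBUTOR, CLUSTER_USER],   # the moderator's fix
        [CUSTOM_CONTRIBUTOR, CLUSTER_ADMIN],  # NotActions does not override another grant
    ]
    for roles in scenarios:
        names = ", ".join(r["Name"] for r in roles)
        print(f"{names}: admin credential -> {principal_allows(roles, ADMIN_CRED)}, "
              f"granted by {granting_roles(roles, ADMIN_CRED)}")
```

Run it as-is, or feed real exports through `load_role()` to check a tenant's custom roles. The third scenario is the practical caveat: the custom role removes the grant only from itself, so a principal that also holds "Azure Kubernetes Service Cluster Admin Role" (or another role carrying "*") still obtains the admin credential, which is why role assignments on the cluster need to be audited alongside the role definition.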

All replies

  • Thank you. This information is useful.

    Thursday, October 31, 2019 11:55 AM