Azure Kubernetes - RBAC role for namespace isolation

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams

i would like to know if is possible to isolate namespace on Azure Kubernetes service. Now if i give rbac role to my colleague they can see all namespace, i would like to segregate namespace for department, e.g. data can see only data namespace, dev can see only den namespace etc..

is it possible?

Thanks

yes, You have to Enable AKS-managed Azure Active Directory , Role-based access control (RBAC) & Azure RBAC for Kubernetes Authorization . There are 2 options:

az aks create \
  -g myResourceGroup \
  -n myManagedCluster \
  --enable-aad \
  --enable-azure-rbac
1st Option:
apiVersion: v1
kind: Namespace
metadata:
  name: data
  labels:
    kubernetes.io/metadata.name: data
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: data-view-access
  namespace: data
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: Group
  namespace: data
  name: <GROUP_OBJECT_ID>
2nd Option is to use Azure Custom Roles as explained here and also with this example from user yk1 :
az role assignment create \
  --role "Azure Kubernetes Service RBAC Reader" \
  --assignee <AAD-ENTITY-ID> \
  --scope $AKS_ID/namespaces/<namespace-name>
NOTE: All users must be member of Azure Kubernetes Service Cluster User Role in order the execute az aks get-credentials
                you can put this example in there az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID/namespaces/<namespace-name>
– YK1
                Oct 27, 2021 at 21:15
                Hi all, sorry for the delay. Thanks for the example. With that command i can segregate the namespace, so if i create some azure ad group for all namespace eg: rbac_namespace1 rbac_namespace2 ecc... i can set with that command the group to relative namespace? Which role i have to give to manage all aspect of namespace?
– Emanuele
                Nov 12, 2021 at 9:13
                For all Namespaces the user needs Azure Kubernetes Service Cluster User Role & Azure Kubernetes Service RBAC Reader  or if you are using Option1: you can use a ClusterRoleBinding instead of RoleBinding  for the ClusterRole view. Could you please markt the answer as correct to help other users with the same question?
– Philip Welz
                Nov 12, 2021 at 9:22
                Thanks Phil, i prefer to manage via rbac i think. So after that, can i remove user from this role Azure Kubernetes Service Cluster Admin Role, Azure Kubernetes Service Cluster User Role,  Azure Kubernetes Service Contributor Role ? Now we have to put user in all of that role becouse without it, now user can do nothing. I will test today an i will let you now
– Emanuele
                Nov 12, 2021 at 10:48
        Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.