Emanuele

Reputation: 359

Azure Kubernetes - RBAC role for namespace isolation

I would like to know if it is possible to isolate namespaces on Azure Kubernetes Service. Now, if I give an RBAC role to my colleagues they can see all namespaces; I would like to segregate namespaces by department, e.g. data can see only the data namespace, dev can see only the dev namespace, etc.

Is it possible?

Thanks

Upvotes: 4

Views: 5345

Answers (1)

Philip Welz

Reputation: 2807

Yes, you have to enable AKS-managed Azure Active Directory, role-based access control (RBAC) and Azure RBAC for Kubernetes Authorization. There are 2 options:

az aks create \
  -g myResourceGroup \
  -n myManagedCluster \
  --enable-aad \
  --enable-azure-rbac

1st Option:

---
apiVersion: v1
kind: Namespace
metadata:
  name: data
  labels:
    kubernetes.io/metadata.name: data
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: data-view-access
  namespace: data
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
# A Group subject is cluster-wide, so it carries no namespace field;
# the RoleBinding's own metadata.namespace is what limits the grant.
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: <GROUP_OBJECT_ID>

2nd Option is to use Azure Custom Roles as explained here and also with this example from user yk1:

az role assignment create \
  --role "Azure Kubernetes Service RBAC Reader" \
  --assignee <AAD-ENTITY-ID> \
  --scope $AKS_ID/namespaces/<namespace-name>

NOTE: All users must be members of the Azure Kubernetes Service Cluster User Role in order to execute az aks get-credentials

Upvotes: 7
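The two options above, rendered for several departments at once, as an added example that is not part of the original answer; the department names, AAD group object IDs, AKS resource ID and the "probe" user are placeholders, and the kubectl auth can-i check is meant for the RoleBinding option:

```shell
#!/bin/sh
# Added example (not from the original answer): per-department,
# namespace-scoped read-only access on AKS, both as a Kubernetes
# RoleBinding and as an Azure RBAC role assignment, plus a check.

# Option 1: bind the built-in "view" ClusterRole to an AAD group,
# restricted to the department's namespace by the RoleBinding's namespace.
render_rolebinding() {
  dept="$1"; group_id="$2"
  cat <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  name: ${dept}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${dept}-view-access
  namespace: ${dept}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: ${group_id}
EOF
}

# Option 2: Azure RBAC reader role scoped to the namespace resource.
render_role_assignment() {
  dept="$1"; group_id="$2"; aks_id="$3"
  printf 'az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee %s --scope %s/namespaces/%s\n' \
    "$group_id" "$aks_id" "$dept"
}

# Verification: the group may list pods in its own namespace, not in another.
render_checks() {
  dept="$1"; group_id="$2"; other="$3"
  printf 'kubectl auth can-i list pods -n %s --as=probe --as-group=%s  # expect: yes\n' "$dept" "$group_id"
  printf 'kubectl auth can-i list pods -n %s --as=probe --as-group=%s  # expect: no\n' "$other" "$group_id"
}

# Constructed sample mapping "department group-object-id" (placeholders).
DEPARTMENTS='data 11111111-1111-1111-1111-111111111111
dev 22222222-2222-2222-2222-222222222222'
AKS_ID='<AKS_RESOURCE_ID>'
printf '%s\n' "$DEPARTMENTS" | while read -r dept gid; do
  render_rolebinding "$dept" "$gid"; render_role_assignment "$dept" "$gid" "$AKS_ID"
done
```

Pipe the render_rolebinding output to kubectl apply -f - for the first option, or run the emitted az command for the second; the render_checks lines confirm the boundary holds.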
