Reputation: 116
I've deployed an Azure Kubernetes Service with the Azure AD authentication with Azure RBAC Authentication mode configured.
I have given myself the roles:
- Azure Kubernetes Service Cluster Admin Role
- Azure Kubernetes Service RBAC Admin
And with this I can:
Across all namespaces.
However neither of these allow me to create a namespace, and from what I can tell no obvious other roles touch on this permission.
For example, kubectl create namespace test-namespace raises:
Error from server (Forbidden): namespaces is forbidden: User "USER AZURE AD" cannot create resource "namespaces" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access.
I am aware that pulling credentials with az aks get-credentials -g {Resource Group} --name {CLUSTER NAME} --admin is a workaround, but this particular cluster cannot have Kubernetes local accounts enabled so this is not an option.
What can I do?
Upvotes: 0
Views: 1381
Reputation: 5570
To resolve this issue, create one custom RBAC role with the Microsoft.ContainerService/managedClusters/namespaces/write permission under your subscription:
Clone a role with Azure Kubernetes Service RBAC Admin:
In the permission tab you can find NotDataActions; remove Microsoft.ContainerService/managedClusters/namespaces/write from NotDataActions and add the same permission:
Once the custom role is created, now assign the role assignment:
When I run the namespace command, I get the desired output:
kubectl create namespace test-namespace
Reference: Azure built-in roles - Azure RBAC | Microsoft Learn
Upvotes: 1
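The clone-and-edit steps from the answer above can also be scripted instead of clicked through in the portal. The following is an added example, not code from the answer: it assumes the built-in role has been exported in the shape `az role definition list --name` prints, uses a constructed and abbreviated sample of that export, and the custom role name and scope are placeholders.

```python
import json

NS_WRITE = "Microsoft.ContainerService/managedClusters/namespaces/write"

# Constructed sample in the shape `az role definition list --name ...` prints
# for a built-in role. The permission lists are abbreviated assumptions,
# apart from the NotDataActions entry the answer talks about.
BUILTIN_SAMPLE = {
    "roleName": "Azure Kubernetes Service RBAC Admin",
    "permissions": [{
        "actions": ["Microsoft.Authorization/*/read"],
        "notActions": [],
        "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
        "notDataActions": [
            "Microsoft.ContainerService/managedClusters/resourcequotas/write",
            NS_WRITE,
        ],
    }],
}


def clone_with_namespace_write(builtin, new_name, assignable_scope):
    """Return a custom-role definition that no longer excludes namespaces/write."""
    perms = builtin["permissions"]
    if len(perms) != 1:
        raise ValueError("expected a single permissions block")
    p = perms[0]
    if NS_WRITE not in p["notDataActions"]:
        raise ValueError("source role does not exclude namespaces/write")
    data_actions = list(p["dataActions"])
    if NS_WRITE not in data_actions:
        data_actions.append(NS_WRITE)  # "add the same permission"
    return {
        "Name": new_name,
        "IsCustom": True,
        "Description": f"Clone of {builtin['roleName']} that may create namespaces",
        "Actions": list(p["actions"]),
        "NotActions": list(p["notActions"]),
        "DataActions": data_actions,
        # Every other exclusion of the built-in role is kept as it was.
        "NotDataActions": [a for a in p["notDataActions"] if a != NS_WRITE],
        "AssignableScopes": [assignable_scope],
    }


if __name__ == "__main__":
    role = clone_with_namespace_write(
        BUILTIN_SAMPLE, "AKS RBAC Admin With Namespaces",  # hypothetical name
        "/subscriptions/<subscription-id>")                # placeholder scope
    # Save as role.json, then: az role definition create --role-definition @role.json
    print(json.dumps(role, indent=2))
```

The resulting role is then assigned with `az role assignment create --assignee ... --role ... --scope ...`; scoping that assignment to the single cluster's resource ID rather than the whole subscription keeps the extra permission as narrow as possible.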