[英]Azure AKS User Credentials Login to K8 Dashboard and RBAC Built-in Roles
According to the documentation , Azure Kubernetes Service Cluster User Role allows access to Microsoft.ContainerService/managedClusters/listClusterUserCredential/action API call only.根据文档,Azure Kubernetes 服务集群用户角色允许访问 Microsoft.ContainerService/managedClusters/listClusterUserCredential/action ZDB974238714CA8DE634A7CE1D083A1。
My user is part of an AD group that has Azure Kubernetes Service Cluster User Role
permissions on the AKS cluster and all the cluster role and cluster role bindings have been applied via kubectl
.我的用户是具有
Azure Kubernetes Service Cluster User Role
权限的 AKS 集群的 AD 组的一部分,并且所有集群角色和集群角色绑定都已通过kubectl
应用。
I can double check and verify that access to dashboard and permissions work with these steps:我可以通过以下步骤仔细检查并验证对仪表板和权限的访问:
1. az login
2. az aks get-credentials --resource-group rg --name aks
3. kubectl proxy
4. Open web connection
5. Get prompt on terminal to login via device code flow
6. Return to web connection on dashboard
7. I can correctly verify that my permissions apply,
i.e. deleting a job does not work and this falls in line with my
kubectl clusterrole bindings to the Azure AD group.
However when I try to use the az aks browse
command to open the browser automatically like this, ie without kubectl proxy
:但是,当我尝试使用
az aks browse
命令像这样自动打开浏览器时,即没有kubectl proxy
:
1. az login
2. az aks get-credentials --resource-group rg --name aks
3. az aks browse --resource-grouprg --name aks
I keep getting the following error:我不断收到以下错误:
The client 'xxx' with object id 'yyyy' does not have authorization to perform action
'Microsoft.ContainerService/managedClusters/read' over scope
'/subscriptions/qqq/resourceGroups/rg/providers/Microsoft.ContainerService/managedClusters/aks'
or the scope is invalid. If access was recently granted, please refresh your credentials.
A dirty
solution was to apply Reader
role on the AKS cluster for that AD group - then this issue goes away but why does az aks browse
require Microsoft.ContainerService/managedClusters/read
permission and why is that not included in Azure Kubernetes Service Cluster User Role
?一个
dirty
的解决方案是在该 AD 组的 AKS 群集上应用Reader
角色 - 然后这个问题就消失了,但为什么az aks browse
需要Microsoft.ContainerService/managedClusters/read
权限,为什么Azure Kubernetes Service Cluster User Role
中不包含该权限?
What is happening here?这里发生了什么?
Currently, the command目前,该命令
az aks browse --resource-grouprg --name aks
isn't working with the more recent version of AKS, you can find the full details here. az aks browse --resource-grouprg --name aks
不适用于更新版本的 AKS,您可以在此处找到完整的详细信息。
https://github.com/MicrosoftDocs/azure-docs/issues/23789 https://github.com/MicrosoftDocs/azure-docs/issues/23789
Also, your current problem might also be that your user XXX doesn't have the right IAM access level at the Subscription/ResourceGroup level.此外,您当前的问题还可能是您的用户 XXX 在 Subscription/ResourceGroup 级别没有正确的 IAM 访问级别。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.