Why does 'Azure Kubernetes Service RBAC Reader' role allow deployments write

Question

The built-in Azure role Azure Kube.netes Service RBAC Reader is described as:

Allows read-only access to see most objects in a namespace....

Then why does it allow the following action:

Microsoft.Resources/deployments/write

which is described as

Creates or updates an deployment.

How is this not a security issue?

Answer 1

There is two field you will be able to see if you open Kubernetes Cluster through a portal.

1. Action: This lists all Azure Kubernetes service role.
2. Data Action: This is main that describes about specific role ie, what are the action you able to perform on data.

Microsoft.Resources /deployments/write this is not belongs to Azure Kubernetes Service RBAC Reader Role. If you go to DataAction of RBAC Reader there no writes role. This Action belongs to Azure Kubernetes Service RBAC Write Role. See the below Picture.

Note: Microsoft.Resources contains Microsoft.ContainerService/managedCluster/apps resource as well

Microsoft.Resources /deployments/write it has mention in Action Section not DataAction Section of Azure Kubernetes Service RBAC Reader Role.

Answer 2

It seems to me that this permission was added by mistake. See this Github issue :

The action "Microsoft.Resources/deployments/write" does not affect the k8s resources. Only data actions affect the k8s resources via Azure RBAC ie the permissions mentioned in the dataactions field. So it will not affect the Azure RBAC you set for the k8s resources in the cluster. The action "Microsoft.Resources/deployments/write" is usually added for built-in roles.

Two of the answers read,

[...] I will follow up that internally on removing that action. [...]

and

[...] we are working to see what "Write" permissions we can remove without breaking things [...]