How can block azure aks get-credentials --admin and allow azure aks get-credentials only on azure?

Use azure aks get-credentials --admin can get kubernetes admin config file and azure aks get-credentials can get only user config file on azure.

How to set something to deny user run azure aks get-credentials --admin?

Solution

well, be default they cant run it, unless they have specific azure permissions. so by default you dont have to do anything. they shouldnt have this specific permission:

Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action

which they would get if they are contributor for the AKS resource or resource group. They need this permission to get user credentials:

Microsoft.ContainerService/managedClusters/listClusterUserCredential/action

Unable to locate executable file: 'bash'. Please verify either the file path exists
"We're sorry, your sql database is unavailable" What does this mean exactly in Azure SQL?
How do I login to an Azure AD Joined VM using Azure AD Credentials on an Windows Server 2019?
Migrating from validate-jwt to validate-azure-ad-token policy
Azure C# Cosmos DB: Property "id" is missing when it's actually present
Azure Permission - needed for creating resource group - RBAC
Can the Azure Service Bus be delayed before retrying a message?
azure documentdb create document duplicates Id property
JWT validation failure error in azure apim
How to Add JVM Arguments in Azure Application Service?
Azure App Service and Application Insights where is performance test?
Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
Change Default Service Version of Microsoft Azure Blob - PHP
Microsoft Graph: How to filter users by domain name
Azure App Service Plan CPU Spikes to 100%
Unable to Authenticate to DevOps API with Angual MSAL
Query all Azure WAF rules using Azure Resource Graph Explorer
Azure Databricks: Not able to parameterize keys option of dlt.apply_changes
ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
Attaching a private static ip address to Azure Container Instance
Azure Synapse severless SQL pool - query execution fails
How to login via Service Principal having Federated Credentials rather than Client Secrets
Where can I find the resource id of an Azure function app in the Azure portal?
How to forward access-control-allow-origin header from a Web App to a Front Door?
Basic SQL commands in Terraform
Linux Azure Webjob in nodejs referring to node.exe
Running Azure functions locally gives "No runtime" error after .NET7 upgrade
Azure DataSync tables not showing up
Azure ML: Unable to find workspace
unable to start 'Docker for windows' on Azure Win 10 VM