Cannot Create Azure AKS Namespace with Azure Kubernetes Service RBAC Admin role
I've deployed an Azure Kubernetes Service with the Azure AD authentication with Azure RBAC Authentication mode configured.
I have given myself the
Azure Kubernetes Service Cluster Admin RoleAzure Kubernetes Service RBAC Admin
- roles.
And with this I can:
- List deployments
- Create deployments
- Tear down deployments
Across all namespaces.
However neither of these allow me to create a namespace, and from what I can tell no obvious other roles touch on this permission.
For example kubectl create namespace test-namespace Raises:
Error from server (Forbidden): namespaces is forbidden: User "USER AZURE AD" cannot create resource "namespaces" in API group "" at the cluster scope: User does not have access to the resource in Azure. Update role assignment to allow access.
I am aware that pulling credentials with az aks get-credentials -g {Resource Group} --name {CLUSTER NAME} --admin is a workaround, but this particular cluster cannot have Kubertnetes local accounts enabled so this is not an option.
What can I do?
To resolve this issue, create one custom RBAC role with Microsoft.ContainerService/managedClusters/namespaces/write permission under your subscription:
Clone a role with Azure Kubernetes service RBAC Admin:
In permission tab you can find NotDataActions remove the Microsoft.ContainerService/managedClusters/namespaces/write from NotDataActions and add the same permission:
Once the custom role is created, now assign the role assignment:
When I run the namespace command got desired output:
kubectl create namespace test-namespace
Reference: Azure built-in roles - Azure RBAC | Microsoft Learn
- Azure C# Cosmos DB: Property "id" is missing when it's actually present
- Azure Permission - needed for creating resource group - RBAC
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- Can the Azure Service Bus be delayed before retrying a message?
- azure documentdb create document duplicates Id property
- JWT validation failure error in azure apim
- Azure App Service and Application Insights where is performance test?
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Change Default Service Version of Microsoft Azure Blob - PHP
- Microsoft Graph: How to filter users by domain name
- Azure App Service Plan CPU Spikes to 100%
- Unable to Authenticate to DevOps API with Angual MSAL
- Azure Databricks: Not able to parameterize keys option of dlt.apply_changes
- ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
- Attaching a private static ip address to Azure Container Instance
- Azure Synapse severless SQL pool - query execution fails
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Where can I find the resource id of an Azure function app in the Azure portal?
- How to forward access-control-allow-origin header from a Web App to a Front Door?
- Basic SQL commands in Terraform
- Linux Azure Webjob in nodejs referring to node.exe
- Running Azure functions locally gives "No runtime" error after .NET7 upgrade
- Azure DataSync tables not showing up
- Azure ML: Unable to find workspace
- unable to start 'Docker for windows' on Azure Win 10 VM
- How to enable virtualization in Azure VM
- Configuring AppSettings with ASP.Net Core on Azure Web App for Containers: Whither Colons?
- how to get v2 type token using msal python
- The mock in my pester test keeps calling Connect-AzAccount
- HttpResponseError in Azure Ai search