1
votes

If I create a brand-new AKS RBAC cluster from the Azure portal, in a resource group where I have Contributor role, and then run az aks get-credentials without admin flag, I am able to create and delete pods and namespaces, read cluster-wide secrets, and so on, using kubectl. This is without first logging in with --admin and creating any RBAC roles and bindings.

What is it that gives me these permissions? Based on discussions I found online, the non-admin version of get-credentials downloads kubeconfig settings for a cluster user role, which should allow me to login but not much else, out of the box.

2

2 Answers

0
votes

There's a bit of confusion here. So if you create an RBAC-enabled cluster, az aks get-credentials will pull the admin config (so full access). You'd need to log in, create roles/bindings/service accounts/users and generate kubeconfigs for other users so they will get exactly the permissions you want them to have.

If you, however, create an RBAC-enabled cluster with AAD integration, then az aks get-credentials will pull credentials based on your AAD user, and that will not work (pulling will work, accessing k8s will not) unless you configure appropriate roles/bindings inside k8s.

0
votes

We opened a support ticket and got an answer: Microsoft confirmed that this is a bug and something they're working on:

Having "Azure Kubernetes Service Cluster Admin Role" should not allow you to get-credentials with user profile. However, there is a bug where the client certificate we return in get-credentials --admin is the same as get-credentials. It pretty much means clusterUser is as good as clusterAdmin.
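An added check for the symptom this answer describes (this is example code written here, not code from either answer, from Microsoft or from the AKS project): it compares the SHA-256 fingerprints of the client certificates embedded in the kubeconfig written by az aks get-credentials with those in the one written by az aks get-credentials --admin. If any fingerprint appears in both, the "user" profile is carrying the admin certificate and is as good as clusterAdmin. The kubeconfig texts, profile names, server address and certificate bytes below are constructed placeholders; on a real cluster you would read the two files az wrote (for example ~/.kube/config, or the paths you passed with --file) instead. Note that client-certificate-data is base64 of a PEM file, so the script decodes twice to get DER before hashing, which makes the fingerprint match what openssl x509 -fingerprint -sha256 prints for the same certificate.

```python
import base64
import hashlib
import re


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _fake_pem(der: bytes) -> bytes:
    """Wrap placeholder DER bytes in a PEM envelope (constructed, not a real cert)."""
    return b"-----BEGIN CERTIFICATE-----\n" + _b64(der).encode() + b"\n-----END CERTIFICATE-----\n"


def make_kubeconfig(user_name: str, cert_pem: bytes, key_pem: bytes) -> str:
    """Build a minimal kubeconfig in the shape az aks get-credentials writes.

    Constructed for this example; the server name is a placeholder.
    """
    return (
        "apiVersion: v1\n"
        "kind: Config\n"
        "clusters:\n"
        "- name: myAKS\n"
        "  cluster:\n"
        "    server: https://myaks.example.invalid:443\n"
        "users:\n"
        f"- name: {user_name}\n"
        "  user:\n"
        f"    client-certificate-data: {_b64(cert_pem)}\n"
        f"    client-key-data: {_b64(key_pem)}\n"
    )


# Constructed sample inputs. The "buggy" pair reproduces the situation in the
# answer: the clusterUser profile carries the very same certificate as
# clusterAdmin. The "ok" user profile carries a different certificate.
ADMIN_DER = b"placeholder DER bytes of the admin client certificate"
USER_DER = b"placeholder DER bytes of a separate, lower-privilege certificate"
ADMIN_KUBECONFIG = make_kubeconfig("clusterAdmin_myRG_myAKS", _fake_pem(ADMIN_DER), b"placeholder-key")
USER_KUBECONFIG_BUGGY = make_kubeconfig("clusterUser_myRG_myAKS", _fake_pem(ADMIN_DER), b"placeholder-key")
USER_KUBECONFIG_OK = make_kubeconfig("clusterUser_myRG_myAKS", _fake_pem(USER_DER), b"other-key")

# Regex extraction keeps the example free of PyYAML; a real kubeconfig can be
# loaded with yaml.safe_load and the same field read from each users[].user entry.
_CERT_RE = re.compile(r"^\s*client-certificate-data:\s*(\S+)\s*$", re.MULTILINE)


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour and base64-decode the body to raw DER bytes."""
    body = b"".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.strip().startswith(b"-----")
    )
    return base64.b64decode(body)


def cert_fingerprints(kubeconfig_text: str) -> set:
    """SHA-256 fingerprints (hex) of every client certificate in a kubeconfig."""
    fingerprints = set()
    for match in _CERT_RE.finditer(kubeconfig_text):
        pem = base64.b64decode(match.group(1))   # first decode: kubeconfig field -> PEM file
        der = pem_to_der(pem)                     # second decode: PEM body -> DER
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def shares_client_cert(user_cfg: str, admin_cfg: str) -> bool:
    """True when the non-admin kubeconfig reuses a certificate from the admin one."""
    return bool(cert_fingerprints(user_cfg) & cert_fingerprints(admin_cfg))


if __name__ == "__main__":
    for label, cfg in (("buggy", USER_KUBECONFIG_BUGGY), ("ok", USER_KUBECONFIG_OK)):
        verdict = "SAME cert as --admin (user == admin)" if shares_client_cert(cfg, ADMIN_KUBECONFIG) else "distinct cert"
        print(f"{label}: {verdict}")
```

Running it against the two files from a real cluster is the quickest way to tell whether a given AKS build still has the behaviour the support ticket describes; a separate sanity check from the user profile is kubectl auth can-i --list, which should not show cluster-wide secret access for clusterUser.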