Do Azure RBAC roles for AKS work as described in the documentation?

Question

I am trying to implement Azure RBAC on an existing AKS cluster. I am using Azure AD authentication with Azure RBAC. I understand as per documentation that I do not need to create any role/role bindings in Kubernetes if I use built-in roles. Does this work as expected? If I add built-in Azure AKS roles to AAD groups, will it work? It should limit access both in the portal and via kubectl.

I tried adding the AKS RBAC Reader role to a group called "Developers". Then I added my user to the same group. I am able to change, view, and delete roles/rolebindings via kubectl. This should not be possible as per the document: https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac. Do I need to create roles in k8, and role bindings?

Answer 1

Score: 0

It should work properly as you've described.

Are you absolutely sure you don't have wider AKS RBAC at a higher scope (e.g. AKS RBAC Cluster Admin at the subscription scope)?

Have you inadvertently used a Kubernetes local admin account to authenticate with (az aks get-credentials --admin)?

> You will need to reauthenticate with the cluster after changing RBAC roles.
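The two checks the answer suggests can be automated. The script below is an added example (not the answer author's code): it inspects the JSON that `kubectl config view --raw -o json` and `az role assignment list --all --include-groups --assignee <upn> -o json` would produce, reports whether the current kubeconfig user is the local admin certificate written by `az aks get-credentials --admin` (which bypasses Azure RBAC entirely), and lists AKS RBAC role assignments granted at a scope wider than the cluster (resource group or subscription) that still apply to it. The kubeconfig, cluster resource ID and role-assignment records embedded here are constructed sample data; the role names are the real built-in Azure RBAC for Kubernetes roles.

```python
"""Diagnose why an AAD user appears to have more AKS access than its AKS RBAC role grants.

Inputs are the JSON documents produced by (constructed samples are embedded below):
  kubectl config view --raw -o json
  az role assignment list --all --include-groups --assignee <upn> -o json
"""
import json

# Built-in Azure RBAC for Kubernetes authorization roles (names from the Azure docs).
AKS_RBAC_ROLES = {
    "Azure Kubernetes Service RBAC Reader",
    "Azure Kubernetes Service RBAC Writer",
    "Azure Kubernetes Service RBAC Admin",
    "Azure Kubernetes Service RBAC Cluster Admin",
}


def credential_kind(kubeconfig):
    """Return 'local-admin', 'azure-ad' or 'unknown' for the current context's user entry."""
    ctx_name = kubeconfig.get("current-context")
    ctx = next((c["context"] for c in kubeconfig.get("contexts", []) if c.get("name") == ctx_name), None)
    if ctx is None:
        return "unknown"
    user = next((u["user"] for u in kubeconfig.get("users", []) if u.get("name") == ctx.get("user")), {})
    # `az aks get-credentials --admin` writes a client certificate; that identity is
    # cluster-admin inside Kubernetes and never passes through Azure RBAC.
    if "client-certificate-data" in user or "client-key-data" in user:
        return "local-admin"
    # Azure AD sign-in uses the kubelogin exec plugin (or the legacy azure auth-provider).
    if "exec" in user or "auth-provider" in user:
        return "azure-ad"
    return "unknown"


def scope_level(scope):
    """Classify an ARM scope string as cluster, resource-group, subscription or other."""
    parts = [p.lower() for p in scope.split("/") if p]
    if "managedclusters" in parts:
        return "cluster"
    if "resourcegroups" in parts:
        return "resource-group"
    if parts and parts[0] == "subscriptions":
        return "subscription"
    return "other"  # e.g. a management-group scope


def wider_aks_assignments(assignments, cluster_id):
    """AKS RBAC assignments whose scope contains the cluster but is broader than the cluster itself."""
    cluster_id_l = cluster_id.lower()
    found = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "").lower().rstrip("/")
        if role not in AKS_RBAC_ROLES:
            continue
        # Trailing slash prevents "rg-a" from matching "rg-ab".
        if cluster_id_l.startswith(scope + "/") and scope_level(scope) != "cluster":
            found.append({"role": role, "level": scope_level(scope),
                          "scope": scope, "principal": a.get("principalName")})
    return found


def diagnose(kubeconfig, assignments, cluster_id):
    """Return human-readable findings explaining unexpected access, empty if nothing is found."""
    findings = []
    kind = credential_kind(kubeconfig)
    if kind == "local-admin":
        findings.append("kubeconfig uses the local cluster-admin certificate "
                        "(az aks get-credentials --admin); Azure RBAC is bypassed")
    elif kind != "azure-ad":
        findings.append("kubeconfig credential type not recognised; re-run az aks get-credentials without --admin")
    for a in wider_aks_assignments(assignments, cluster_id):
        findings.append(f"{a['role']} granted to {a['principal']} at {a['level']} scope "
                        f"({a['scope']}) also applies to this cluster")
    return findings


# ---- constructed sample data (hypothetical subscription, group and cluster names) ----
SAMPLE_CLUSTER_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                     "/providers/Microsoft.ContainerService/managedClusters/aks-demo")

SAMPLE_KUBECONFIG = {  # shape of `kubectl config view --raw -o json` after `--admin`
    "current-context": "aks-demo-admin",
    "contexts": [{"name": "aks-demo-admin",
                  "context": {"cluster": "aks-demo", "user": "clusterAdmin_rg-demo_aks-demo"}}],
    "users": [{"name": "clusterAdmin_rg-demo_aks-demo",
               "user": {"client-certificate-data": "REDACTED", "client-key-data": "REDACTED"}}],
}

SAMPLE_ASSIGNMENTS = [  # shape of `az role assignment list -o json`
    {"roleDefinitionName": "Azure Kubernetes Service RBAC Reader", "principalName": "Developers",
     "principalType": "Group", "scope": SAMPLE_CLUSTER_ID},
    {"roleDefinitionName": "Azure Kubernetes Service RBAC Cluster Admin", "principalName": "Platform-Admins",
     "principalType": "Group", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Reader", "principalName": "Developers",
     "principalType": "Group", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"},
]

if __name__ == "__main__":
    # Replace the samples with json.load() of the real command outputs to check a live cluster.
    for line in diagnose(SAMPLE_KUBECONFIG, SAMPLE_ASSIGNMENTS, SAMPLE_CLUSTER_ID):
        print("-", line)
```

Run against real output, an empty findings list means kubectl is authenticating through Azure AD and the only AKS RBAC grant reaching the cluster is the one on the cluster itself, at which point `kubectl auth can-i delete rolebindings` should report `no` for the Reader group after re-running `az aks get-credentials` (without `--admin`) and signing in again.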

huangapple
  • Posted on 2023-05-22 20:32:04
  • Please keep this link when reposting: https://go.coder-hub.com/76306240.html