英文:
Does Azure RBAC roles for AKS work as described in documentation?
问题
我正在尝试在现有的 AKS 集群上实施 Azure RBAC。我正在使用 Azure AD 身份验证和 Azure RBAC。根据文档,如果我使用内置角色,我理解在 Kubernetes 中不需要创建任何角色/角色绑定。这是否按预期工作?如果我将内置的 Azure AKS 角色添加到 AAD 组中,它会起作用吗?它应该限制对门户和通过 kubectl 的访问。
我尝试将 AKS RBAC 读取器角色添加到名为“Developers”的组中。然后我将我的用户添加到同一组中。我能够通过 kubectl 更改、查看、删除角色/角色绑定。根据文档,这不应该是可能的:https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac。我是否需要在 k8 中创建角色和角色绑定?
英文:
I am trying to implement Azure RBAC on an existing AKS cluster. I am using Azure AD authentication with Azure RBAC. I understand as per documentation that I do not need create any role/rol bindings in kubernetes, if I use built-in roles. Does this work as expected? If I add built in Azure AKS roles to AAD groups, it will work? It should limit access both in portal and via kubectl.
I tried adding AKS RBAC reader role to group called "Developers". Then I added my user to the same group. I am able to change,view, delete roles/rolebindings via kubectl. This should not be possible as per document: https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac. Do I need to create roles in k8, and role bindings?
答案1
得分: 0
这应该按照您所描述的方式正常工作。
您绝对确定在更高级别范围(例如,订阅范围的 AKS RBAC 集群管理员)中没有更广泛的 Aks Rbac 权限吗?
您是否无意中使用了 Kubernetes 本地管理员帐户进行身份验证(az aks get-credentials --admin)。
在更改 RBAC 角色后,您将需要重新验证与集群的身份。
英文:
It should work properly as you've described.
Are you absolutely sure you don't have wider Aks Rbac at a higher scope (eg. AKS RBAC Cluster admin at the subscription scope)?
Have you inadvertently used a kubernetes local admin account to authenticate with (az aks get-credentials --admin).
> You will need to reauthenticate with the cluster after changing RBAC roles.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论