Azure-docs: Limiting who can assume Admin

Created on 25 Jun 2018  ·  13 Comments  ·  Source: MicrosoftDocs/azure-docs

What is the method that Microsoft is recommending for limiting who can log into the cluster with the --admin flag? If my organization eventually rolls this out to more groups with access to Azure and AKS, we would like to limit who is able to log into the cluster as an admin. Currently, even with RBAC enabled, it seems that anyone is still able to just add a --admin flag to the get-credentials command and assume admin (not good).



All 13 comments

@jdogg89 - good question, please stand-by.

I am still working on the exact steps, however it seems a custom Azure RBAC role can be created to limit access to the --admin based kubeconfig file.

We will get these steps published once fleshed out.

We are tracking this in an internal system and will get the docs updated once resolved. I am closing this doc issue for the time being.

please-close

@jdogg89 We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.

I'm hanging on this one. How can I get updated when it is resolved?

@jrhoward after some discussion with @iainfoulds, we want to keep this open until the technical resolution comes through.

@SaurabhSharma-MSFT / @MicahMcKittrick-MSFT can we open this back up - thanks.

in-progress

@jdogg89 We will now close this issue. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.

@iainfoulds @neilpeterson @femsulu
Why was the issue closed?
What is the solution regarding this?

What is the fix? Closed #12409 and #10754 without stating exact fix, assuming the fix is updating below document.
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

I was working on the same issue, blocking "--admin" using "/managedClusters/listClusterAdminCredential/action", which does not work as expected; created #13517.

Is there a resolution to this issue? It seems a bit pointless going to the trouble of integrating AKS with Active Directory if we can't block users from issuing

az aks get-credentials --admin

Log in to the portal and browse to Subscriptions -> Access control (IAM) -> Roles. It was not properly communicated by Azure.

Azure Kubernetes Service Cluster User Role
Azure Kubernetes Service Cluster Admin Role

Thanks @praveendhac, that makes sense now!
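The two built-in roles named above map onto two resource-provider actions: the Cluster User Role grants `Microsoft.ContainerService/managedClusters/listClusterUserCredential/action`, the Cluster Admin Role grants `Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action` (the action mentioned earlier in the thread). Restricting `--admin` therefore means making sure that only the intended principals hold an assignment whose effective actions cover the admin action. Two things make that harder than assigning the two roles: Azure RBAC is additive, so an Owner or Contributor assignment inherited from the subscription (`Actions: *`) also grants the admin action, and a role's `NotActions` only narrows that role's own grant, it is not a deny, which is why a custom role that lists the admin action under `NotActions` does not block a user who also holds Contributor. The script below is an added example, not from the thread or from Microsoft; it audits who can fetch the admin kubeconfig. It is written to consume the JSON that `az role assignment list --scope <cluster resource id> --include-inherited -o json` and `az role definition list -o json` return, but that data is replaced here by constructed sample assignments; the function names, the subscription id, the principal names and the role "Custom AKS No Admin" are hypothetical.

```python
"""Audit which principals can run `az aks get-credentials --admin` on an AKS cluster.

Added example: evaluates Azure RBAC role assignments against the
listClusterAdminCredential action. Sample data below is constructed.
"""
import fnmatch

ADMIN_ACTION = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
USER_ACTION = "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"

# Constructed subset of role definitions (real built-in role names; Contributor's
# NotActions list is abbreviated). "Custom AKS No Admin" is a hypothetical custom role.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Azure Kubernetes Service Cluster User Role": {"actions": [USER_ACTION], "notActions": []},
    "Azure Kubernetes Service Cluster Admin Role": {"actions": [ADMIN_ACTION], "notActions": []},
    "Custom AKS No Admin": {"actions": ["Microsoft.ContainerService/*"], "notActions": [ADMIN_ACTION]},
}

# Constructed ids: placeholder subscription, hypothetical resource group and cluster names.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
CLUSTER = SUBSCRIPTION + ("/resourceGroups/rg-demo/providers/"
                         "Microsoft.ContainerService/managedClusters/aks-demo")

# Constructed sample in the shape of `az role assignment list --include-inherited -o json`.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "aks-admins", "principalType": "Group",
     "roleDefinitionName": "Azure Kubernetes Service Cluster Admin Role", "scope": CLUSTER},
    {"principalName": "aks-developers", "principalType": "Group",
     "roleDefinitionName": "Azure Kubernetes Service Cluster User Role", "scope": CLUSTER},
    # Inherited from the subscription: Contributor's "*" covers the admin action.
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": CLUSTER},
    # NotActions removes the admin action from this role's own grant only.
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Custom AKS No Admin", "scope": CLUSTER},
]


def _matches(pattern, action):
    """Azure RBAC wildcard match: '*' spans path segments, comparison is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants(role_name, action, definitions=ROLE_DEFINITIONS):
    """True if a single role's effective permissions (Actions minus NotActions) include action."""
    definition = definitions[role_name]
    allowed = any(_matches(p, action) for p in definition["actions"])
    excluded = any(_matches(p, action) for p in definition["notActions"])
    return allowed and not excluded


def admin_capable_principals(assignments, definitions=ROLE_DEFINITIONS):
    """Every assignment that grants the admin-credential action.

    Azure RBAC is additive: a single matching assignment at any scope is enough,
    so the result is the list to review, sorted by principal for stable output.
    """
    hits = [(a["principalName"], a["roleDefinitionName"], a["scope"])
            for a in assignments
            if role_grants(a["roleDefinitionName"], ADMIN_ACTION, definitions)]
    return sorted(hits)


def definitions_from_az(role_definition_list):
    """Convert `az role definition list -o json` output into the dict shape used above."""
    out = {}
    for rd in role_definition_list:
        actions, not_actions = [], []
        for perm in rd.get("permissions", []):
            actions.extend(perm.get("actions", []))
            not_actions.extend(perm.get("notActions", []))
        out[rd["roleName"]] = {"actions": actions, "notActions": not_actions}
    return out


if __name__ == "__main__":
    for principal, role, scope in admin_capable_principals(SAMPLE_ASSIGNMENTS):
        print(f"{principal:<20} can use --admin via '{role}' assigned at {scope}")
```

On the sample data the audit reports `aks-admins` (expected) and `alice@example.com` (via subscription-level Contributor), while `aks-developers`, `bob@example.com` and `carol@example.com` are not flagged. Against a real cluster, feed the two `az` JSON outputs through `definitions_from_az` and `admin_capable_principals` and review every principal that is not in the intended admin group; the fix for the unexpected ones is to replace broad inherited roles with the Cluster User Role at cluster scope, since NotActions in a custom role cannot take the admin action away.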
