Just upgraded cluster to 1.11.5 and now having RBAC issues with dashboard. Had previously configured a separate service account for dashboard and granted that permissions in cluster and used bearer token for login rather than grant kubernetes-dashboard service account permissions which was working. Now on login with token receive the familiar error:
configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default"
Has anything changed?
Thanks for the feedback! We are currently investigating and will update you shortly.
@richyla Have you created cluster role binding?
As per this doc, if your AKS cluster uses RBAC, a ClusterRoleBinding must be created before you can correctly access the dashboard. To create a binding, use the kubectl create clusterrolebinding command as shown in the following example:
kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
Also, check out the following links:
https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges
https://github.com/Azure/acs-engine/issues/3130#issuecomment-415928684
Let me know if it is not what you are looking for.
@richyla Any update?
Hi, sorry missed your response. Yes, if I create an RBAC binding for the "kubernetes-dashboard" service account it works perfectly. However I don't want to configure it in this way as I don't want all users to be able to access the dashboard with the same privileges. Previously I had created additional service accounts, admin, reader etc, created appropriate bindings and used the service account secret token to login to the dashboard.
This worked perfectly until I upgraded cluster to 1.11.5, now it doesn't seem to work. The login with the service account token works but the permissions errors relating to the "kubernetes-dashboard" service account are shown. I have also tried using my token for my Azure AD account to login to the dashboard and again the permissions errors for the "kubernetes-dashboard" service account are shown.
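An added example, not part of the thread and not code from AKS or the dashboard project: a check over `kubectl get clusterrolebindings -o json` output that reports whether the dashboard's own service account holds cluster-admin, which is what the `kubectl create clusterrolebinding` command above sets up. The JSON is a constructed sample, and the `dashboard-reader` account and binding are hypothetical names.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# "dashboard-reader" and "no-subjects" are hypothetical binding names.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "kubernetes-dashboard"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                 "namespace": "kube-system"}]},
  {"metadata": {"name": "dashboard-reader"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "dashboard-reader",
                 "namespace": "kube-system"}]},
  {"metadata": {"name": "no-subjects"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")


def roles_for_service_account(bindings, name, namespace="kube-system"):
    """Return {binding name: ClusterRole name} for every binding naming the account."""
    found = {}
    for item in bindings.get("items", []):
        # `subjects` is optional on a binding, so treat a missing list as empty.
        for subject in item.get("subjects") or []:
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == name
                    and subject.get("namespace") == namespace):
                found[item["metadata"]["name"]] = item["roleRef"]["name"]
    return found


def shared_admin_bindings(bindings, name="kubernetes-dashboard"):
    """Bindings that give the dashboard's own account cluster-admin."""
    roles = roles_for_service_account(bindings, name)
    return sorted(b for b, role in roles.items() if role == "cluster-admin")


if __name__ == "__main__":
    for binding in shared_admin_bindings(SAMPLE):
        print(f"{binding}: dashboard service account is bound to cluster-admin")
    print(roles_for_service_account(SAMPLE, "dashboard-reader"))
```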
@richyla Thanks for sharing the details. Can you please confirm that you are seeing the same issue as https://github.com/MicrosoftDocs/azure-docs/issues/23789
https://github.com/MicrosoftDocs/azure-docs/issues/14983#issuecomment-458969675
CC: @iainfoulds
Yes, sounds like the same issue. Neither Azure AD user token nor Kubernetes service account token can access dashboard with correct permissions as per their cluster role binding. The only way to remove warnings is to create binding for the default kubernetes-dashboard svc account.
> Hi, sorry missed your response. Yes, if I create an RBAC binding for the "kubernetes-dashboard" service account it works perfectly. However I don't want to configure it in this way as I don't want all users to be able to access the dashboard with the same privileges. Previously I had created additional service accounts, admin, reader etc, created appropriate bindings and used the service account secret token to login to the dashboard.
> This worked perfectly until I upgraded cluster to 1.11.5, now it doesn't seem to work. The login with the service account token works but the permissions errors relating to the "kubernetes-dashboard" service account are shown. I have also tried using my token for my Azure AD account to login to the dashboard and again the permissions errors for the "kubernetes-dashboard" service account are shown.
I exactly need the same thing working
Thanks @Sudharma @richyla for sharing the details. Since the same issue is open here #23789, I will close this issue. Further updates on this issue will be shared here: #23789