Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

[Feature] Add built-in role Azure Kubernetes Service RBAC Cluster Reader #4387

Open CezaryKlus opened 3 days ago

CezaryKlus commented 3 days ago

Is your feature request related to a problem? Please describe. When using the Terraform Kubernetes provider, our CD process needs to read cluster configuration with the minimal required rights. We observed failures on the Terraform plan when trying to read priorityClass resources, as these are cluster scoped. Currently, there is no cluster-wide reader built-in role defined.

Describe the solution you'd like It may be beneficial to add the Azure Kubernetes Service RBAC Cluster Reader role with such permissions (it may be improved by excluding secrets):

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read all resources in the cluster.",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Reader"
}
```

Describe alternatives you've considered Create such a custom role definition manually.
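The "create such a custom role definition manually" alternative, worked through with Azure CLI as an added example (this is not code from the issue author or from the AKS project). It differs from the proposed built-in definition in two ways a practitioner has to handle: a custom role cannot use "/" as an assignable scope, so the subscription is used instead, and Secrets are excluded through `NotDataActions` as the issue suggests. The `SUBSCRIPTION_ID`, the role name, the `listClusterUserCredential/action` permission (assumed to be needed so the CD identity can fetch a kubeconfig) and the object ID of the CD identity are assumptions for illustration, not values from the issue.

```shell
#!/usr/bin/env sh
# Added example: build, validate and register a custom cluster-wide reader
# role for AKS Azure RBAC with the Azure CLI. Assumes `az` is installed and
# logged in; subscription ID, role name and assignee are placeholders.

# Emit the role definition JSON for one subscription.
# Custom roles cannot be assignable at "/", so the scope is the subscription.
# Secrets reads are carved out via NotDataActions, as the issue suggests.
build_role_definition() {
  subscription_id="$1"
  role_name="${2:-AKS RBAC Cluster Reader (custom)}"
  cat <<EOF
{
  "Name": "${role_name}",
  "IsCustom": true,
  "Description": "Read all Kubernetes resources in the cluster, except Secrets.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/operationresults/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.ContainerService/managedClusters/*/read"
  ],
  "NotDataActions": [
    "Microsoft.ContainerService/managedClusters/secrets/read"
  ],
  "AssignableScopes": [
    "/subscriptions/${subscription_id}"
  ]
}
EOF
}

# Offline sanity check before anything is sent to Azure: the definition must
# carve Secrets out of the wildcard read and must not be assignable at "/".
# Returns 0 when the definition passes, 1 otherwise.
validate_role_definition() {
  definition="$1"
  printf '%s\n' "$definition" \
    | grep -q '"Microsoft.ContainerService/managedClusters/secrets/read"' || return 1
  printf '%s\n' "$definition" | grep -q '"/"' && return 1
  return 0
}

# Register the role in the subscription (only runs when called explicitly).
create_role() {
  subscription_id="$1"
  role_name="$2"
  definition=$(build_role_definition "$subscription_id" "$role_name")
  validate_role_definition "$definition" || { echo "refusing to create role" >&2; return 1; }
  printf '%s\n' "$definition" > role.json
  az role definition create --role-definition @role.json
}

# Assign the role to the CD identity on one cluster only: the role is
# readable cluster-wide inside Kubernetes, so keep the Azure scope narrow.
assign_role() {
  assignee_object_id="$1"
  role_name="$2"
  cluster_resource_id="$3"   # /subscriptions/.../managedClusters/<name>
  az role assignment create \
    --assignee-object-id "$assignee_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$role_name" \
    --scope "$cluster_resource_id"
}

# Usage (placeholders):
#   create_role 00000000-0000-0000-0000-000000000000 "AKS RBAC Cluster Reader (custom)"
#   assign_role <cd-identity-object-id> "AKS RBAC Cluster Reader (custom)" \
#     /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerService/managedClusters/<aks>
```

The validation step is deliberately separate from the `az` calls so it can run in CI without credentials; the `az` calls are the only part that needs a logged-in session. Propagation of a new role definition and assignment is not instant, so a Terraform plan run immediately after `assign_role` may still fail with the old permissions for a few minutes.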

PixelRobots commented 3 days ago

Hi. Does this RBAC role do what you need?

https://www.azadvertizer.net/azrolesadvertizer/7f6c6a51-bcf8-42ba-9220-52d62157d7db.html