have an AKS cluster configured with enableAzureRBAC=true
I am trying to install the ingress-nginx Helm chart through Flux
It throws the error
reconciliation failed: failed to get last release revision: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:default:flux-applier" cannot list resource "secrets" in API group "" in the namespace "default": Azure does not have opinion for this user.
I can see that flux sets up a clusterrolebinding to make the flux-applier a cluster admin, which I have verified is in place
The Azure docs on Azure RBAC for AKS clearly state:
If the identity making the request exists in Azure AD, Azure will team with Kubernetes RBAC to authorize the request. If the identity exists outside of Azure AD (i.e., a Kubernetes service account), authorization will defer to the normal Kubernetes RBAC.
have an AKS cluster configured with enableAzureRBAC=true
I am trying to install the ingress-nginx Helm chart through Flux
It throws the error
reconciliation failed: failed to get last release revision: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:default:flux-applier" cannot list resource "secrets" in API group "" in the namespace "default": Azure does not have opinion for this user.I can see that flux sets up a clusterrolebinding to make the flux-applier a cluster admin, which I have verified is in place
So I assume my issue is that Azure doesn't recognize this ServiceAccount and it isn't falling back to built in roles?
https://github.com/kubeguard/guard/blob/master/authz/providers/azure/rbac/checkaccessreqhelper.go
The Azure docs on Azure RBAC for AKS clearly state:
If the identity making the request exists in Azure AD, Azure will team with Kubernetes RBAC to authorize the request. If the identity exists outside of Azure AD (i.e., a Kubernetes service account), authorization will defer to the normal Kubernetes RBAC.
https://learn.microsoft.com/en-us/azure/aks/concepts-identity
But this doesn't seem to be true?