marianleica / azrez

Azure Resource Launcher (azrez) is a console application, created by @marianleica, that aims to support those looking for quick deployments in Azure VMs and Kubernetes for learning and swift repros.
https://github.com/marianleica/azrez
MIT License

AKS clusters have Kubernetes RBAC enabled #8

Closed marianleica closed 3 weeks ago

marianleica commented 3 weeks ago

The Azure user creating the AKS cluster doesn't have rights over the workloads

The azure-arc namespace status:

command started at 2024-10-26 11:39:23+00:00, finished at 2024-10-26 11:39:26+00:00 with exitcode=1
Error from server (Forbidden): pods is forbidden: User "marianleica@lesformidables.club" cannot list resource "pods" in API group "" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): replicationcontrollers is forbidden: User "marianleica@lesformidables.club" cannot list resource "replicationcontrollers" in API group "" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): services is forbidden: User "marianleica@lesformidables.club" cannot list resource "services" in API group "" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): daemonsets.apps is forbidden: User "marianleica@lesformidables.club" cannot list resource "daemonsets" in API group "apps" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): deployments.apps is forbidden: User "marianleica@lesformidables.club" cannot list resource "deployments" in API group "apps" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): replicasets.apps is forbidden: User "marianleica@lesformidables.club" cannot list resource "replicasets" in API group "apps" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): statefulsets.apps is forbidden: User "marianleica@lesformidables.club" cannot list resource "statefulsets" in API group "apps" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "marianleica@lesformidables.club" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): cronjobs.batch is forbidden: User "marianleica@lesformidables.club" cannot list resource "cronjobs" in API group "batch" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.
Error from server (Forbidden): jobs.batch is forbidden: User "marianleica@lesformidables.club" cannot list resource "jobs" in API group "batch" in the namespace "azure-arc": User does not have access to the resource in Azure. Update role assignment to allow access.

marianleica commented 3 weeks ago

The AKS cluster already has RBAC enabled, though the script was using an aks command invoke to fetch the namespace. Removing it from the scripts, as users can run kubectl and check for themselves once the script is finished.