I would like to know if it is possible to isolate namespaces on Azure Kubernetes Service. Now, if I give an RBAC role to my colleagues they can see all namespaces; I would like to segregate namespaces by department, e.g. data can see only the data namespace, dev can see only the dev namespace, etc.
Is it possible?
Thanks
Yes, you have to enable AKS-managed Azure Active Directory, Role-based access control (RBAC) and Azure RBAC for Kubernetes Authorization. There are 2 options:
az aks create \
-g myResourceGroup \
-n myManagedCluster \
--enable-aad \
--enable-azure-rbac
1st option:
---
apiVersion: v1
kind: Namespace
metadata:
  name: data
  labels:
    kubernetes.io/metadata.name: data
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: data-view-access
  namespace: data
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  # Group subjects require apiGroup; the namespace field applies only to ServiceAccount subjects
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: <GROUP_OBJECT_ID>
2nd option is to use Azure custom roles, as explained here, and also with this example from user yk1:
az role assignment create \
--role "Azure Kubernetes Service RBAC Reader" \
--assignee <AAD-ENTITY-ID> \
--scope $AKS_ID/namespaces/<namespace-name>
NOTE: All users must be members of the Azure Kubernetes Service Cluster User Role in order to execute az aks get-credentials.
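To make the first option concrete for several departments, here is an added example (not part of the answer above) that generates one Namespace plus one namespace-scoped RoleBinding per department and then checks which namespaces a given Azure AD group would be granted access to. The department names, the placeholder group object IDs and the simplified authorization check are all assumptions of this example; the Azure RBAC option is not modelled.

```python
"""Per-department namespace isolation manifests (option 1) and a check of the
resulting visibility. Generates JSON manifests that kubectl apply -f accepts."""
import json

# Constructed sample mapping: department namespace -> Azure AD group object ID.
# These IDs are placeholders, not real group IDs.
DEPARTMENTS = {
    "data": "00000000-0000-0000-0000-000000000001",
    "dev": "00000000-0000-0000-0000-000000000002",
}


def namespace_manifest(name):
    return {"apiVersion": "v1", "kind": "Namespace",
            "metadata": {"name": name,
                         "labels": {"kubernetes.io/metadata.name": name}}}


def rolebinding_manifest(namespace, group_object_id, cluster_role="view"):
    # A RoleBinding (not ClusterRoleBinding) scopes the ClusterRole to one namespace.
    # Group subjects carry apiGroup and no namespace field (that is for ServiceAccounts).
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": f"{namespace}-{cluster_role}-access",
                         "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": cluster_role},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                          "kind": "Group", "name": group_object_id}]}


def build_manifests(departments):
    items = []
    for ns, group_id in departments.items():
        items.append(namespace_manifest(ns))
        items.append(rolebinding_manifest(ns, group_id))
    return items


def visible_namespaces(manifests, caller_groups):
    """Namespaces whose RoleBindings name one of the caller's groups.
    Assumes no cluster-wide bindings exist for these groups."""
    visible = set()
    for m in manifests:
        if m["kind"] == "RoleBinding" and any(
                s["kind"] == "Group" and s["name"] in caller_groups for s in m["subjects"]):
            visible.add(m["metadata"]["namespace"])
    return sorted(visible)


def to_manifest_list(manifests):
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2)


if __name__ == "__main__":
    manifests = build_manifests(DEPARTMENTS)
    print(to_manifest_list(manifests))
    print(visible_namespaces(manifests, {DEPARTMENTS["data"]}))  # ['data']
```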