I have deployed an AKS cluster using Entra ID for authentication and Kubernetes RBAC for authorization.

When deploying I have specified an admins group for use with AKS as an admin group:

  azure_active_directory_role_based_access_control {
    managed = true
    tenant_id = var.tenant_id
    admin_group_object_ids = var.aks_admin_group_object_ids
    azure_rbac_enabled = false
  }

I want a different group named users to have access to kubernetes but only to a specific namespace.

By default I can see that the cluster creates the following ClusterRoleBindings:

  • system:basic-user
  • system:discovery
  • system:public-info-viewer

They give various permissions to authenticated users on specific resources. This means that by default, authenticated users can list most resources in AKS.

I have created my own ClusterRole and ClusterRoleBinding that target the users group, but these work in an additive fashion.

I have also determined that any changes to these built-in ClusterRoleBindings are being rolled back after a few seconds.

So my question is this: considering the liberal defaults of AKS, how can I restrict specific Entra ID groups to specific namespaces?

sm0ke21
  • 163
  • 1
  • 1
  • 5
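The usual way to scope an Entra ID group to one namespace on a cluster like the one described above (managed Entra ID integration, `azure_rbac_enabled = false`, so Kubernetes RBAC alone decides) is a namespaced Role plus a RoleBinding whose subject is the group's Entra object ID. The following manifests are an added example, not part of the question; the namespace `team-a`, the role name `team-a-editor`, the binding name `users-team-a` and the all-zero group object ID are placeholders to replace with your own values.

```yaml
# Added example: namespace-scoped RBAC for an Entra ID group on AKS.
# ASSUMPTION: "team-a" is the namespace the "users" group should be confined to.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# A Role (not a ClusterRole) is only valid inside its own namespace, so nothing
# granted here can reach objects in other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-editor
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Secrets are deliberately left out; add a separate, narrower rule if needed.
---
# The subject is the Entra ID group. With managed Entra ID integration the
# group claim carries the group's object ID, not its display name, so that is
# what must appear in the binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: users-team-a
  namespace: team-a
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "00000000-0000-0000-0000-000000000000"  # PLACEHOLDER: object ID of the "users" group
roleRef:
  kind: Role
  name: team-a-editor
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f`, then check the result from the cluster's point of view with impersonation rather than by logging in as a member: `kubectl auth can-i list pods -n team-a --as=anyone --as-group=<group-object-id>` should answer `yes`, while the same query against `-n kube-system` should answer `no`. Two things to keep in mind: RBAC is purely additive, so this binding cannot take away anything the cluster-wide bindings already grant to every authenticated user (the default bindings the question lists stay in place), and the "users" group must not also appear in `admin_group_object_ids`, since that list is bound to cluster-admin.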

0 Answers