Azure Lighthouse delegated subscription's resource AKS cluster access

Question

I have onboarded the customer using Azure Lighthouse and accessed all the Azure services (e.g. AKS cluster) of the delegated subscription but unable to access the cluster resources.

The problem is the AKS cluster has roles and role bindings for customer tenant users (not service provider's users). If I add the cluster roles and role bindings for Service Provider users, the cluster doesn't allow service provider users to authenticate (because it is not present in the customer tenant).

Is there any way I can add a service provider user in the delegated subscription's AKS cluster without adding them to the customer tenant?

Answer 1

I tried to reproduce the same issue in my environment and got the below results

Lighthouse supports only actions that the management plane of Azure. In this case if we are trying to give access to the data plane of the AKS resource which is not possible with Lighthouse as it does not support data plane operations, only management plane supports.

The only option is to add users from your tenant - they can be guest users or members. while accessing we should be the subscription user other wise it won't allow to create.

Please check the access while creating the customer provider after that we have to add the delegations for particular cluster

For accessing the Kubernetes service to delegated subscription please use the below commands

scope needs to be full "resource ID"

az role assignment create --assignee <appId> --scope <resource_scope> --role <Contributor>

RABC roles not classic roles and we cannot assign the roles with data actions

We can check in AKS cluster that where exact the data plane resources, for that only we can access.

Check here for where the exact roles are assigned for