0

Our enterprise strictly disallows the use of Contributor and a handful of other extremely-powerful RBAC roles in Azure.

When I deploy AKS and pre-configure it to use two managed identities, which have been granted all RBAC actions documented per the AKS Service Permissions, the service still attempts to assign itself Contributor.

Can Azure Kubernetes Service function without Contributor, or is Contributor an undocumented and absolute requirement?

STW
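One way to turn the question's observation into a pipeline check, as an added example that is not part of the original post or of the AKS service itself: audit the role assignments held by the cluster's identities and fail when a forbidden built-in role (Contributor, Owner) appears. It assumes the JSON shape returned by `az role assignment list --assignee <principalId> --all -o json` (only the fields used here are modelled); the sample assignments and principal IDs are constructed placeholders.

```python
"""Flag forbidden built-in roles on an AKS cluster's managed identities.

Added example (not from the original post). Matching is done on the role
definition GUID rather than the display name, because a custom role can
carry any name while the built-in Contributor/Owner GUIDs never change.
"""
import json

# Built-in role definition IDs (tenant-independent GUIDs).
CONTRIBUTOR_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
FORBIDDEN_ROLE_IDS = {CONTRIBUTOR_ID: "Contributor", OWNER_ID: "Owner"}

# Constructed sample of `az role assignment list` output (placeholder IDs).
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"principalId": "11111111-1111-1111-1111-111111111111",
  "roleDefinitionName": "Contributor",
  "roleDefinitionId": "/subscriptions/SUB/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "scope": "/subscriptions/SUB/resourceGroups/MC_rg_aks_region"},
 {"principalId": "22222222-2222-2222-2222-222222222222",
  "roleDefinitionName": "aks-kubelet-scoped (custom)",
  "roleDefinitionId": "/subscriptions/SUB/providers/Microsoft.Authorization/roleDefinitions/aaaaaaaa-0000-0000-0000-000000000001",
  "scope": "/subscriptions/SUB/resourceGroups/MC_rg_aks_region"}
]""")

# Principal IDs of the identities handed to AKS (placeholders) -> label.
IDENTITIES = {
    "11111111-1111-1111-1111-111111111111": "control-plane identity",
    "22222222-2222-2222-2222-222222222222": "kubelet identity",
}


def role_definition_guid(role_definition_id: str) -> str:
    # roleDefinitionId is a full ARM path; the GUID is its last segment.
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def find_forbidden_assignments(assignments, identities):
    """Return (identity label, role name, scope) for every assignment of a
    forbidden built-in role to one of the given principal IDs."""
    findings = []
    for a in assignments:
        principal = a.get("principalId", "").lower()
        if principal not in identities:
            continue  # not one of the cluster's identities; ignore
        guid = role_definition_guid(a.get("roleDefinitionId", ""))
        if guid in FORBIDDEN_ROLE_IDS:
            findings.append((identities[principal], FORBIDDEN_ROLE_IDS[guid], a.get("scope", "")))
    return findings


if __name__ == "__main__":
    for label, role, scope in find_forbidden_assignments(SAMPLE_ASSIGNMENTS, IDENTITIES):
        print(f"FORBIDDEN: {label} holds {role} at {scope}")
```

In a real pipeline, replace SAMPLE_ASSIGNMENTS with the CLI output for each identity and treat a non-empty result as a failed deployment gate.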

1 Answer

1

There are 4 of the managed identities that have contributor rights by default: https://learn.microsoft.com/en-us/azure/aks/use-managed-identity

These roles manage the cluster; as such, they need contributor rights.

Shiraz Bhaiji
  • Interesting -- the control plane and kubelet mention "Bring your own identity", and https://learn.microsoft.com/en-us/azure/aks/concepts-identity#identity-creating-and-operating-the-cluster-permissions lists specific RBAC actions. In practice we're finding it still self-escalates one of those identities to Contributor – STW Jun 01 '23 at 00:47