When accessing the resources of an Arc-enabled Kubernetes cluster, one of the options is to use a bearer token.
![Screenshot](https://jpigott.com/wp-content/uploads/2023/11/a-screenshot-of-a-computer-description-automatica.png)
Using the token can be tedious if you use the portal interface often. Using RBAC roles to provide access for a user or group seems much more user-friendly.
Access Kubernetes resources from Azure portal – Azure Arc | Microsoft Learn
To use an Azure RBAC role, complete the following steps.
On the Arc Kubernetes machine, run this command to add the binding to the user or role.
- If you previously did the configuration using a clusterrolebinding named demo-user-binding, you will need to delete it first; otherwise, this step can be skipped.
kubectl delete clusterrolebinding demo-user-binding
- To configure just one user, use the AAD user “name” rather than the Object ID.
kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --user=[email protected]
- For a group of users, create a Microsoft Entra ID group and add the users that require access.
- Assign the Azure Arc Kubernetes Viewer role to the new group.
Use the Object ID of the group rather than the name of the group.
kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --group=AAD_GROUP_OBJECT_ID
![Screenshot](https://jpigott.com/wp-content/uploads/2023/11/a-screenshot-of-a-computer-description-automatica-1.png)
Once this command has completed and the group has the RBAC role set, the user will not be prompted for a bearer token when accessing the Kubernetes resources.
![Screenshot](https://jpigott.com/wp-content/uploads/2023/11/a-screenshot-of-a-computer-description-automatica-2.png)
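Because the bindings above grant cluster-admin, it is worth checking afterwards who holds that role and whether each subject is named the way the steps describe (users by name, groups by Object ID). The following is an added example, not part of the original post; the function names, the sample binding names and the sample subjects are constructed for illustration.

```python
import json, re, sys

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def audit_bindings(doc, role="cluster-admin"):
    """List User/Group subjects bound to `role`, with a note on how each is named."""
    findings = []
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subj in item.get("subjects") or []:
            kind, name = subj.get("kind"), subj.get("name", "")
            if kind not in ("User", "Group") or name.startswith("system:"):
                continue  # skip ServiceAccounts and built-in Kubernetes identities
            is_guid = bool(GUID.match(name))
            if kind == "Group":
                note = "ok" if is_guid else "group is not an Object ID"
            else:
                note = "user is an Object ID, not a name" if is_guid else "ok"
            findings.append((item["metadata"]["name"], kind, name, note))
    return findings

def binding(name, role, kind, subject):
    """Build one constructed ClusterRoleBinding item for the sample below."""
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": kind, "name": subject}]}

# Constructed sample data (not output from a real cluster).
SAMPLE = {"items": [
    binding("cluster-admin", "cluster-admin", "Group", "system:masters"),
    binding("demo-user-binding", "cluster-admin", "User", "alice@example.com"),
    binding("demo-group-binding", "cluster-admin", "Group", "arc-admins"),
    binding("demo-group-ok", "cluster-admin", "Group",
            "11111111-2222-3333-4444-555555555555"),
    binding("demo-viewers", "view", "Group", "arc-viewers"),
]}

if __name__ == "__main__":
    # Pipe in `kubectl get clusterrolebindings -o json`, or run bare for the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for row in audit_bindings(doc):
        print("\t".join(row))
```

A group bound by display name instead of Object ID shows up with a note, which is the mistake the group step above guards against.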