Grant Namespace-Level Access in AKS Using Azure RBAC
Author: Alexander Arana Escobedo
Intro
Azure Kubernetes Service (AKS) supports Azure role-based access control (RBAC) as a way to manage Kubernetes authorization, tightly integrated with Azure Active Directory (Azure AD).
This lets you define who can access what inside your AKS cluster using familiar Azure tools — and without managing separate Kubernetes users or roles manually.
In this post, I’ll show you how to assign namespace-scoped access to Azure AD groups using built-in Azure RBAC roles. This is especially useful when you want to isolate environments or teams inside a shared AKS cluster.
Why Use Azure RBAC for Kubernetes Authorization?
Using Azure RBAC with Kubernetes brings several advantages:
- Centralized access control via Azure AD
- No need to manage Kubernetes RoleBindings or ClusterRoles manually
- Supports scoped access — down to the namespace level
- Great for multi-tenant AKS clusters
For example, a developer team can be granted admin access to only the dev or test namespace and nothing else.
If access to the prod namespace is needed, you can enable Azure AD Privileged Identity Management (PIM) for the Azure AD group, so developers must explicitly request and activate access before performing actions in production.
Script: Assign Namespace-Scoped Roles to an Azure AD Group
Here’s a PowerShell script that grants the necessary roles for namespace-scoped access using Azure’s built-in RBAC roles:
- Reader and Cluster User Role – required to authenticate and discover namespaces
- Namespace Admin – grants full access to a specific namespace
```powershell
Param(
    # Azure AD group that should receive access
    [Parameter(Mandatory = $true)]
    [String]
    $adGroupName,
    # Environment suffix of the cluster name; extend the set as more clusters are onboarded
    [Parameter(Mandatory = $true)]
    [ValidateSet("test")]
    [String]
    $environment,
    # Namespace the group gets admin rights on
    [Parameter(Mandatory = $true)]
    [String]
    $namespaceName
)

$clusterName = "aks-cluster-$environment-we-01"
$resourceGroupName = "<RESOURCE_GROUP_NAME>"
$subscriptionName = "<SUBSCRIPTION_NAME>"

# Built-in Azure RBAC roles for AKS
$clusterReadRole = "Azure Kubernetes Service RBAC Reader"        # read-only view of cluster objects, assigned at cluster scope
$clusterUserRole = "Azure Kubernetes Service Cluster User Role"  # allows fetching the user kubeconfig (az aks get-credentials)
$nameSpaceAdminRole = "Azure Kubernetes Service RBAC Admin"      # full access, assigned at namespace scope only

az login
az account set --subscription $subscriptionName

# Resource ID of the cluster; every scope below is built from it
$AKS_ID = az aks show -g $resourceGroupName -n $clusterName --query id -o tsv
# Object ID of the Azure AD group, used as the assignee
$OBJECT_ID = (az ad group show --group $adGroupName | ConvertFrom-Json).id

"[*] Add permission $clusterReadRole for $adGroupName on cluster level"
az role assignment create --role $clusterReadRole --assignee $OBJECT_ID --scope $AKS_ID

"[*] Add permission $clusterUserRole for $adGroupName on cluster level"
az role assignment create --role $clusterUserRole --assignee $OBJECT_ID --scope $AKS_ID

# Namespace scope is the cluster resource ID followed by /namespaces/<name>
"[*] Add permission $nameSpaceAdminRole for $($adGroupName) on namespace $($namespaceName)"
az role assignment create --role $nameSpaceAdminRole --assignee $OBJECT_ID --scope "$AKS_ID/namespaces/$($namespaceName)"
```
💡 Tips for Managing RBAC Assignments
View current role assignments:

```powershell
az role assignment list --all --assignee <object-id>
```

Remove a role assignment:

```powershell
az role assignment delete --assignee <object-id> --role "<role-name>" --scope <scope>
```
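As an added check that is not part of the original post, the following PowerShell function takes the JSON emitted by `az role assignment list --all --assignee <object-id> -o json` and reports the scope of every assignment, flagging privileged roles granted above namespace level (the least-privilege outcome the script above is meant to produce). The function name, the allowed-role list and the embedded sample assignments are constructed for this example.

```powershell
# Added example (not from the original post): audit an Azure AD group's role
# assignments and flag anything broader than namespace-scoped access.
# Input is the JSON from: az role assignment list --all --assignee <object-id> -o json
# A constructed sample is embedded below so the function runs offline.
function Test-AksNamespaceScopedAccess {
    param(
        [Parameter(Mandatory = $true)][string]$AssignmentsJson,
        # Roles acceptable at cluster scope: needed only to sign in and discover namespaces
        [string[]]$AllowedClusterRoles = @("Azure Kubernetes Service RBAC Reader",
                                           "Azure Kubernetes Service Cluster User Role")
    )
    foreach ($a in ($AssignmentsJson | ConvertFrom-Json)) {
        $role = $a.roleDefinitionName
        if ($a.scope -match '/managedClusters/([^/]+)/namespaces/([^/]+)$') {
            # Scope ends in /namespaces/<name>: confined to one namespace, as intended
            $cluster = $Matches[1]; $ns = $Matches[2]; $status = "OK: namespace-scoped"
        }
        elseif ($a.scope -match '/managedClusters/([^/]+)$') {
            # Cluster scope: fine for the two login roles, anything else reaches every namespace
            $cluster = $Matches[1]; $ns = "*"
            $status = "REVIEW: $role at cluster scope covers all namespaces"
            if ($AllowedClusterRoles -contains $role) { $status = "OK: expected cluster role" }
        }
        else {
            # Subscription or resource-group scope inherits down to every cluster and namespace
            $cluster = "*"; $ns = "*"; $status = "REVIEW: scope above cluster level"
        }
        [pscustomobject]@{ Role = $role; Cluster = $cluster; Namespace = $ns; Status = $status }
    }
}

# Constructed sample output: the three assignments the script creates, plus one
# over-broad RBAC Admin at cluster scope that the audit should flag.
$clusterScope = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>" +
                "/providers/Microsoft.ContainerService/managedClusters/aks-cluster-test-we-01"
$sample = @(
    @{ roleDefinitionName = "Azure Kubernetes Service RBAC Reader";       scope = $clusterScope },
    @{ roleDefinitionName = "Azure Kubernetes Service Cluster User Role"; scope = $clusterScope },
    @{ roleDefinitionName = "Azure Kubernetes Service RBAC Admin";        scope = "$clusterScope/namespaces/team-a" },
    @{ roleDefinitionName = "Azure Kubernetes Service RBAC Admin";        scope = $clusterScope }
) | ConvertTo-Json

Test-AksNamespaceScopedAccess -AssignmentsJson $sample | Format-Table -AutoSize
```

Against a live tenant, replace `$sample` with `(az role assignment list --all --assignee $OBJECT_ID -o json | Out-String)` after `az login`.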
References
Use Azure role-based access control for Kubernetes Authorization
I hope this post helps you better manage access in your AKS environments! If you have any questions, don’t hesitate to reach out! 🙏
Alexander Arana.E