Now, get the credentials as the read-only user.
This time, the "--admin" parameter is not passed:
az aks get-credentials --resource-group handsonaks-rbac --name handsonaks-rbac
Run the following command, just to test RBAC:
kubectl get all
You will be asked to log in:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BRVBZLAHE to authenticate.
Log in using the read-only account's username. The first time you log in, you will be asked to change the password.
Once you have logged in successfully, you can close the window and you should see the following output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 14h
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "[email protected]" cannot list horizontalpodautoscalers.autoscaling in the namespace "default"
Error from server (Forbidden): jobs.batch is forbidden: User "[email protected]" cannot list jobs.batch in the namespace "default"
Error from server (Forbidden): cronjobs.batch is forbidden: User "[email protected]" cannot list cronjobs.batch in the namespace "default"
So the read-only user can list most resources, except horizontal pod autoscalers, batch jobs, and cronjobs.
Let's see whether we actually have read-only access by trying to delete something, such as a pod:
kubectl delete pods/<pod name running in the namespace kube-system> -n kube-system
You will get a Forbidden message:
Error from server (Forbidden): pods "heapster-779db6bd48-nvhv9" is forbidden: User "[email protected]" cannot delete pods in the namespace "kube-system"
This confirms that the user has only the access we granted: it can read most resources but cannot delete them.
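The two manual probes above (listing everything and then attempting a delete) can be replaced by asking the API server directly whether each verb is permitted. The script below is an added example and is not code from the book or from Azure; it uses only kubectl auth can-i, which performs a SelfSubjectAccessReview and changes nothing in the cluster. It assumes the current kubeconfig context is the non-admin user set up above (credentials fetched with az aks get-credentials without --admin); the resource lists, the namespace defaults, the file name check_readonly.sh and the KUBECTL override variable are illustrative choices, not anything the book prescribes. It reports both the read verbs that are denied (the book's output shows list being denied for horizontal pod autoscalers, jobs and cronjobs) and any write verb that is unexpectedly allowed.

```shell
#!/bin/sh
# Added example, not the book's code: verify a read-only user's RBAC posture
# with "kubectl auth can-i" instead of attempting a real delete.
# Assumes the current context is the non-admin user obtained with
# "az aks get-credentials" (no --admin). Resource and namespace names are
# illustrative defaults, not values taken from the book.

# Command used to reach the cluster. Override (e.g. KUBECTL=some_stub) to
# drive the checks from a stand-in when no cluster is reachable.
KUBECTL=${KUBECTL:-kubectl}

# can_i VERB RESOURCE NAMESPACE -> prints "yes" or "no".
# "kubectl auth can-i" exits 0 when the verb is allowed and 1 when it is not;
# it only asks the API server, it does not perform the action.
can_i() {
  if "$KUBECTL" auth can-i "$1" "$2" -n "$3" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# readonly_violations NAMESPACE -> one "verb resource" line per write verb
# that is allowed. For a genuinely read-only user this prints nothing.
readonly_violations() {
  for resource in pods deployments.apps services secrets; do
    for verb in create update patch delete; do
      if [ "$(can_i "$verb" "$resource" "$1")" = yes ]; then
        echo "$verb $resource"
      fi
    done
  done
}

# read_gaps NAMESPACE -> one "verb resource" line per read verb that is denied.
# These are gaps in read coverage, like the Forbidden errors for
# horizontalpodautoscalers, jobs and cronjobs in the output above.
read_gaps() {
  for resource in pods services horizontalpodautoscalers.autoscaling jobs.batch cronjobs.batch; do
    for verb in get list; do
      if [ "$(can_i "$verb" "$resource" "$1")" = no ]; then
        echo "$verb $resource"
      fi
    done
  done
}

# Usage against a live cluster (file name is an assumption):
#   sh check_readonly.sh --run kube-system
# Exits non-zero if any write verb is permitted in the namespace.
if [ "${1:-}" = "--run" ]; then
  ns=${2:-kube-system}
  echo "== read verbs denied in $ns =="
  read_gaps "$ns"
  findings=$(readonly_violations "$ns")
  if [ -n "$findings" ]; then
    echo "== write verbs ALLOWED in $ns (user is not read-only) =="
    echo "$findings"
    exit 1
  fi
  echo "No write verbs allowed in $ns: user is read-only."
fi
```

Because the checks go through kubectl auth can-i, the same script can be run as the admin context to confirm that the admin user is not accidentally restricted, and it can be re-run after any change to the cluster's role bindings to catch drift in what the read-only user may do.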