title | description | ms.date | ms.reviewer | ms.service | ms.custom |
---|---|---|---|---|---|
User can't get cluster resources | Troubleshoot issues that are caused when a user can't list a resource within an API group in an Azure Kubernetes Service (AKS) cluster. | 03/07/2024 | rissing chiragpa, v-leedennis | azure-kubernetes-service | sap:Connectivity |
This article describes how to fix issues that occur when you can't get the details of a resource in an Azure Kubernetes Service (AKS) cluster.
- The Kubernetes cluster command-line tool (kubectl).
Note
If you use Azure Cloud Shell to run shell commands, kubectl is already installed. If you use a local shell and already have Azure CLI installed, you can alternatively install kubectl by running the az aks install-cli command.
If you run kubectl to get the details of an AKS cluster node, you might see the following error message:
```console
$ kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "aaaa11111-11aa-aa11-a1a1-111111aaaaa" cannot list resource "nodes" in API group "" at the cluster scope
```
When you enable role-based access control (RBAC) for your AKS cluster, you control the permissions for a User through Role and RoleBinding (or ClusterRole and ClusterRoleBinding) settings. If the User hasn't been granted the correct permissions, the User sees errors when it tries to get the details of a resource in the cluster.
Make sure you set the correct Role and RoleBinding for the User. For detailed examples, see Use Kubernetes RBAC with Microsoft Entra integration.
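As an added illustration (not taken from the original article), the following manifest grants one user read-only access to nodes, which resolves the error shown earlier without granting broader rights. Because nodes are cluster-scoped, a ClusterRole and ClusterRoleBinding are required. The object names `node-reader` and `node-reader-binding` are hypothetical, and the subject name is a placeholder for the User string in your own error message.

```yaml
# Added example: least-privilege read access to nodes for a single user.
# The names node-reader and node-reader-binding are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
  # Nodes belong to the core API group, which the error message prints as "".
  - apiGroups: [""]
    resources: ["nodes"]
    # Read-only verbs; "list" is the verb named in the Forbidden error.
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-reader
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    # Placeholder: replace with the exact User value from the Forbidden error.
    name: "<user-id-from-error-message>"
```

After a cluster administrator applies the manifest, `kubectl auth can-i list nodes --as "<user-id-from-error-message>"` should return `yes`.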
If AKS manages integration with Microsoft Entra ID, the user might not have the correct assignment for the security group.
Make sure the security group's administrator has given your account an Active or Conditional Access assignment. See AKS-managed Microsoft Entra integration. That article has instructions for setting either an Active assignment or a Conditional Access assignment.