4

I have created an Azure Kubernetes cluster; however, RBAC and AKS-managed Azure Active Directory are disabled. I want to enable both, but I am unable to do so.

Environment : Azure AKS Cluster v1.19.11


I have tried these commands to enable RBAC and AAD:

```
$  az aks update -g  k8s-azwe-rg-01 -n k8s-azwe-aks-01 --enable-azure-rbac
Cannot specify "--enable-azure-rbac" if managed AAD is not enabled

$ az aks update -g k8s-azwe-rg-01 -n k8s-azwe-aks-01 --enable-aad --aad-admin-group-object-ids 4b-58-0c-7a --aad-tenant-id e-ece23-19d66-9d4
(RBACNotEnabledForAAD) RBAC must be enabled for AAD to be enabled.

$  az aks update -g  k8s-azwe-rg-01 -n k8s-azwe-aks-01 --enable-aad --enable-azure-rbac
(RBACNotEnabledForAAD) RBAC must be enabled for AAD to be enabled.
Code: RBACNotEnabledForAAD
Message: RBAC must be enabled for AAD to be enabled.
```

Satyam Pandey
  • Hmm, that's really strange, I cannot reproduce your issue. What version of azure-cli do you have installed? You need at least 2.29.0. For me it is 2.33.0 and this worked: `az aks create -g MyResourceGroup -n MyCluster --kubernetes-version 1.19.11` & `az aks update -g MyResourceGroup -n MyCluster --enable-azure-rbac --enable-aad` – Philip Welz Feb 09 '22 at 14:36
  • @PhilipWelz `$ az version { "azure-cli": "2.31.0", "azure-cli-core": "2.31.0", "azure-cli-telemetry": "1.0.6", "extensions": {} }` – Satyam Pandey Feb 09 '22 at 14:42

2 Answers

3

RBAC can only be enabled during cluster creation; you cannot enable it after the AKS cluster is formed.

zposloncec
  • Yes, it led to recreation of the cluster – Satyam Pandey Feb 27 '22 at 02:56
  • The docs are really confusing here. I'm trying to enable Azure RBAC on an existing cluster (already enabled AAD upon creation): https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac#integrate-azure-rbac-into-an-existing-cluster But running `az aks update -n ClusterName -g GroupName --enable-azure-rbac` just shows that this is not possible currently using az-cli (using 2.37). Are the docs then wrong, clearly stating that this is possible? – Hulvej Jun 02 '22 at 07:40
  • Scratch the above. Needed to update the aks-preview extension to az-cli as well. `az extension update --name aks-preview` – Hulvej Jun 02 '22 at 07:52
-1

In case anyone is still looking, it is now possible to enable RBAC on an existing cluster.

https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac#integrate-azure-rbac-into-an-existing-cluster

Ricky Gummadi
  • Unfortunately that is only partly true. For the situation that @Satyam Pandey is explaining, it is still not possible. When you do `--enable-azure-rbac` you are told `Cannot specify "--enable-azure-rbac" if managed AAD is not enable`. But when you do `--enable-aad` you are told `RBAC must be enabled for AAD to be enabled.` It's a Catch-22! – Martin D Jan 20 '23 at 09:31
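
A pre-flight check for the situation discussed in this thread, as an added example that is not part of any post: it reads `enableRbac`, `aadProfile.managed` and `aadProfile.enableAzureRbac` from `az aks show` and prints which update path is open before any `az aks update` is attempted. The function names and plan labels are hypothetical, and `<group-object-id>` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and plan labels are hypothetical.

# Lower-case a value: `-o tsv` may print booleans as True/False, and null as empty or None.
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# aks_identity_plan ENABLE_RBAC AAD_MANAGED AZURE_RBAC
# Arguments are enableRbac, aadProfile.managed and aadProfile.enableAzureRbac
# as reported by `az aks show`. Prints the next step for that state.
aks_identity_plan() (
  rbac=$(norm "$1"); managed=$(norm "$2"); azrbac=$(norm "$3")
  if [ "$rbac" != "true" ]; then
    # State from the question: --enable-aad returns RBACNotEnabledForAAD and
    # --enable-azure-rbac is refused because managed AAD is off.
    echo "recreate-cluster"
  elif [ "$managed" != "true" ]; then
    echo "enable-aad-then-azure-rbac"
  elif [ "$azrbac" != "true" ]; then
    echo "enable-azure-rbac"
  else
    echo "nothing-to-do"
  fi
)

# Read one property of the cluster ($1 = resource group, $2 = name, $3 = JMESPath).
aks_prop() { az aks show -g "$1" -n "$2" --query "$3" -o tsv; }

# Live check, only when called as: script.sh <resource-group> <cluster-name>
if [ "$#" -eq 2 ]; then
  plan=$(aks_identity_plan \
    "$(aks_prop "$1" "$2" enableRbac)" \
    "$(aks_prop "$1" "$2" aadProfile.managed)" \
    "$(aks_prop "$1" "$2" aadProfile.enableAzureRbac)")
  case "$plan" in
    recreate-cluster)
      echo "Kubernetes RBAC is off: per the first answer, create a new cluster with RBAC enabled." ;;
    enable-aad-then-azure-rbac)
      echo "az aks update -g $1 -n $2 --enable-aad --aad-admin-group-object-ids <group-object-id>"
      echo "az aks update -g $1 -n $2 --enable-azure-rbac" ;;
    enable-azure-rbac)
      echo "az aks update -g $1 -n $2 --enable-azure-rbac" ;;
    *) echo "Managed AAD and Azure RBAC are already enabled." ;;
  esac
fi
```

The script only prints the suggested commands; it never modifies the cluster.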