This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 61%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
Hi Team,
I have an AKS Cluster with namespace "sample", in which I have deployed just a nginx pod. I have a requirement to list the pods running in the namespace to perform a health check from the VM. My AKS cluster is created with "Microsoft Entra ID Authentication with Azure RBAC". I gave the VM's user assigned identity the maximum permission of "AKS Cluster Admin Role" and "AKS RBAC Admin role". However when I try to use the Kubernetes REST API to list the pods I am getting the following error:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
Step1: I tried to retrieve token of the user assigned managed identity using the following command
TOKEN=$(az account get-access-token --resource=https://management.azure.com/ --query accessToken -o tsv)
Step2: I gave the below command to list the pods which is giving me the 401 error.
curl -k -X GET https://$APISERVER/api/v1/namespaces/sample/pods -H "Authorization: Bearer $TOKEN"
Also, I have created the ClusterRoleBinding with cluster role "cluster-admin" to the object id of the User assigned managed identity of VM. (tried with Client id as well).
Please advise what I am missing with this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 43%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Please reference this link - https://github.com/kubernetes-client/python
Even executing this example code returns same error. As per some of the documentation found over the internet/chatgpt it reveals that additional AADProfile need to be added to AKS to allow managed identity to access AKS APIs.
Moreover, the Kubernetes APIs references the Kubernetes API-server - https://kubernetes.io/docs/reference/using-api/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 79%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3END%3C/text%3E%3C/svg%3E)
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
We do not have a direct REST API to list the pods in the AKS cluster. You can use the command kubectl get pods to get the list of pods in the AKS cluster.
I would recommend you refer to this- https://learn.microsoft.com/en-us/answers/questions/2122637/can-anyone-provide-api-documentation-or-guidance-o
If you have any further queries, do let us know.
Did you get a chance to review the solution provided above? If you have any further queries, please let us know.
Following up to see if the above answer was helpful. If this answers your query, do click 'Accept Answer' and 'Upvote' for was this answer helpful. And, if you have any further query do let us know.