Merge pull request #247317 from JnHs/jh-arck8-portalacc

Add role info in prereqs + general review

Author: v-regandowner

articles/azure-arc/kubernetes/kubernetes-resource-view.md

@@ -1,6 +1,6 @@
 ---
 title: Access Kubernetes resources from Azure portal
-ms.date: 07/22/2022
+ms.date: 08/07/2023
 ms.topic: how-to
 description: Learn how to interact with Kubernetes resources to manage an Azure Arc-enabled Kubernetes cluster from the Azure portal.
 ---
@@ -13,7 +13,21 @@ The Azure portal includes a Kubernetes resource view for easy access to the Kube
 
 - An existing Kubernetes cluster [connected](quickstart-connect-cluster.md) to Azure as an Azure Arc-enabled Kubernetes resource.
 
-- [Service account token](cluster-connect.md#service-account-token-authentication-option) for authentication to the cluster.
+- An account that can authenticate to the cluster and access the resources in the portal:
+
+  - If using [Azure RBAC](azure-rbac.md), ensure that the Azure Active Directory (Azure AD) account that will access the portal has a role that lets it authenticate to the cluster, such as [Azure Arc Kubernetes Viewer](/azure/role-based-access-control/built-in-roles):
+
+   ```azurecli
+   az role assignment create --role "Azure Arc Kubernetes Viewer" --assignee $AAD_ENTITY_OBJECT_ID --scope $ARM_ID_CLUSTER
+   ```
+
+  - If using [cluster connect with service account token authentication](cluster-connect.md#service-account-token-authentication-option), ensure that the account uses a Kubernetes cluster role that can authenticate to the cluster, such as `cluster-admin`:
+  
+   ```console
+   kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --user=$AAD_ENTITY_OBJECT_ID`
+   ```
+
+   The same account must have an Azure role such as [Azure Arc Kubernetes Viewer](/azure/role-based-access-control/built-in-roles) in order to authenticate to the Azure portal and view Arc-enabled cluster resources.
 
 ## View Kubernetes resources
 
@@ -25,19 +39,20 @@ To see the Kubernetes resources, navigate to your cluster in the Azure portal. T
 - **Storage** shows your Azure storage classes and persistent volume information.
 - **Configuration** shows your cluster's config maps and secrets.
 
-[ ![Kubernetes workloads information displayed in the Azure portal](media/kubernetes-resource-view/workloads.png) ](media/kubernetes-resource-view/workloads.png#lightbox)
+:::image type="content" source="media/kubernetes-resource-view/workloads.png" alt-text="Screenshot of Kubernetes workloads information in the Azure portal." lightbox="media/kubernetes-resource-view/workloads.png":::
 
 ## Edit YAML
 
 The Kubernetes resource view also includes a YAML editor. A built-in YAML editor means you can update Kubernetes objects from within the portal and apply changes immediately.
 
-After you edit the YAML, select **Review + save**, confirm the changes, and then save again.
+>[!WARNING]
+> The Azure portal Kubernetes management capabilities and the YAML editor are built for learning and flighting new deployments in a development and test setting. Performing direct production changes by editing the YAML is not recommended. For production environments, consider using [GitOps to apply configurations](tutorial-use-gitops-flux2.md).
 
-[ ![YAML editor for Kubernetes objects displayed in the Azure portal](media/kubernetes-resource-view/yaml-editor.png) ](media/kubernetes-resource-view/yaml-editor.png#lightbox)
+After you edit the YAML, select **Review + save**, confirm the changes, and then save again.
 
->[!WARNING]
-> The Azure portal Kubernetes management capabilities and the YAML editor are built for learning and flighting new deployments in a development and testing setting. Performing direct production changes via UI or CLI is not recommended. For production environments, consider using [Configurations (GitOps)](tutorial-use-gitops-flux2.md).
+:::image type="content" source="media/kubernetes-resource-view/yaml-editor.png" alt-text="Screenshot showing the YAML editor for Kubernetes objects displayed in the Azure portal." lightbox="media/kubernetes-resource-view/yaml-editor.png":::
 
 ## Next steps
 
-Azure Monitor for containers provides more in-depth information about nodes and containers of the cluster when compared to the Kubernetes resource view described in this article. Learn how to [deploy Azure Monitor for containers](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json) on your cluster.
+- Learn how to [deploy Azure Monitor for containers](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json) for more in-depth information about nodes and containers on your clusters.
+- Learn about [identity and access options for Azure Arc-enabled Kubernetes](identity-access-overview.md).

articles/azure-arc/kubernetes/media/kubernetes-resource-view/workloads.png

@@ -97,7 +97,8 @@
     href: agent-upgrade.md
   - name: Use Private Link Scope
     href: private-link.md
-  - name: Azure portal Kubernetes resource view
+  - name: View resources in Azure portal
+    displayName: kubernetes, yaml, workload
     href: kubernetes-resource-view.md
   - name: Deploy applications consistently
     displayName: GitOps, flux, configuration, policy