k8s Azure RBAC integrated with AAD

Give user access

Find domain, Azure Active Directory, Overview -> Primary domain

export aad_domain="mydomain.onmicrosoft.com"
# User
UPN="<UserName>@${aad_domain}"
# k8s details
k8s_rg=""
k8s_cluster=""
k8s_id=$(az aks show --resource-group ${k8s_rg} --name ${k8s_cluster} --query id -o tsv)

create k8s role and binding

# Login as admin
az aks get-credentials --resource-group ${k8s_rg} --name ${k8s_cluster} --admin
# Possible error: Message: Getting static credential is not allowed because this cluster is set to disable local accounts.
#                 try $ az aks get-credentials --resource-group ${k8s_rg} --name ${k8s_cluster} --public-fqdn
kubectl create namespace dev

role-dev-namespace.yaml

echo '---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: dev
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
' | kubectl apply -f -

get objectId

k8s_kind="Group"
az_grp_name="dev"
az_obj_id=$( az ad group show --group ${az_grp_name} --query id -o tsv )
az role assignment create \
  --assignee ${az_obj_id} \
  --role "Azure Kubernetes Service Cluster User Role" \
  --scope $AKS_ID

## or
k8s_kind="User"
az_obj_id="<UserName>@${aad_domain}"

rolebinding-dev-namespace.yaml

echo "---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access
subjects:
- kind: ${k8s_kind}
  namespace: dev
  name: ${az_obj_id}
---
" | kubectl apply -f -

az aks get-credentials --resource-group ${k8s_rg} --name ${k8s_cluster} --public-fqdn