k8s Azure RBAC integrated with AAD
Give user access
Find the domain under Azure Active Directory -> Overview -> Primary domain
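# AAD tenant domain (Azure Active Directory -> Overview -> Primary domain).
# User UPNs have the form "<UserName>@${aad_domain}".
export aad_domain="mydomain.onmicrosoft.com"

# AKS cluster details -- fill in before running.
k8s_rg=""
k8s_cluster=""
# Fail early with a readable message instead of handing empty values to `az`.
: "${k8s_rg:?set k8s_rg to the AKS resource group name}"
: "${k8s_cluster:?set k8s_cluster to the AKS cluster name}"

# Full ARM resource id of the cluster; used as the --scope of the role
# assignment further down.
k8s_id=$(az aks show --resource-group "${k8s_rg}" --name "${k8s_cluster}" --query id -o tsv)
: "${k8s_id:?az aks show returned no id for ${k8s_rg}/${k8s_cluster}}"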
Create the k8s Role and RoleBinding
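# Log in with the cluster-admin kubeconfig; the Role/RoleBinding below are
# created with these credentials.
az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --admin
# Possible error:
#   Message: Getting static credential is not allowed because this cluster is
#   set to disable local accounts.
# In that case try the AAD credentials instead:
#   az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --public-fqdn

# Namespace that the Role and RoleBinding below are scoped to.
kubectl create namespace dev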
role-dev-namespace.yaml
# Role "dev-user-full-access": every verb on every resource of the core,
# extensions and apps groups plus batch jobs/cronjobs, inside the "dev"
# namespace only. A wildcard resource list in the core group also covers
# secrets and pod subresources such as pods/exec -- narrow the list if the
# dev role should not reach those.
# Quoted delimiter: the manifest contains no shell expansions.
kubectl apply -f - <<'EOF'
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: dev
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]
---
EOF
get objectId
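# Subject of the RoleBinding: an AAD group (identified by object id) or a
# single AAD user (identified by UPN). Set k8s_kind to choose.
k8s_kind="Group"            # "Group" or "User"
az_grp_name="dev"           # AAD group display name (used when k8s_kind=Group)
az_user_name="<UserName>"   # user part of the UPN (used when k8s_kind=User)

case "${k8s_kind}" in
  Group)
    # The RoleBinding needs the group's object id, not its display name.
    az_obj_id=$(az ad group show --group "${az_grp_name}" --query id -o tsv)
    ;;
  User)
    az_obj_id="${az_user_name}@${aad_domain}"
    ;;
  *)
    printf 'k8s_kind must be "Group" or "User", got "%s"\n' "${k8s_kind}" >&2
    az_obj_id=""
    ;;
esac
: "${az_obj_id:?could not resolve the RoleBinding subject (k8s_kind=${k8s_kind})}"

# Allow the subject to fetch user kubeconfig credentials for this cluster.
# --assignee accepts an object id or a sign-in name, so this covers both
# kinds above. Scope is the cluster id captured in k8s_id.
az role assignment create \
  --assignee "${az_obj_id}" \
  --role "Azure Kubernetes Service Cluster User Role" \
  --scope "${k8s_id}"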
rolebinding-dev-namespace.yaml
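# Bind the dev Role to the AAD subject resolved above. Refuse to apply a
# binding with an empty kind or name rather than letting the API reject it.
: "${k8s_kind:?k8s_kind (Group or User) must be set}"
: "${az_obj_id:?az_obj_id (group object id or user UPN) must be set}"

# Unquoted delimiter on purpose: ${k8s_kind} and ${az_obj_id} are expanded.
# NOTE(review): the subject "namespace" field is only meaningful for
# ServiceAccount subjects; for User/Group it is presumably ignored -- confirm.
kubectl apply -f - <<EOF
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access
subjects:
  - kind: ${k8s_kind}
    namespace: dev
    name: ${az_obj_id}
---
EOF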
Log in with the new credentials
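# Fetch the user (non-admin) kubeconfig for the cluster; this replaces the
# --admin context obtained earlier.
az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --public-fqdn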