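= k8s Azure RBAC integrated with AAD =
 * https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac
 * https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal

== Give user access ==
 * Find domain, Azure Active Directory, Overview -> Primary domain
{{{
export aad_domain="mydomain.onmicrosoft.com"
# User (placeholder: put the local part of the UPN in front of the @)
UPN="@${aad_domain}"
# k8s details (placeholders: fill in before running the az commands below)
k8s_rg=""
k8s_cluster=""
# Full Azure resource id of the cluster; reused below as the role-assignment scope.
k8s_id=$(az aks show --resource-group "${k8s_rg}" --name "${k8s_cluster}" --query id -o tsv)
}}}
 * create k8s role and binding
{{{
# Login as admin.
# --admin fetches the static cluster-admin credential (a local account), which is
# not tied to an AAD identity. Use it only for this bootstrap step.
az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --admin
# Possible error:
#   Message: Getting static credential is not allowed because this cluster is set to disable local accounts.
# That message means local accounts are disabled, so --admin cannot work on this
# cluster; fetch the credentials without --admin and sign in with an AAD identity
# that is allowed to create namespaces and roles.
# try:
#   az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --public-fqdn
kubectl create namespace dev
}}}
 * role-dev-namespace.yaml
{{{
# Namespaced Role: every verb on every resource of the core, extensions and apps
# API groups inside dev, plus jobs and cronjobs in batch. The wildcard on the core
# group covers Secrets, so treat membership of the bound group as full control of
# the dev namespace and narrow the rules if that is more than the team needs.
# The quoted heredoc delimiter keeps the manifest literal (no shell expansion).
kubectl apply -f - <<'EOF'
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: dev
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
EOF
}}}
 * get objectId
{{{
k8s_kind="Group"
az_grp_name="dev"
az_obj_id=$(az ad group show --group "${az_grp_name}" --query id -o tsv)

# Scope the assignment to this one cluster. The scope is the k8s_id value from
# the first step (the page previously referenced AKS_ID, which is never set here).
# The :? guards abort before az runs if either value is empty, so the assignment
# can never be created with a blank assignee or at an unintended scope.
az role assignment create \
  --assignee "${az_obj_id:?az_obj_id is empty, check the az ad group show step}" \
  --role "Azure Kubernetes Service Cluster User Role" \
  --scope "${k8s_id:?k8s_id is empty, run the az aks show step first}"

## or bind a single user instead of the group: uncomment both lines and
## put the local part of the UPN in front of the @
# k8s_kind="User"
# az_obj_id="@${aad_domain}"
}}}
 * rolebinding-dev-namespace.yaml
{{{
# Unquoted heredoc delimiter on purpose: k8s_kind and az_obj_id are expanded by
# the shell before the manifest reaches kubectl. Both must be set by the previous step.
kubectl apply -f - <<EOF
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access
subjects:
- kind: ${k8s_kind}
  namespace: dev
  name: ${az_obj_id}
---
EOF
}}}
 * login with new credentials
{{{
# No --admin here, so the dev Role and RoleBinding above are what apply.
az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --public-fqdn
}}}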