k8s/AzureAKS/AdRbac
- 2022: use Azure AD as the user source for Azure Kubernetes Service (AKS) RBAC login
Setup
List existing groups in the directory
az ad group list --filter "displayname eq '<group-name>'" -o table
If needed - create an Azure AD group
# either in the Azure web portal, or with the CLI:
az ad group create --display-name myAKSAdminGroup --mail-nickname myAKSAdminGroup
Create an AKS cluster with AKS-managed Azure AD integration (members of the admin group get cluster-admin)
AZ_RG=<ResourceGroup>
AZ_K8S_CLUSTER=<ClusterName>
AZ_GRP_ADMIN_ID=<GrpObjID>
az aks create -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} [--aad-tenant-id <id>]
# or with local accounts disabled, so AAD is the only way to authenticate
az aks create -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --disable-local-accounts
For an existing cluster, enable it with
az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} [--aad-tenant-id <id>]
# or with local accounts disabled
az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --disable-local-accounts
Re-enable local accounts with (the flag is --enable-local-accounts, the counterpart of --disable-local-accounts)
az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --enable-local-accounts
Once the cluster is created, retrieve kubectl credentials
az aks get-credentials --resource-group ${AZ_RG} --name ${AZ_K8S_CLUSTER} --public-fqdn   # --public-fqdn only matters for a private cluster
# for an AAD-enabled cluster, convert the kubeconfig to use exec login via kubelogin
kubelogin convert-kubeconfig
Emergency k8s access if the AAD integration is broken: re-apply the admin group object ID (not the cluster name)
az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} [--aad-tenant-id <id>]
Caveat: while local accounts are enabled, az aks get-credentials with --admin also yields a break-glass kubeconfig that bypasses AAD; after --disable-local-accounts that path is gone, so keep the admin group object ID recorded somewhere reachable without the cluster.
k8s login
- kubelogin: Go tool, a kubectl exec credential plugin that performs the Azure AD authentication
- brew install Azure/kubelogin/kubelogin
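Added example (not part of the original notes, and not Azure's or kubelogin's own code): helper functions around the procedure above. The missing piece after enabling AAD is that every non-admin AAD group still needs a Kubernetes RoleBinding, addressed by the group's object ID, and that the converted kubeconfig should be checked for the kubelogin exec entry before relying on it. AZ_RG, AZ_K8S_CLUSTER and AZ_GRP_ADMIN_ID follow the notes; AZ_GRP_DEV_ID, the namespace dev, the role dev-user-full-access and the sample kubeconfig are assumptions constructed for illustration. The aks_aad_setup function needs az, kubectl and kubelogin and is not executed offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes. Assumed names: AZ_GRP_DEV_ID,
# namespace "dev", role "dev-user-full-access".
set -euo pipefail

# 1. Kubernetes RBAC refers to an AAD group by its object ID (a GUID), never by
#    display name. Reject anything else before it reaches kubectl.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# 2. Namespaced RoleBinding granting an AAD group a Role in one namespace.
#    The group from --aad-admin-group-object-ids is already cluster-admin;
#    every other group needs a binding like this or it can do nothing.
rolebinding_for_group() {
  local group_id="$1" namespace="$2" role="$3"
  is_guid "$group_id" || { echo "not an AAD group object ID: $group_id" >&2; return 1; }
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aad-${namespace}-${role}
  namespace: ${namespace}
subjects:
- kind: Group
  name: ${group_id}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# 3. After "kubelogin convert-kubeconfig" the user entry must be an exec plugin
#    running "kubelogin get-token"; if not, kubectl is still on the old auth path.
kubeconfig_uses_kubelogin() {
  local kubeconfig="$1"
  grep -q 'command: kubelogin' "$kubeconfig" && grep -q -- '- get-token' "$kubeconfig"
}

# 4. End-to-end procedure from the notes (requires az, kubectl, kubelogin).
#    Local accounts are disabled, so AAD is the only way in.
aks_aad_setup() {
  is_guid "$AZ_GRP_ADMIN_ID" || return 1
  az aks create -g "$AZ_RG" -n "$AZ_K8S_CLUSTER" --enable-aad \
    --aad-admin-group-object-ids "$AZ_GRP_ADMIN_ID" --disable-local-accounts
  az aks get-credentials -g "$AZ_RG" -n "$AZ_K8S_CLUSTER"
  kubelogin convert-kubeconfig -l azurecli   # reuse the existing "az login" session
  kubeconfig_uses_kubelogin "${KUBECONFIG:-$HOME/.kube/config}"
  rolebinding_for_group "$AZ_GRP_DEV_ID" dev dev-user-full-access | kubectl apply -f -
}

# Constructed sample of a converted kubeconfig user entry (not captured from a
# real cluster); the server-id is the public AKS AAD server application ID.
SAMPLE_KUBECONFIG="$(mktemp)"
cat > "$SAMPLE_KUBECONFIG" <<'EOF'
users:
- name: clusterUser_rg_cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin
      args:
      - get-token
      - --login
      - azurecli
      - --server-id
      - 6dae42f8-4368-4678-94ff-3960e28e3630
EOF
```

Usage: source the file, then `rolebinding_for_group "$AZ_GRP_DEV_ID" dev dev-user-full-access | kubectl apply -f -` for each non-admin group, and `kubeconfig_uses_kubelogin ~/.kube/config` before assuming the conversion took. Using `-l azurecli` avoids the device-code prompt when `az login` has already been run; drop it to fall back to kubelogin's default device-code flow.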