= k8s/AzureAKS/AdRbac =

 * 2022: use Azure AD as the user source for Azure Kubernetes (AKS) RBAC login

== Setup ==

 1. List existing groups in the directory
 {{{
 az ad group list --filter "displayname eq ''" -o table
 }}}
 2. If needed, create an Azure AD group
 {{{
 # Alternatively, use the Azure web portal console
 az ad group create --display-name myAKSAdminGroup --mail-nickname myAKSAdminGroup
 }}}
 3. Create an AKS-managed Azure AD cluster
 {{{
 AZ_RG=
 AZ_K8S_CLUSTER=
 AZ_GRP_ADMIN_ID=
 az aks create -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} [--aad-tenant-id ]
 # or with local accounts disabled, so only AAD logins are possible
 az aks create -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --disable-local-accounts
 }}}
  * For an existing cluster, enable AAD integration with
  {{{
  az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} [--aad-tenant-id ]
  # or with local accounts disabled
  az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --disable-local-accounts
  }}}
  * Re-enable local accounts with
  {{{
  az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --enable-local-accounts
  }}}
 4. Once the cluster is created, retrieve the kubectl credentials
 {{{
 az aks get-credentials --resource-group ${AZ_RG} --name ${AZ_K8S_CLUSTER} --public-fqdn
 # for an AAD-enabled cluster: convert the kubeconfig to use exec (credential plugin) login
 kubelogin convert-kubeconfig
 }}}

== Emergency k8s access if AAD integration is broken ==

 * Reset the cluster admin group to a known Azure AD group object id:
 {{{
 az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} [--aad-tenant-id ]
 }}}

== k8s login ==

 * kubelogin: Go tool, a kubectl credential plugin that performs Azure AD authentication
 * brew install Azure/kubelogin/kubelogin

----
CategoryK8sKubernetes
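Added example for step 4 of the setup above (not code from this wiki page): a POSIX shell check that audits a kubeconfig, in the layout written by `az aks get-credentials` and rewritten by `kubelogin convert-kubeconfig`, and reports which users log in through the kubelogin exec plugin and which still carry static client certificates or tokens that bypass Azure AD. The sample kubeconfig, the names `myRG`/`myAKS` and the `<server-app-id>` value are constructed placeholders; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page: audit a kubeconfig (as written by
# `az aks get-credentials` and rewritten by `kubelogin convert-kubeconfig`) for
# users that still hold static credentials instead of the kubelogin exec plugin.
# Static client certs / tokens bypass Azure AD, its conditional access and its sign-in logs.

# Write a constructed sample kubeconfig to $1. With "$2" = with-admin, append a
# second user that holds static admin credentials (the local-account style entry).
# <server-app-id> is a placeholder, not a real application id.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://example.invalid:443
  name: myAKS
contexts:
- context:
    cluster: myAKS
    user: clusterUser_myRG_myAKS
  name: myAKS
current-context: myAKS
users:
- name: clusterUser_myRG_myAKS
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --login
      - azurecli
      - --server-id
      - <server-app-id>
      command: kubelogin
EOF
  if [ "${2:-}" = "with-admin" ]; then
    cat >> "$1" <<'EOF'
- name: clusterAdmin_myRG_myAKS
  user:
    client-certificate-data: LS0tQ09OU1RSVUNURUQtLS0=
    client-key-data: LS0tQ09OU1RSVUNURUQtLS0=
    token: constructed-sample-token
EOF
  fi
}

# Print "<user name> <method>" per user: "exec:<command>" when the entry uses a
# credential plugin, otherwise "static". Relies on the two-space indentation
# that kubectl/az emit; it is not a general YAML parser.
kubeconfig_auth_methods() {
  awk '
    /^users:/              { inusers = 1; next }
    inusers && /^[^ -]/    { inusers = 0 }               # next top-level key ends the section
    inusers && /^- name: / {
      if (name != "") print name, method
      name = $3; method = "static"
    }
    inusers && /^ +command: / { method = "exec:" $2 }
    END { if (name != "") print name, method }
  ' "$1"
}

# Succeed (exit 0) only when the file has users and every one of them
# authenticates through kubelogin.
kubeconfig_uses_kubelogin() {
  kubeconfig_auth_methods "$1" |
    awk '$2 != "exec:kubelogin" { bad = 1 } END { if (NR == 0) bad = 1; exit bad }'
}

# Demo on the constructed sample that mixes an AAD user with a static admin entry.
demo=$(mktemp)
write_sample_kubeconfig "$demo" with-admin
kubeconfig_auth_methods "$demo"
if kubeconfig_uses_kubelogin "$demo"; then
  echo "OK: all users log in via kubelogin"
else
  echo "WARNING: static credentials present; prefer --disable-local-accounts and kubelogin"
fi
rm -f "$demo"
```

Run it against a real file with `kubeconfig_auth_methods ~/.kube/config`; a `static` entry after you have run `kubelogin convert-kubeconfig` usually means a `clusterAdmin_*` credential fetched with `--admin`, which is exactly the local account that `--disable-local-accounts` removes.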