k8s/AzureAKS/AdRbac

Setup

  1. List existing groups in the directory

    az ad group list --filter "displayname eq '<group-name>'" -o table
  2. If needed - Create an Azure AD group

    # Use Azure web portal console
    az ad group create --display-name myAKSAdminGroup --mail-nickname myAKSAdminGroup
  3. Create a k8s AKS-managed Azure AD cluster

    AZ_RG=<ResourceGroup>
    AZ_K8S_CLUSTER=<ClusterName>
    AZ_GRP_ADMIN_ID=<GrpObjID>
    az aks create -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} [--aad-tenant-id <id>]
    # or with local accounts disabled, only aad
    az aks create -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --disable-local-accounts
    • For existing cluster enable with

      az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} [--aad-tenant-id <id>]
      # or with local accounts disabled
      az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --disable-local-accounts
    • Re-enable local accounts with

      az aks update -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} --enable-aad --aad-admin-group-object-ids ${AZ_GRP_ADMIN_ID} --enable-local-accounts
  4. Once the cluster is created, retrieve kubectl credentials

    az aks get-credentials --resource-group ${AZ_RG} --name ${AZ_K8S_CLUSTER} --public-fqdn
    # for AAD-enabled clusters: convert the kubeconfig to use exec-based login via kubelogin
    kubelogin convert-kubeconfig
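The settings from the steps above (AAD integration on, an admin group set, local accounts off) are easy to drift from, for example when a cluster is re-created without --disable-local-accounts. The following script is an added example, not part of the original wiki page, that audits the JSON printed by `az aks show -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} -o json` and reports what is missing. It assumes the field names `aadProfile.managed`, `aadProfile.adminGroupObjectIDs` and `disableLocalAccounts` as exposed by the ManagedCluster resource; the embedded sample cluster is constructed for illustration.

```python
"""Audit the Azure AD / local-account posture of an AKS cluster.

Added example (not from the original wiki page). Reads the JSON that
`az aks show -g <rg> -n <cluster> -o json` prints and checks the three
settings the setup steps establish. Field names (aadProfile.managed,
aadProfile.adminGroupObjectIDs, disableLocalAccounts) are assumed to match
the ManagedCluster resource schema.
"""
import json
import sys

# Constructed sample in the shape of `az aks show -o json` (placeholder IDs).
SAMPLE_CLUSTER = {
    "name": "myAKSCluster",
    "aadProfile": {
        "managed": True,
        "adminGroupObjectIDs": ["00000000-0000-0000-0000-000000000000"],
        "tenantID": "11111111-1111-1111-1111-111111111111",
    },
    "disableLocalAccounts": False,
}


def audit_aad_posture(cluster):
    """Return a list of findings for one cluster description; empty means OK."""
    findings = []
    aad = cluster.get("aadProfile") or {}

    # Step 3: cluster must be AKS-managed Azure AD (--enable-aad).
    if not aad.get("managed"):
        findings.append("AAD integration not enabled (aadProfile.managed is not true)")

    # Step 3: at least one admin group (--aad-admin-group-object-ids) must be bound.
    if not aad.get("adminGroupObjectIDs"):
        findings.append("no admin group configured (aadProfile.adminGroupObjectIDs is empty)")

    # Local accounts let `az aks get-credentials --admin` bypass AAD entirely.
    if not cluster.get("disableLocalAccounts"):
        findings.append("local accounts enabled (disableLocalAccounts is not true)")

    return findings


def main(argv):
    """Usage: python3 audit_aks_aad.py [cluster.json | -]; no argument audits the sample."""
    if len(argv) > 1:
        source = sys.stdin if argv[1] == "-" else open(argv[1], encoding="utf-8")
        with source:
            cluster = json.load(source)
    else:
        cluster = SAMPLE_CLUSTER

    findings = audit_aad_posture(cluster)
    name = cluster.get("name", "<unnamed>")
    if findings:
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  - {f}")
        return 1
    print(f"{name}: AAD posture OK")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `az aks show -g ${AZ_RG} -n ${AZ_K8S_CLUSTER} -o json | python3 audit_aks_aad.py -`; a non-zero exit code makes it usable as a gate in a pipeline. The sample cluster above fails only the local-accounts check, which is exactly the state the first `az aks create` in step 3 (without --disable-local-accounts) leaves behind.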

Emergency k8s access if AAD integration is broken

k8s login


CategoryK8sKubernetes

k8s/AzureAKS/AdRbac (last edited 2022-10-05 19:37:22 by PieterSmit)