Last week Microsoft announced the GA of Azure Kubernetes Service. Since then we can integrate Azure Active Directory with Azure Kubernetes Service. When enabling Azure Active Directory integration, AKS requires that RBAC is also enabled.
A detailed configuration guide can be found in the Azure documentation.
Before you can make use of the AAD integration you need to create an RBAC binding for a specific AAD user or AAD group. An AKS cluster with AAD integration and RBAC enabled is locked down by default, so this step must be completed before you can access the AKS cluster with an AAD user. First, you need to get admin access via the following Azure CLI command.
az aks get-credentials --name azst-aks1 --resource-group aks --admin
Then you need to create the appropriate RBAC binding. Have a look at the following one, granting the AAD group AKS cluster-admin permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: azst-aks-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: AKS   # the AAD group; AKS resolves group subjects by the group's object ID
Afterwards the AAD users of the AKS group need to get the kubeconfig file via the following Azure CLI command.
az aks get-credentials --name azst-aks1 --resource-group aks
The login can be initiated with every kubectl command you are running against the AKS cluster, e.g. kubectl get nodes.
Now enter your username and password. Additionally, you can protect your AAD users with multi-factor authentication for extra security here.
If the login is successfully verified, you should see the output of the kubectl command.
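The whole flow above, scripted as an added example (not code from the original post): it renders the group binding from an AAD group object ID, refuses a bare display name so a wrong subject is not bound by accident, and defaults to the built-in view ClusterRole rather than cluster-admin. The cluster and resource group names come from the post; the group object ID is a placeholder you must replace.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes cluster "azst-aks1" in
# resource group "aks" (as in the post) and an AAD group object ID (placeholder).
set -eu

# Render a ClusterRoleBinding that grants an AAD group the given ClusterRole.
# AKS maps AAD group subjects by object ID, so the GUID goes into subjects[].name.
render_group_binding() {
  name="$1"; role="$2"; group_id="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: ${group_id}
EOF
}

# Accept only a GUID (8-4-4-4-12 hex), so a display name such as "AKS" is rejected.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# 1) admin kubeconfig, 2) apply the binding, 3) fetch the user kubeconfig,
# 4) run a kubectl call that triggers the AAD login and reports the result.
# The role defaults to "view"; pass "cluster-admin" only when that is really needed.
bootstrap_aad_access() {
  group_id="$1"; role="${2:-view}"
  is_guid "$group_id" || { echo "expected AAD group object ID, got '$group_id'" >&2; return 1; }
  az aks get-credentials --name azst-aks1 --resource-group aks --admin
  render_group_binding "azst-aks-${role}-group" "$role" "$group_id" | kubectl apply -f -
  az aks get-credentials --name azst-aks1 --resource-group aks --overwrite-existing
  kubectl auth can-i list nodes   # prints "yes" or "no" for the signed-in AAD user
}

# Usage (replace the placeholder GUID with your AAD group's object ID):
#   bootstrap_aad_access 00000000-0000-0000-0000-000000000000 view
```

Members of the group can then check their own effective permissions with kubectl auth can-i before anyone hands out cluster-admin.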
I highly recommend using the AAD integration with AKS even though it is currently in preview.