Azure Kubernetes Service and Azure Active Directory integration

Last week Microsoft announced the GA of Azure Kubernetes Service. Since then we can integrate Azure Active Directory with Azure Kubernetes Service. When enabling Azure Active Directory integration, AKS requires that RBAC is also enabled.

A detailed configuration guide can be found in the Azure documentation.

-> https://docs.microsoft.com/en-us/azure/aks/aad-integration

Before you can make use of the AAD integration you need to create an RBAC binding for a specific AAD user or AAD group. An AKS cluster with AAD integration and RBAC enabled is locked down by default, so this step has to be taken before you can access the AKS cluster with an AAD user. First, you need to get admin access via the following Azure CLI command.

az aks get-credentials --name azst-aks1 --resource-group aks --admin

Then you need to create the appropriate RBAC binding. Have a look at the following one, granting the AAD group AKS cluster-admin permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: azst-aks-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  # the groups claim in an AAD token carries object IDs, so the group is matched by its object ID, not its display name
  name: AKS

Afterwards, the AAD users in the AKS group need to get their kubeconfig file via the following Azure CLI command.

az aks get-credentials --name azst-aks1 --resource-group aks

The login can be initiated with every kubectl command you are running against the AKS cluster, e.g. kubectl get nodes.
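The whole bootstrap sequence above (admin credentials, binding for the AAD group, user credentials, first kubectl call) as a small shell script. This is an added example, not part of the original post or of Microsoft's tooling. It assumes the az and kubectl CLIs are installed and that you are already logged in with az; the cluster name and resource group default to the values used in this post, and the group object ID is a placeholder you pass in. The review helper at the end lists every ClusterRoleBinding that hands out cluster-admin, which is the set of subjects worth checking after such a bootstrap.

```shell
#!/usr/bin/env sh
# Added example: bootstrap AAD-based RBAC access on an AKS cluster.
# Assumes az and kubectl are installed and az is already logged in.
set -e

CLUSTER="${CLUSTER:-azst-aks1}"          # values from the post; override via env
RESOURCE_GROUP="${RESOURCE_GROUP:-aks}"

# Render a ClusterRoleBinding for an AAD group. The AAD token's groups claim
# contains object IDs, so the subject name must be the group's object ID.
# Third argument lets you bind a less powerful ClusterRole than cluster-admin.
render_group_binding() {
  binding_name="$1"
  group_object_id="$2"
  cluster_role="${3:-cluster-admin}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${binding_name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${cluster_role}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "${group_object_id}"
EOF
}

# Full sequence: admin kubeconfig, apply the binding, fetch the AAD-backed
# kubeconfig, then trigger the AAD login with a harmless permission check.
bootstrap() {
  group_object_id="${1:?usage: bootstrap <aad-group-object-id>}"
  az aks get-credentials --name "$CLUSTER" --resource-group "$RESOURCE_GROUP" --admin
  render_group_binding azst-aks-cluster-admins "$group_object_id" | kubectl apply -f -
  az aks get-credentials --name "$CLUSTER" --resource-group "$RESOURCE_GROUP"
  # First call with the AAD context starts the device-code login, then answers yes/no.
  kubectl auth can-i list nodes
}

# Review helper: every binding that grants cluster-admin, with its subjects,
# so the privileged AAD groups/users can be audited after bootstrap.
list_cluster_admin_bindings() {
  kubectl get clusterrolebindings \
    -o jsonpath='{range .items[?(@.roleRef.name=="cluster-admin")]}{.metadata.name}{"\t"}{.subjects[*].name}{"\n"}{end}'
}
```

Source the file and run `bootstrap <aad-group-object-id>`; afterwards `list_cluster_admin_bindings` shows who holds cluster-admin, which should be the small set of groups you intended and nothing else.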


Now enter your username and password. Additionally, you can secure your AAD users with multi-factor authentication to provide extra security here.


If the login is verified successfully, you should see the output of the kubectl command.


I highly recommend using the AAD integration with AKS even though it is currently in preview.
