Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Using an AKS Engine cluster with Azure Active Directory integration

As you might already know, you can run an Azure Kubernetes Service (AKS) cluster with Azure Active Directory (AAD) integration for fine-grained RBAC role definitions.

I have written a blog post about that a while ago, if you need further information.

-> https://www.danielstechblog.io/azure-kubernetes-service-and-azure-active-directory-integration/

Same as with AKS, you can have AKS Engine clusters with AAD integration as well.

-> https://github.com/azure/aks-engine

The prerequisites are the same, and you must follow the steps in the following documentation to prepare the AAD applications for it.

-> https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
-> https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration

Then add the following section to your AKS Engine template.

...
    "aadProfile": {
      "clientAppID": "REDACTED",
      "serverAppID": "REDACTED",
      "adminGroupID": "REDACTED",
      "tenantID": "REDACTED"
    },
...

-> https://github.com/neumanndaniel/kubernetes/blob/master/aks-engine/aksEngineAad.json

clientAppID and serverAppID are the application IDs of the AAD applications created earlier, which establish the authentication connection between AAD and the AKS Engine cluster. The tenant ID is the ID of your AAD tenant and can be queried with the following command.

az account show | jq -r .tenantId

If you would like to pre-provision a ClusterRoleBinding with cluster-admin rights, provide the object ID of the respective AAD group in the field adminGroupID. Otherwise, you must create the ClusterRoleBinding manually after the AKS Engine cluster is up and running.

Generate the ARM templates for the AKS Engine deployment with aks-engine generate and deploy the cluster with either aks-engine deploy or az group deployment create.
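Before running aks-engine generate it is worth checking that none of the four aadProfile fields is still a placeholder, and if you leave adminGroupID out, you need the equivalent ClusterRoleBinding manifest for applying by hand. The script below is an added example and not part of the blog post or the aks-engine project; the function names, the GUID check and the sample profile (with made-up GUIDs) are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the blog post or aks-engine: validates an aadProfile
# fragment before template generation and renders the cluster-admin
# ClusterRoleBinding for manual creation when adminGroupID was not set.
set -eu

# AAD application, group and tenant IDs are all GUIDs; anything else (e.g. a
# leftover "REDACTED" placeholder) means the template is not ready to deploy.
GUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# Extract the string value of a key from a flat JSON fragment (no jq required).
aad_field() {
  local json="$1" key="$2"
  printf '%s\n' "$json" | sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Returns 0 when clientAppID, serverAppID and tenantID are GUIDs. adminGroupID
# is optional, but must be a GUID when present. Prints the first problem found.
check_aad_profile() {
  local json="$1" key val
  for key in clientAppID serverAppID tenantID; do
    val="$(aad_field "$json" "$key")"
    if ! printf '%s' "$val" | grep -Eq "$GUID_RE"; then
      echo "aadProfile.$key is missing or not a GUID: '$val'"
      return 1
    fi
  done
  val="$(aad_field "$json" adminGroupID)"
  if [ -n "$val" ] && ! printf '%s' "$val" | grep -Eq "$GUID_RE"; then
    echo "aadProfile.adminGroupID is not a GUID: '$val'"
    return 1
  fi
  return 0
}

# Render the binding that aks-engine would pre-provision for adminGroupID, so it
# can be applied manually with: render_admin_binding <group-object-id> | kubectl apply -f -
render_admin_binding() {
  local group_id="$1" name="${2:-aad-default-admin-group}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: $group_id
EOF
}

# Constructed sample profile; the GUIDs are made up for the example.
SAMPLE_PROFILE='{
  "aadProfile": {
    "clientAppID": "11111111-1111-1111-1111-111111111111",
    "serverAppID": "22222222-2222-2222-2222-222222222222",
    "adminGroupID": "33333333-3333-3333-3333-333333333333",
    "tenantID": "44444444-4444-4444-4444-444444444444"
  }
}'

# Run directly: validate the sample and print the binding for its admin group.
check_aad_profile "$SAMPLE_PROFILE"
render_admin_binding "$(aad_field "$SAMPLE_PROFILE" adminGroupID)"
```

The subject name in the binding is the group's object ID (what az ad group show returns), not its display name; a binding with a display name as subject silently grants nothing.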

After the deployment has completed successfully, we log in via SSH to the AKS Engine master to check the pre-provisioned ClusterRoleBinding, called aad-default-admin-group, for our AAD group.

azureuser@k8s-master-23109953-0:~$ kubectl get clusterrolebinding aad-default-admin-group -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-07-11T09:41:11Z"
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    kubernetes.io/cluster-service: "true"
  name: aad-default-admin-group
  resourceVersion: "365"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/aad-default-admin-group
  uid: 01f3a648-1a14-4a7b-9ee8-fd8e2866e357
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: REDACTED
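Looking at the output by eye is fine once, but the thing that matters in that binding is that roleRef is cluster-admin and the only subject is the group object ID you put into adminGroupID. The following script is an added example, not from the blog post, that checks a binding dumped with kubectl get clusterrolebinding -o yaml against the expected group and fails on a different group or any extra subject. The sample YAML is constructed from the output above, with the group ID replaced by a made-up GUID; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the blog post: verifies that the AAD admin
# ClusterRoleBinding grants cluster-admin to exactly one expected AAD group.
set -eu

# Constructed from the post's kubectl output; the group GUID is made up.
EXPECTED_GROUP='33333333-3333-3333-3333-333333333333'
SAMPLE_BINDING='apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-default-admin-group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: 33333333-3333-3333-3333-333333333333'

# Print the ClusterRole name referenced by the binding.
binding_role() {
  printf '%s\n' "$1" | awk '
    /^roleRef:/ { in_ref = 1; next }
    /^[^ ]/     { in_ref = 0 }
    in_ref && $1 == "name:" { print $2 }'
}

# Print one "<kind> <name>" line per subject of the binding.
binding_subjects() {
  printf '%s\n' "$1" | awk '
    /^subjects:/ { in_subj = 1; next }
    /^[^ -]/     { in_subj = 0 }
    in_subj && $1 == "kind:" { kind = $2 }
    in_subj && $1 == "name:" { print kind, $2 }'
}

# Returns 0 only when roleRef is cluster-admin and the sole subject is the
# expected AAD group; prints what was found otherwise.
verify_admin_binding() {
  local yaml="$1" expected="$2" role subjects
  role="$(binding_role "$yaml")"
  if [ "$role" != "cluster-admin" ]; then
    echo "unexpected roleRef: '$role'"
    return 1
  fi
  subjects="$(binding_subjects "$yaml")"
  if [ "$subjects" != "Group $expected" ]; then
    echo "unexpected subjects:"
    echo "$subjects"
    return 1
  fi
  return 0
}

# Run directly: check the constructed sample. On a real cluster, feed in
# "$(kubectl get clusterrolebinding aad-default-admin-group -o yaml)" instead.
verify_admin_binding "$SAMPLE_BINDING" "$EXPECTED_GROUP" && echo "binding OK"
```

Running this from a pipeline or cron job against the live cluster turns the one-off SSH check from the post into a repeatable drift check on who holds cluster-admin.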

That is all for now. In the next blog post I talk about how to distribute the kubeconfig credentials file to the engineers and developers who require access to the AKS Engine cluster.
