As you might already know, you can run an Azure Kubernetes Service cluster with Azure Active Directory integration for fine-grained RBAC role definitions.
I wrote a blog post about that a while ago, if you need further information.
-> https://www.danielstechblog.io/azure-kubernetes-service-and-azure-active-directory-integration/
Same as with AKS you can have AKS Engine clusters with AAD integration as well.
-> https://github.com/azure/aks-engine
The prerequisites are the same and you must follow these steps to prepare the AAD for it.
-> https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli
-> https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration
Then add the following section to your AKS Engine template.
...
  "aadProfile": {
    "clientAppID": "REDACTED",
    "serverAppID": "REDACTED",
    "adminGroupID": "REDACTED",
    "tenantID": "REDACTED"
  },
...
-> https://github.com/neumanndaniel/kubernetes/blob/master/aks-engine/aksEngineAad.json
ClientAppID and ServerAppID are from the AAD applications created earlier to establish the authentication connection between AAD and the AKS Engine cluster. The tenant ID is from the AAD tenant and can be queried with the following command.
az account show | jq -r .tenantId
If you would like to pre-provision a ClusterRoleBinding with cluster-admin rights, provide the object ID of the respective AAD group in the adminGroupID field. Otherwise, you must create the binding manually after the AKS Engine cluster is up and running.
Generate the ARM templates for the AKS Engine deployment with aks-engine generate and deploy the cluster with either aks-engine deploy or az group deployment create.
After the deployment has completed successfully, we log in via SSH to the AKS Engine master to check the pre-provisioned ClusterRoleBinding for our AAD group called aad-default-admin-group.
azureuser@k8s-master-23109953-0:~$ kubectl get clusterrolebinding aad-default-admin-group -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-07-11T09:41:11Z"
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    kubernetes.io/cluster-service: "true"
  name: aad-default-admin-group
  resourceVersion: "365"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/aad-default-admin-group
  uid: 01f3a648-1a14-4a7b-9ee8-fd8e2866e357
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: REDACTED
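As an added example (not code from the original post or from the AKS Engine project), the following Python script checks the aadProfile section of an API model before you run aks-engine generate, and builds the same cluster-admin ClusterRoleBinding shown above for the case where adminGroupID was left out and the binding has to be created manually. The sample API model and its GUIDs are constructed placeholders.

```python
import json
import uuid

# Constructed sample aadProfile section of an AKS Engine API model.
# The GUIDs are placeholders, not real application, group or tenant IDs.
SAMPLE_API_MODEL = json.dumps({
    "apiVersion": "vlabs",
    "properties": {
        "aadProfile": {
            "clientAppID": "11111111-1111-1111-1111-111111111111",
            "serverAppID": "22222222-2222-2222-2222-222222222222",
            "adminGroupID": "33333333-3333-3333-3333-333333333333",
            "tenantID": "44444444-4444-4444-4444-444444444444",
        }
    },
})

REQUIRED_KEYS = ("clientAppID", "serverAppID", "tenantID")


def _is_guid(value):
    """True only for a canonical lowercase GUID such as the IDs AAD hands out."""
    try:
        return str(uuid.UUID(str(value))) == str(value).lower()
    except ValueError:
        return False


def validate_aad_profile(api_model_json):
    """Return a list of problems found in aadProfile; an empty list means it looks sane."""
    profile = json.loads(api_model_json)["properties"].get("aadProfile")
    if profile is None:
        return ["aadProfile is missing: the cluster would come up without AAD authentication"]
    problems = []
    for key in REQUIRED_KEYS:
        if key not in profile:
            problems.append(f"{key} is missing")
        elif not _is_guid(profile[key]):
            problems.append(f"{key} is not a GUID (still a placeholder?): {profile[key]!r}")
    # adminGroupID is optional, but if present it must be the group's object ID.
    if "adminGroupID" in profile and not _is_guid(profile["adminGroupID"]):
        problems.append(f"adminGroupID is not a GUID: {profile['adminGroupID']!r}")
    # The server app and the client app are two separate AAD app registrations.
    if profile.get("clientAppID") == profile.get("serverAppID"):
        problems.append("clientAppID and serverAppID must point to two different AAD applications")
    return problems


def admin_group_binding(group_object_id, name="aad-default-admin-group"):
    """Build the cluster-admin ClusterRoleBinding for an AAD group, ready for kubectl apply -f."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": group_object_id}],
    }
```

Pipe the JSON that admin_group_binding returns into kubectl apply -f - on the master when you did not set adminGroupID; kubectl accepts JSON manifests as well as YAML.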
That is all for now. In the next blog post I talk about how to distribute the kubeconfig credentials file to the engineers and developers who require access to the AKS Engine cluster.