AKS can be configured to use Azure AD for authentication, which we have seen in our previous section.
In addition, we can also configure Kubernetes role-based access control (RBAC) to limit access to cluster resources based on a user's identity or group membership.
Understand about Kubernetes RBAC Cluster Role & Cluster Role Binding
# Azure Kubernetes Service with Azure DevOps and Terraform
## Step-02: Create AD Group, Role Assignment and User
```bash
# Get Azure AKS Cluster Id
AKS_CLUSTER_ID=$(az aks show --resource-group aks-rg3 --name aksdemo3 --query id -o tsv)
echo $AKS_CLUSTER_ID

# Create Azure AD Group
# Note: Azure CLI 2.37 and later return the object ID as "id" rather than "objectId";
# on those versions use --query id.
AKS_READONLY_GROUP_ID=$(az ad group create --display-name aksreadonly --mail-nickname aksreadonly --query objectId -o tsv)
echo $AKS_READONLY_GROUP_ID

# Create Role Assignment
# This Azure role only lets group members fetch a kubeconfig (az aks get-credentials);
# what they may do inside the cluster is decided by Kubernetes RBAC.
az role assignment create \
  --assignee $AKS_READONLY_GROUP_ID \
  --role "Azure Kubernetes Service Cluster User Role" \
  --scope $AKS_CLUSTER_ID

# Create AKS ReadOnly User in Azure AD
AKS_READONLY_USER_OBJECT_ID=$(az ad user create \
  --display-name "AKS READ1" \
  --user-principal-name aksread1@stacksimplifygmail.onmicrosoft.com \
  --password @AKSDemo123 \
  --query objectId -o tsv)
echo $AKS_READONLY_USER_OBJECT_ID

# Associate aksread1 User to aksreadonly Group in Azure AD
az ad group member add --group aksreadonly --member-id $AKS_READONLY_USER_OBJECT_ID
```
## Step-03: Test aksreadonly User Authentication to Portal
```bash
# As AKS Cluster Admin (--admin)
az aks get-credentials --resource-group aks-rg3 --name aksdemo3 --admin

# Create Kubernetes Role and Role Binding
kubectl apply -f kube-manifests/

# Verify ClusterRole & ClusterRoleBinding
kubectl get clusterrole
kubectl get clusterrolebinding

# Overwrite kubectl credentials
az aks get-credentials --resource-group aks-rg3 --name aksdemo3 --overwrite-existing

# List Pods
kubectl get pods --all-namespaces
```
Complete the device login with the read-only user:
- URL: https://microsoft.com/devicelogin
- Code: GCHL8J45R (sample; use the code shown in your terminal)
- Username: aksread1@stacksimplifygmail.onmicrosoft.com
- Password: @AKSDemo123
```bash
# List Nodes
kubectl get nodes
```
## Step-07: Create any resource on k8s and observe message
Create a namespace and see what happens.
We should see a Forbidden error, as this user (aksread1) has only read access to the cluster. This user cannot create k8s resources.
```bash
# Create Namespaces dev and qa
kubectl create namespace dev
kubectl create namespace qa

# Error Message
Kalyans-Mac-mini:21-04-Kubernetes-RBAC-ClusterRole-ClusterRoleBinding kalyanreddy$ kubectl create namespace dev
Error from server (Forbidden): namespaces is forbidden: User "aksread1@stacksimplifygmail.onmicrosoft.com" cannot create resource "namespaces" in API group "" at the cluster scope
Kalyans-Mac-mini:21-04-Kubernetes-RBAC-ClusterRole-ClusterRoleBinding kalyanreddy$
```
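The page applies the ClusterRole and ClusterRoleBinding from `kube-manifests/` in Step-03 but does not show their contents, and Step-07 shows the resulting Forbidden error. The following is an added example (not the course's manifests or any Kubernetes code) that models both: it mirrors a read-only ClusterRole and a ClusterRoleBinding for the `aksreadonly` group as Python dicts with the same fields a manifest would have, then evaluates requests the way RBAC does (deny by default; allow when an applicable binding's role has a matching rule). The group object ID, the role and binding names, and the exact manifest content are assumptions; AKS puts Azure AD group object IDs, not display names, in the token, which is why the binding subject names the ID.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed placeholder for the aksreadonly group's object ID (assumption: the real
# value is what `az ad group create ... --query objectId` printed in Step-02).
AKS_READONLY_GROUP_ID = "11111111-2222-3333-4444-555555555555"

# Assumed content of kube-manifests/: a ClusterRole allowing only read verbs on every
# resource, and a ClusterRoleBinding granting it to the Azure AD group (by object ID).
CLUSTER_ROLE: Dict = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "aks-cluster-readonly-role"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
}

CLUSTER_ROLE_BINDING: Dict = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "aks-cluster-readonly-rolebinding"},
    "subjects": [
        {"kind": "Group", "name": AKS_READONLY_GROUP_ID,
         "apiGroup": "rbac.authorization.k8s.io"},
    ],
    "roleRef": {"kind": "ClusterRole", "name": "aks-cluster-readonly-role",
                "apiGroup": "rbac.authorization.k8s.io"},
}


@dataclass
class User:
    """Identity as the API server sees it after Azure AD authentication."""
    name: str           # UPN, e.g. aksread1@stacksimplifygmail.onmicrosoft.com
    groups: List[str]   # Azure AD group object IDs carried in the token


def _rule_allows(rule: Dict, api_group: str, resource: str, verb: str) -> bool:
    """A rule matches when each of apiGroups/resources/verbs lists the value or '*'."""
    def hit(allowed: Iterable[str], value: str) -> bool:
        allowed = list(allowed)
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def _binding_covers(binding: Dict, user: User) -> bool:
    """A binding applies when any subject is the user or one of the user's groups."""
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == user.name:
            return True
        if subject["kind"] == "Group" and subject["name"] in user.groups:
            return True
    return False


def authorize(user: User, verb: str, resource: str, api_group: str = "",
              roles: Iterable[Dict] = (CLUSTER_ROLE,),
              bindings: Iterable[Dict] = (CLUSTER_ROLE_BINDING,)) -> bool:
    """Deny by default: allow only if some applicable binding's role has a matching rule."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for binding in bindings:
        if not _binding_covers(binding, user):
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role and any(_rule_allows(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


def check(user: User, verb: str, resource: str, api_group: str = "") -> str:
    """Return 'yes' when allowed, otherwise a Forbidden text in the shape kubectl prints."""
    if authorize(user, verb, resource, api_group):
        return "yes"
    return (f'Error from server (Forbidden): {resource} is forbidden: User "{user.name}" '
            f'cannot {verb} resource "{resource}" in API group "{api_group}" at the cluster scope')


if __name__ == "__main__":
    aksread1 = User("aksread1@stacksimplifygmail.onmicrosoft.com", [AKS_READONLY_GROUP_ID])
    for verb, resource in [("list", "pods"), ("get", "nodes"), ("create", "namespaces")]:
        print(f"{verb} {resource}: {check(aksread1, verb, resource)}")
```

On the real cluster the equivalent check is `kubectl auth can-i create namespaces` (or `kubectl auth can-i --list`) run with the aksread1 credentials obtained in Step-03; the model above reproduces why `list pods` and `get nodes` succeed while `create namespaces` is refused.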
```bash
# Clean-Up Clusters: Delete Clusters aksdemo3, aksdemo4
Go to All Services -> Resource Groups -> Delete Resource group aks-rg3
Go to All Services -> Resource Groups -> Delete Resource group aks-rg4
```
```bash
# Delete Azure AD Users & Groups
# Users
- user1aksadmin@stacksimplifygmail.onmicrosoft.com
- aksdev1@stacksimplifygmail.onmicrosoft.com
- aksread1@stacksimplifygmail.onmicrosoft.com
# Groups
- k8sadmins
- devaksteam
- aksreadonly
```