Account Management on Azure AKS with AAD and AKS RBAC

4 min readJan 9, 2021

Account Management on Azure AKS with AAD and AKS RBAC

Image: https://docs.microsoft.com/en-us/azure/aks/concepts-identity#azure-role-based-access-control-azure-rbac

From official:

There are different ways to authenticate, control access/authorize and secure Kubernetes clusters. Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups, and service accounts access to only the resources they need. With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure by using Azure Active Directory and Azure RBAC. These approaches help you secure your cluster access and provide only the minimum required permissions to developers and operators.

Kubernetes doesn’t provide an identity management solution to control which users can interact with what resources. Instead, you typically integrate your cluster with an existing identity solution. Therefore, in AKS, we use

Azure Active Directory(AAD) for authentication and
AKS RBAC for authorization

Steps:

Azure AKS with AAD enabled.
Create AAD user and configure AKS RBAC for AAD user.
Assign privilege to AAD user, so user is allowed to download AKS access credential.
Login the AAD user and verify if the privileges are working.

STEP 1

You need an AKS integrated(enabled) with AAD. You can enable it during AKS creation,

or later using GUI,

or later using Azure CLI.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad

Please note that once AKS AAD is enabled, it CANNOT be disabled.

STEP 2

Create AAD user. In K8S we use role-based access control (RBAC) to grant users, groups, and service accounts access to only the resources they need. We do it by using

role and rolebinding, which is limited to particular namespace
clusterrole and clusterrolebinding which has access to whole cluster

In this demo, I will perform clusterrole and clustrrolebinding on a particular AAD user. First you need to get the AAD user id or email.

# Get User ID, email works too
USER_ID=$(az ad user show --id \
  UR_USER_NAME@xxxx.onmicrosoft.com \
  --query objectId --out tsv)

Next you prepare clusterrole.yaml file with allowed actions to particular resources in it.

Next you prepare clusterrolebinding.yaml to bundle the privilege to, in my case, an user.

Apply both yaml files to AKS.

#Login your Azure account first
kubectl apply -f clusterrole.yaml
kubectl apply -f clusterrolebinding.yaml

STEP 3

Assign the user with “Azure Kubernetes Service Cluster User Role” so the user can download AKS access credential. You can assign it by using GUI or CLI.

#Login your Azure account first
az login# Get AKS ID
AKS_ID=$(az aks show \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --query id -o tsv)# Get User ID
USER_ID=$(az ad user show --id \
  UR_USER_NAME@xxxx.onmicrosoft.com \
  --query objectId --out tsv)# Assign role to user
az role assignment create \
  --assignee $USER_ID \
  --role "Azure Kubernetes Service Cluster User Role" \
  --scope $AKS_ID

Click into your AAD user and verify the role is properly assigned.

Step 4

First, use az login to sign in with the AAD user identity,

Check your login information.

az ad signed-in-user show | grep userPrincipalName

follow by obtaining AKS access credential.

az aks get-credentials --resource-group ystakstestCU \
  --name ystakstestCU

Now let’s try if we can perform actions to AKS. You will be asked to login again which your login credential will be compared against AKS RBAC, which are the two yaml files we configured in STEP 2.

Right after we sign in, we can then perform actions allowed in clusterrole.yaml. Since create and delete privileges are not granted to this particular user, let’s try if it is working as expected.