Account Management on Azure AKS with AAD and AKS RBAC

Account Management on Azure AKS with AAD and AKS RBAC

Image: https://docs.microsoft.com/en-us/azure/aks/concepts-identity#azure-role-based-access-control-azure-rbac

There are different ways to authenticate, control access/authorize and secure Kubernetes clusters. Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups, and service accounts access to only the resources they need. With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure by using Azure Active Directory and Azure RBAC. These approaches help you secure your cluster access and provide only the minimum required permissions to developers and operators.

Kubernetes doesn’t provide an identity management solution to control which users can interact with what resources. Instead, you typically integrate your cluster with an existing identity solution. Therefore, in AKS, we use

  • Azure Active Directory(AAD) for authentication and
  • AKS RBAC for authorization
  1. Azure AKS with AAD enabled.
  2. Create AAD user and configure AKS RBAC for AAD user.
  3. Assign privilege to AAD user, so user is allowed to download AKS access credential.
  4. Login the AAD user and verify if the privileges are working.

You need an AKS integrated(enabled) with AAD. You can enable it during AKS creation,

Account Management on Azure AKS with AAD and AKS RBAC

or later using GUI,

Account Management on Azure AKS with AAD and AKS RBAC

or later using Azure CLI.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad

Please note that once AKS AAD is enabled, it CANNOT be disabled.

Create AAD user. In K8S we use role-based access control (RBAC) to grant users, groups, and service accounts access to only the resources they need. We do it by using

  • role and rolebinding, which is limited to particular namespace
  • clusterrole and clusterrolebinding which has access to whole cluster

In this demo, I will perform clusterrole and clustrrolebinding on a particular AAD user. First you need to get the AAD user id or email.

# Get User ID, email works too
USER_ID=$(az ad user show --id \
UR_USER_NAME@xxxx.onmicrosoft.com \
--query objectId --out tsv)

Next you prepare clusterrole.yaml file with allowed actions to particular resources in it.

Account Management on Azure AKS with AAD and AKS RBAC

Next you prepare clusterrolebinding.yaml to bundle the privilege to, in my case, an user.

Account Management on Azure AKS with AAD and AKS RBAC

Apply both yaml files to AKS.

#Login your Azure account first
kubectl apply -f clusterrole.yaml
kubectl apply -f clusterrolebinding.yaml
Account Management on Azure AKS with AAD and AKS RBAC

Assign the user with “Azure Kubernetes Service Cluster User Role” so the user can download AKS access credential. You can assign it by using GUI or CLI.

#Login your Azure account first
az login
# Get AKS ID
AKS_ID=$(az aks show \
--resource-group myResourceGroup \
--name myAKSCluster \
--query id -o tsv)
# Get User ID
USER_ID=$(az ad user show --id \
UR_USER_NAME@xxxx.onmicrosoft.com \
--query objectId --out tsv)
# Assign role to user
az role assignment create \
--assignee $USER_ID \
--role "Azure Kubernetes Service Cluster User Role" \
--scope $AKS_ID
Account Management on Azure AKS with AAD and AKS RBAC

Click into your AAD user and verify the role is properly assigned.

Account Management on Azure AKS with AAD and AKS RBAC

First, use az login to sign in with the AAD user identity,

Account Management on Azure AKS with AAD and AKS RBAC

Check your login information.

az ad signed-in-user show | grep userPrincipalName

Account Management on Azure AKS with AAD and AKS RBAC

follow by obtaining AKS access credential.

az aks get-credentials --resource-group ystakstestCU \
--name ystakstestCU
Account Management on Azure AKS with AAD and AKS RBAC

Now let’s try if we can perform actions to AKS. You will be asked to login again which your login credential will be compared against AKS RBAC, which are the two yaml files we configured in STEP 2.

Account Management on Azure AKS with AAD and AKS RBAC

Right after we sign in, we can then perform actions allowed in clusterrole.yaml. Since create and delete privileges are not granted to this particular user, let’s try if it is working as expected.

Account Management on Azure AKS with AAD and AKS RBAC

And if you would check the ./kube/config file, before the second login, users section look as below.

Account Management on Azure AKS with AAD and AKS RBAC

After second login, more data will be added into the file, don’t forget to check it out!

Use Azure Active Directory

Best practices for authentication and authorization in Azure Kubernetes Service (AKS)

Kubernetes role-based access control (Kubernetes RBAC)

Control access to cluster resources using Kubernetes role-based access control and Azure Active Directory identities in Azure Kubernetes Service

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.