Lab: Create AKS Cluster integrated with Azure AD for RBAC

This lab creates an AKS Cluster with Azure AD Integration for RBAC.

Instructions

1. Need Global Admin Permissions to an Existing Azure AD

   There are two options here. If you have global admin privileges to an existing Azure AD and you are ok with creating new Application Registrations then you can proceed to step 3. If you do not have access to an existing Azure AD, or you want to segregate the users for testing purposes, you need to create a new Azure AD via the Azure Portal.

2. Create new Azure AD Tenant

   • Sign-in to the Azure Portal and click on the + sign to create a new resource
   • Search for Azure Active Directory

   

   • Select Azure AD in the Search Result

   

   • Select Create
   • Provide Organization Name & Domain Name and then select Create

   

3. Create Application Registrations for Server and Client

   • Create Server Application

      # Set Azure AD Server Application ID and Secret
      SERVER_APP_ID=""
      SERVER_APP_SECRET=""
     

   • Create Client Application

      # Set Azure AD Client Application ID
      CLIENT_APP_ID=""
      AZUREAD_TENANT_ID=""
     

   • Get Azure AD Tenant ID (tenantId)

    az account list
    # Set Azure AD Tenant ID
    AZUREAD_TENANT_ID=""
   

4. Create AKS Cluster with Azure AD RBAC

    # Create Resource Group
    USERINITIALS="<REPLACE-WITH-USER-INITIALS-LOWERCASE>"
    RG="${USERINITIALS}aksrbac-rg"
    LOC="eastus"
    NAME="${USERINITIALS}aksrbac"
    az group create --name $RG --location $LOC
   
    PATH_TO_SSH_PUBLICKEY="~/.ssh/id_rsa.pub"
    # Create AKS with RBAC Cluster
    az aks create -g $RG -n $NAME --enable-rbac \
        -k 1.12.8 --node-count 1 --ssh-key-value $PATH_TO_SSH_PUBLICKEY \
        --aad-server-app-id $SERVER_APP_ID \
        --aad-server-app-secret $SERVER_APP_SECRET \
        --aad-client-app-id $CLIENT_APP_ID \
        --aad-tenant-id $AZUREAD_TENANT_ID --no-wait
   

5. Create Two User Accounts in Azure AD

   • Name the first account aksadmin
   • Name the second account aksuser
   • Click here for an example of how to create users in Azure AD.

6. Create RBAC Binding to the two users created

   • Update the user name in the aksrbac-clusteradmin.yaml with the aksadmin user.
   • Update the user name in the aksrbac-viewdefault.yaml with the aksuser user.

      az aks get-credentials -g $RG -n $NAME --admin
      kubectl apply -f aksrbac-clusteradmin.yaml
      kubectl apply -f aksrbac-viewdefault.yaml
     

7. Get New AKS Cluster Credentials for use with Azure AD

   • Pull down the Azure AD Cluster Credentials

      az aks get-credentials -g $RG -n $NAME
     

   • Try to get the list of AKS Nodes, this should prompt for Credentials

    # If you login with the aksadmin account you will be able to see the nodes.
    # If you login with the aksuser account the request will be denied.
    kubectl get nodes
   

Troubleshooting / Debugging

• Check to make sure that the correct Azure AD Permissions were selected and the Grant Permissions step was executed when creating the Server and Client Azure AD Application Registrations.
• Check to make sure the correct Application IDs, Secrets and Tenant ID were used when creating the cluster.
• Check to make sure the correct UPNs were used when creating the ClusterRoleBinding and RoleBinding.

Docs / References

• What is an Azure AD Tenant?
• Creating Azure AD Users
• Kubernetes RBAC Authorization