Use Azure Active Directory For RBAC In AKS
Michael Levan
Posted on November 23, 2022
In any Kubernetes environment, whether it’s in the cloud or on-prem, there’s going to come a time when you’ll need to have users and other engineers authenticate to the cluster. Whether they need to deploy Kubernetes resources or just list/read them, they’ll need a user to authenticate.
Once authenticated, the user then needs authorization permissions to perform actions on the cluster.
How are authentication and authorization done in Azure? By using Azure Active Directory for RBAC.
In this blog post, you’ll learn how to set up IAM permissions in AKS to utilize Azure Active Directory for a Kubernetes cluster.
What Is Active Directory?
Many large organizations do a lot of things right, but they’re also “known” for a specific tool or technology that they’ve created. Microsoft, known for many things, is especially known for Active Directory.
Active Directory has been the de facto standard for authentication and authorization in Windows environments for years. Every Systems Administrator that has ever managed a Windows Server has used Active Directory in one way or another. If you’ve never used Active Directory, but have logged into a work computer with a domain account, guess what? You’ve used Active Directory as well.
Because Active Directory has been vetted for so many years, it’s no wonder that one of Azure’s most popular services is Azure Active Directory, which is the Active Directory that most Sysadmins know, but in the cloud.
So, what is Active Directory?
Essentially, it allows you to log in and perform certain actions on a computer/server. Depending on your permissions, you can do things like write to files, read files, create servers, and any other type of action that can be taken.
Active Directory goes far more in-depth, but this is the high level.
Create An AKS Cluster
Before you can start utilizing Azure Active Directory with AKS, you’ll need an AKS cluster. The code below will create a basic AKS cluster that you can use to test out Azure Active Directory.
If you don’t use Terraform, there are many other methods. Feel free to also use the UI, but as always, it’s recommended to define your infrastructure as code.
First, specify the Azure provider for Terraform:
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}
Next, specify the AKS resource, which will create an AKS cluster with one worker node using an A-Series VM to keep costs as low as possible for testing.
# Prefix used to build the cluster's DNS name
variable "name" {
  type    = string
  default = "akstest"
}

resource "azurerm_kubernetes_cluster" "k8squickstart" {
  name                = "akstest"
  location            = "eastus"
  resource_group_name = "resource_group_name" # replace with the name of your resource group
  dns_prefix          = "${var.name}-dns01"

  network_profile {
    network_plugin = "azure"
    network_policy = "azure"
  }

  # One worker node on an A-Series VM
  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_A2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Dev"
  }
}
Save the code to a main.tf file and run it with:
terraform init
terraform plan
terraform apply
Setting Up Azure Active Directory
As you learned about in the What Is Active Directory? section above, Active Directory is an authentication and authorization tool that you can use to authenticate to servers and perform actions. Because it’s an OIDC provider, Azure Active Directory can be used in Azure environments, like AKS, to manage authentication and authorization.
This is a big deal for Kubernetes because out of the box, Kubernetes doesn’t have an authentication method. It does have an authorization method (RBAC), but as every engineer who’s worked with it knows, it’s a major pain to maintain.
Luckily, there’s not much that you need to do to set up Azure Active Directory as it’s always a service in Azure, so it’s “on”.
First, log into the Azure portal.
Once you’re logged in, search for “active directory” and click on the Azure Active Directory service.
Under Manage, click on Users.
Click the + New user dropdown and click Create new user.
Fill in some information about the new user you’re creating and then click the blue Create button.
You should now see that the user has been created.
Now that the authentication piece is complete, you can work on the authorization piece, which is in the next section.
Configuring Azure AD For AKS
For this section, you’ll configure Azure Active Directory authorization for the user that you created in the previous section via AKS.
In Azure, go to your AKS cluster and click on Access control (IAM).
Click the + Add button and then choose the Add role assignment option.
You’ll see a full list of RBAC options. For the purposes of this blog post, choose the Reader option and then click the Members tab.
Click the + Select members button and then choose the new user that you created in the previous section.
Once complete, click the Review + assign button.
The new user has now been added to the AKS cluster as a Reader.
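The same Reader assignment can be kept in code next to the cluster definition. The configuration below is an added example, not code from the original post: it looks up the existing cluster and user and assigns the built-in Reader role at the scope of that one cluster. The variable names, the data source labels and the azuread provider version are assumptions, and it is meant to live in its own directory, separate from the cluster's main.tf.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0" # same pin as the cluster configuration in this post
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0" # assumption: any 2.x release
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Hypothetical input names; supply the values with -var or a .tfvars file.
variable "resource_group_name" { type = string } # resource group holding akstest
variable "reader_upn" { type = string }          # UPN of the user created in the portal

# Look up the existing cluster and user instead of hard-coding their IDs.
data "azurerm_kubernetes_cluster" "target" {
  name                = "akstest"
  resource_group_name = var.resource_group_name
}

data "azuread_user" "reader" {
  user_principal_name = var.reader_upn
}

# Reader, scoped to this one cluster resource rather than the resource group
# or subscription, so the grant does not extend to other resources.
resource "azurerm_role_assignment" "aks_reader" {
  scope                = data.azurerm_kubernetes_cluster.target.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_user.reader.object_id
}

# Surfaces the assignment ID so it can be audited or referenced later.
output "role_assignment_id" {
  value = azurerm_role_assignment.aks_reader.id
}
```

Keeping the assignment in Terraform means the grant shows up in plan output and code review, and removing the resource revokes the role on the next apply.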
That’s how you can get started using RBAC with Azure Active Directory on AKS. Thanks for reading!