So hopefully you have seen my previous blog (Create Azure AD Server and Client apps using Azure CLI for an AKS deployment) where I created two Azure AD applications that are needed to create an AKS cluster with Azure AD integration.
Below I will go through the steps you will need to perform to create the AKS cluster.
Prerequisites
You will need to have:
- aad-server-app-id
- aad-server-app-secret
- aad-client-app-id
- aad-tenant-id
Hopefully, you will have this stored safely. If you do not have it follow the blog post mentioned above first.
You will need Azure CLI version 2.0.76 or later. You can check what version you have by running az --version. You can use the Azure Cloud Shell to perform the actions below; the Cloud Shell should always have the latest version of the Azure CLI.
The account you are using to set up the Azure AD components will also need to be an Azure Tenant administrator.
Enough talk, let's start!
Time to deploy the cluster
First, you will need to create a resource group. You can do that by using the az group create command.
az group create --name Pixel-AKS-UKS --location UKSouth
Now you will use the az aks create command to actually start the creation of the AKS cluster. This will create the AKS cluster with 2 nodes in a node pool, using VM Scale Sets (VMSS) and the default VM size of Standard_DS2_v2. You can read more about the available switches at https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-create
If you are following on from the blog post linked above then you will only have to change the resource group name to match the one you used above and the number of nodes you would like to have. If you are using the information you have stored previously then you will need to edit the below command to add your information in.
az aks create --resource-group Pixel-AKS-UKS --name $aksname \
  --node-count 2 --vm-set-type VirtualMachineScaleSets \
  --load-balancer-sku standard --generate-ssh-keys \
  --aad-server-app-id $serverApplicationId \
  --aad-server-app-secret $serverApplicationSecret \
  --aad-client-app-id $clientApplicationId \
  --aad-tenant-id $tenantId
This can take some time, but once finished you should have something like the image below.
Now it's time to get the cluster-admin credentials using the az aks get-credentials command. This will allow you to connect to the AKS cluster using the admin credentials. Do not do this every time you need to connect. Below I will show you how to create the RBAC bindings that allow you to use your Azure AD credentials to log into the AKS cluster.
az aks get-credentials --resource-group Pixel-AKS-UKS --name $aksname --admin
Create RBAC Bindings
So, before you can actually use your Azure AD credentials to log into your AKS cluster you need to create a cluster role binding. I recommend creating this for the user who is going to look after the whole cluster, which is probably you, since you are setting it up.
First, you will need to get your User Principal Name (UPN). To do that you can use the az ad command. The command below will get the UPN of the signed-in user.
az ad signed-in-user show --query userPrincipalName -o tsv
Now you need to create a YAML file which you will then apply to the AKS cluster. I recommend using Visual Studio Code for this. You will need to edit the YAML file to add your UPN on the last line.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aks-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: Richard.Hooper@pixelrobots.co.uk
Note: The UPN (email address) is case sensitive it seems.
It’s now time to apply the RBAC to your cluster. To do that you are going to use the kubectl apply -f command.
In your terminal window navigate to the location you have saved the YAML file. I have saved it in the root to make life easy. I have also called it RBAC.yaml.
kubectl apply -f RBAC.yaml
Time to connect to the cluster
Finally, it's time to test that you can log into the cluster using Azure AD. For this we are going to use the az aks get-credentials command again, but this time without the --admin switch at the end.
az aks get-credentials --resource-group Pixel-AKS-UKS --name $aksname
Now that you have the AKS context set as the current one, you can use the kubectl command to interact with the cluster. You should also be asked to log in to Azure. So, if you use the command below it will ask you to log in via the browser and then give you a list of the Kubernetes nodes.
kubectl get nodes
This will cache the authentication token for your AKS cluster. You will be re-prompted to sign in when the token has expired or when your Kubernetes config file is re-created.
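As an added example that is not part of the original post, the steps above gathered into one POSIX shell script. It assumes (my naming, not the post's) that the four Azure AD values are supplied as the environment variables AAD_SERVER_APP_ID, AAD_SERVER_APP_SECRET, AAD_CLIENT_APP_ID and AAD_TENANT_ID, and the function names are mine. The prerequisite check reports only the names of missing values, never the secret itself, and the binding is generated from the signed-in UPN without changing its case, so the case-sensitivity note above is handled. The deploy_cluster function needs az and kubectl and is only run when you call it explicitly; the two helpers run anywhere.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Assumed variable names:
# AAD_SERVER_APP_ID, AAD_SERVER_APP_SECRET, AAD_CLIENT_APP_ID, AAD_TENANT_ID.

# Return 0 if every required Azure AD value is set and non-empty, 1 otherwise.
# Only the names of missing variables are printed; values (the secret!) are not.
check_prereqs() {
  missing=""
  for name in AAD_SERVER_APP_ID AAD_SERVER_APP_SECRET AAD_CLIENT_APP_ID AAD_TENANT_ID; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required values:$missing" >&2
    return 1
  fi
  return 0
}

# Print a ClusterRoleBinding granting cluster-admin to one Azure AD user.
# The UPN is inserted exactly as given because the binding is case sensitive.
render_rolebinding() {
  upn="$1"
  case "$upn" in
    *@*) ;;
    *) echo "UPN must look like user@domain" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aks-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $upn
EOF
}

# The full procedure from the post: resource group, cluster, one-off admin
# bootstrap of the binding, then switch to the Azure AD-backed context.
# Usage: deploy_cluster <resource-group> <cluster-name> <location>
deploy_cluster() {
  rg="$1"; aksname="$2"; location="$3"
  check_prereqs || return 1
  az group create --name "$rg" --location "$location"
  az aks create --resource-group "$rg" --name "$aksname" \
    --node-count 2 --vm-set-type VirtualMachineScaleSets \
    --load-balancer-sku standard --generate-ssh-keys \
    --aad-server-app-id "$AAD_SERVER_APP_ID" \
    --aad-server-app-secret "$AAD_SERVER_APP_SECRET" \
    --aad-client-app-id "$AAD_CLIENT_APP_ID" \
    --aad-tenant-id "$AAD_TENANT_ID"
  # Admin credentials are used once, only to create the binding.
  az aks get-credentials --resource-group "$rg" --name "$aksname" --admin
  upn=$(az ad signed-in-user show --query userPrincipalName -o tsv)
  render_rolebinding "$upn" | kubectl apply -f -
  # Day-to-day access goes through Azure AD, not the admin credentials.
  az aks get-credentials --resource-group "$rg" --name "$aksname"
  kubectl get nodes
}
```

Piping render_rolebinding straight into kubectl apply -f - avoids leaving a hand-edited RBAC.yaml lying around with the wrong UPN case; if you prefer a file, redirect the function's output to RBAC.yaml and apply it as the post does.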
Well, there you have it, you have created an AKS cluster using the Azure CLI. I hope you found this article helpful. If you have any comments or questions please feel free to reach out using the usual methods or by leaving a comment below.