Reading Time: 5 minutes
Share:
Twitter
LinkedIn
Facebook
Reddit
Whatsapp
Follow by Email

If you have seen some of my previous blog post about Azure Kubernetes Service (AKS) then you will have noticed that I always build my AKS cluster with Azure Active Directory (Azure AD) integration. I.e. an Azure AD Server and Client Application. This helps me manage access to my cluster by using users and groups from my Azure AD. I can also configure kubernetes Role-Based Access Control (RBAC) using the users and groups. Below I will walk through how to create the required Azure AD components that you will need to use to create your AKS cluster.

Note: You can not use Azure AD integration on an existing cluster.

Prerequisites

You will need Azure CLI version 2.0.61 or later. You can check what version you have by running az –version. You can use the Azure Cloud Shell to perform the below actions. The Cloud Shell should always have the latest version of the Azure CLI.

The account you are using to set up the Azure AD components will also need to be an Azure Tenant administrator.

Enough talk let’s start!

Let’s create the Azure AD server application

To actually integrate Azure AD with your AKS cluster you firstly need to create an Azure AD application that will act as an endpoint for the identity requests. The below command uses the az ad app create command to create the Server application. You will then use the az ad app update command to update the group membership claim.

Open your preferred terminal/shell. I am going to use the Azure Cloud Shell from within the new Windows Terminal app and make sure you are logged in and connected to your Azure subscription.

Next, you need to create a Service Principal for the server application. For this, you are going to use the az ad sp create command. You will then use the az ad sp credentials reset command to get the secret. This will be stored in the variable called serverApplicationSecret.

Now you need to assign some permissions to the Server application. For this, you will use the az ad app permission add command.

Finally, it’s time to grant the permissions to the server application. You can see in the screenshot above it says you need to use the az ad app permission grant command to do that. You will also need to add the admin-consent permission to the Server application. You will use az ad app permission admin-consent for that.

You have now created the Azure Ad Server application. Next, we move on to the client application.

Let’s create the Azure AD client application

Now for the second Azure AD application, this one is the client. This one is used when a user logs to your AKS cluster using kubectl (Kubernetes CLI). Basically this is the application that verifies the users’ credentials and permissions. To create the client application you are going to use the az ad app create command.

Now you need to create a service principal for the client app. To do that you will need to use the az ad sp create command again.

Now you will be getting the oAuth2 ID for the server application. You need this to allow the authentication to flow between the two applications. You will be saving it to a variable which will be used in the next command. You will be using the az ad app show command for this.

Now for the last part of creating the client application. Adding the app permissions. For this, you will use the az ad app permission add command and then the az ad app permission grant command.

You have now created the two Azure AD applications needed to create an AKS cluster with Azure AD integration.

When you go to create your AKS cluster you are going to need the output of the variables above and also the tenant ID. The below command will get you your tenant ID.

Now, run the below before you close your terminal window and make a copy of it. Save it to LastPass or similar.

And there you have it, you now have everything you need to create your AD integrated AKS cluster. You can now use the Azure CLI, Arm template or Terraform to actually create it. At the time of writing this post, you are unable to create an Azure AD integrated AKS cluster using the Azure Portal.

You can view my blog post about creating an AKS cluster with Azure AD integration at https://pixelrobots.co.uk/2020/01/deploy-aks-with-node-pools-and-aad-authentication-using-arm-templates/

I hope you found this article helpful. If you have any comments or questions please feel free to reach out using the usual methods or by leaving a comment below.

Share:
Twitter
LinkedIn
Facebook
Reddit
Whatsapp
Follow by Email

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *