If you have seen some of my previous blog post about Azure Kubernetes Service (AKS) then you will have noticed that I always build my AKS cluster with Azure Active Directory (Azure AD) integration. I.e. an Azure AD Server and Client Application. This helps me manage access to my cluster by using users and groups from my Azure AD. I can also configure kubernetes Role-Based Access Control (RBAC) using the users and groups. Below I will walk through how to create the required Azure AD components that you will need to use to create your AKS cluster.
Note: You can not use Azure AD integration on an existing cluster.
Prerequisites
You will need Azure CLI version 2.0.61 or later. You can check what version you have by running az –version. You can use the Azure Cloud Shell to perform the below actions. The Cloud Shell should always have the latest version of the Azure CLI.
The account you are using to set up the Azure AD components will also need to be an Azure Tenant administrator.
Enough talk let’s start!
Let’s create the Azure AD server application
To actually integrate Azure AD with your AKS cluster you firstly need to create an Azure AD application that will act as an endpoint for the identity requests. The below command uses the az ad app create command to create the Server application. You will then use the az ad app update command to update the group membership claim.
Open your preferred terminal/shell. I am going to use the Azure Cloud Shell from within the new Windows Terminal app and make sure you are logged in and connected to your Azure subscription.
|
1 2 3 4 5 6 7 8 |
# Set Variable aksname="pixel-aks-cluster" # Create the Azure AD application serverApplicationId=$(az ad app create --display-name "${aksname}-Server" --identifier-uris "https://${aksname}Server" --query appId -o tsv) # Update the application group memebership claims az ad app update --id $serverApplicationId --set groupMembershipClaims=All |
Next, you need to create a Service Principal for the server application. For this, you are going to use the az ad sp create command. You will then use the az ad sp credentials reset command to get the secret. This will be stored in the variable called serverApplicationSecret.
|
1 2 3 4 5 |
# Create a service principal for the Azure AD application az ad sp create --id $serverApplicationId # Get the service principal secret serverApplicationSecret=$(az ad sp credential reset --name $serverApplicationId --credential-description "AKSSecret" --query password -o tsv) |
Now you need to assign some permissions to the Server application. For this, you will use the az ad app permission add command.
|
1 |
az ad app permission add --id $serverApplicationId --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role |
Finally, it’s time to grant the permissions to the server application. You can see in the screenshot above it says you need to use the az ad app permission grant command to do that. You will also need to add the admin-consent permission to the Server application. You will use az ad app permission admin-consent for that.
|
1 2 |
az ad app permission grant --id $serverApplicationId --api 00000003-0000-0000-c000-000000000000 az ad app permission admin-consent --id $serverApplicationId |
You have now created the Azure Ad Server application. Next, we move on to the client application.
Let’s create the Azure AD client application
Now for the second Azure AD application, this one is the client. This one is used when a user logs to your AKS cluster using kubectl (Kubernetes CLI). Basically this is the application that verifies the users’ credentials and permissions. To create the client application you are going to use the az ad app create command.
|
1 |
clientApplicationId=$(az ad app create --display-name "${aksname}-Client" --native-app --reply-urls "https://${aksname}-Client" --query appId -o tsv) |
Now you need to create a service principal for the client app. To do that you will need to use the az ad sp create command again.
|
1 |
az ad sp create --id $clientApplicationId |
Now you will be getting the oAuth2 ID for the server application. You need this to allow the authentication to flow between the two applications. You will be saving it to a variable which will be used in the next command. You will be using the az ad app show command for this.
|
1 |
oAuthPermissionId=$(az ad app show --id $serverApplicationId --query "oauth2Permissions[0].id" -o tsv) |
Now for the last part of creating the client application. Adding the app permissions. For this, you will use the az ad app permission add command and then the az ad app permission grant command.
|
1 2 |
az ad app permission add --id $clientApplicationId --api $serverApplicationId --api-permissions $oAuthPermissionId=Scope az ad app permission grant --id $clientApplicationId --api $serverApplicationId |
You have now created the two Azure AD applications needed to create an AKS cluster with Azure AD integration.
When you go to create your AKS cluster you are going to need the output of the variables above and also the tenant ID. The below command will get you your tenant ID.
|
1 |
tenantId=$(az account show --query tenantId -o tsv) |
Now, run the below before you close your terminal window and make a copy of it. Save it to LastPass or similar.
|
1 2 3 4 |
echo aad-server-app-id = $serverApplicationId echo aad-server-app-secret = $serverApplicationSecret echo aad-client-app-id = $clientApplicationId echo aad-tenant-id = $tenantId |
And there you have it, you now have everything you need to create your AD integrated AKS cluster. You can now use the Azure CLI, Arm template or Terraform to actually create it. At the time of writing this post, you are unable to create an Azure AD integrated AKS cluster using the Azure Portal.
You can view my blog post about creating an AKS cluster with Azure AD integration at https://pixelrobots.co.uk/2020/01/deploy-aks-with-node-pools-and-aad-authentication-using-arm-templates/
I hope you found this article helpful. If you have any comments or questions please feel free to reach out using the usual methods or by leaving a comment below.
0 Comments