AKS 22 - What Is Azure AD Integration for RBAC?

Azure AD integration lets you control access to your AKS cluster with Azure AD identities (users, groups and service principals). It replaces static Kubernetes user management with centralized identity and access control.

✅ Benefits

  • Centralized Identity: Use existing Azure AD users/groups for Kubernetes access.
  • Granular Access Control: Assign roles like admin, reader and developer using Kubernetes RBAC.
  • Audit & Compliance: Track access via Azure AD logs and policies.
  • Security: Avoid managing Kubernetes certificates manually.

🛠️ How It Works

  1. Azure AD authenticates the user.
  2. Kubernetes RBAC authorizes the user based on their assigned role.
  3. Access is granted or denied accordingly.

🔧 How to Enable Azure AD Integration

1. Create AKS Cluster with Azure AD Integration

az aks create \
  --resource-group <rg-name> \
  --name <cluster-name> \
  --enable-aad \
  --aad-admin-group-object-ids <group-object-id> \
  --enable-azure-rbac \
  ...

  • --enable-aad: Enables Azure AD authentication for the cluster.
  • --aad-admin-group-object-ids: Specifies the Azure AD group(s) whose members get cluster-admin access.
  • --enable-azure-rbac: Uses Azure RBAC for Kubernetes authorization, so permissions are granted through Azure role assignments rather than native Kubernetes RoleBindings.

You can also enable this on an existing cluster using az aks update.

2. Assign Azure Roles to Users/Groups

Use Azure built-in roles like:

  • Azure Kubernetes Service Cluster Admin Role
  • Azure Kubernetes Service Cluster User Role

az role assignment create \
  --assignee <user-object-id> \
  --role "Azure Kubernetes Service Cluster Admin Role" \
  --scope /subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>

3. Access the Cluster

Once roles are assigned:

  • Users can run az aks get-credentials to fetch a kubeconfig for the cluster.
  • Use kubectl to interact with the cluster.
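To tie the three steps above together, and to show the authenticate-then-authorize flow from "How It Works" end to end, here is an added example script that is not part of the original post. It assumes an existing cluster and uses constructed placeholder values for the resource group, cluster name, subscription id and group object ids. It differs from the commands above in three practitioner-oriented ways: access is granted to an Azure AD group rather than a single user, the local admin account is disabled so only Azure AD logins work, and the script finishes by checking what the group can actually do. The function names (is_guid, aks_scope, enable_aad_rbac, grant_group_reader, check_access) are mine; the az and kubectl flags, the kubelogin tool and the Azure built-in role names are real.

```shell
#!/bin/sh
# Added example (not from the original post): enable Azure AD + Azure RBAC on an
# existing AKS cluster, grant a group read-only access, then verify the result.
# All values below are constructed placeholders, not real identifiers.
# Usage: sh aks-aad.sh apply   (az/kubectl calls only run when "apply" is given)
set -eu

RG="${RG:-my-rg}"                                                     # placeholder
CLUSTER="${CLUSTER:-my-aks}"                                          # placeholder
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"                    # placeholder
ADMIN_GROUP="${ADMIN_GROUP:-11111111-1111-1111-1111-111111111111}"    # placeholder
READER_GROUP="${READER_GROUP:-22222222-2222-2222-2222-222222222222}"  # placeholder

# Reject anything that is not a GUID before it reaches an az command, so a
# pasted display name can never become a role assignee by accident.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Full ARM resource id of the cluster: the scope used for role assignments.
aks_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerService/managedClusters/%s' "$1" "$2" "$3"
}

# Turn on Azure AD authentication and Azure RBAC for Kubernetes authorization,
# and disable local accounts so "az aks get-credentials --admin" can no longer
# return a certificate-based kubeconfig that bypasses Azure AD entirely.
enable_aad_rbac() {
  is_guid "$ADMIN_GROUP" || { echo "ADMIN_GROUP must be an Azure AD group object id" >&2; return 1; }
  az aks update \
    --resource-group "$RG" \
    --name "$CLUSTER" \
    --enable-aad \
    --enable-azure-rbac \
    --aad-admin-group-object-ids "$ADMIN_GROUP" \
    --disable-local-accounts
}

# Grant a group read-only Kubernetes access at cluster scope. Two roles are
# needed: Cluster User Role lets members fetch a kubeconfig, and the Azure RBAC
# Reader role is what Azure RBAC for Kubernetes evaluates inside the cluster.
grant_group_reader() {
  group_id="$1"; scope="$2"
  is_guid "$group_id" || { echo "group id must be an Azure AD object id" >&2; return 1; }
  for role in "Azure Kubernetes Service Cluster User Role" \
              "Azure Kubernetes Service RBAC Reader"; do
    az role assignment create \
      --assignee-object-id "$group_id" \
      --assignee-principal-type Group \
      --role "$role" \
      --scope "$scope"
  done
}

# Fetch a non-admin kubeconfig, switch it to the Azure CLI token flow with
# kubelogin, and confirm the effective permissions with "kubectl auth can-i".
check_access() {
  az aks get-credentials --resource-group "$RG" --name "$CLUSTER" --overwrite-existing
  kubelogin convert-kubeconfig -l azurecli
  kubectl auth can-i list pods --all-namespaces            # expected "yes" for a reader
  kubectl auth can-i create deployments -n default || true # expected "no" for a reader
}

if [ "${1:-}" = "apply" ]; then
  enable_aad_rbac
  grant_group_reader "$READER_GROUP" "$(aks_scope "$SUB" "$RG" "$CLUSTER")"
  check_access
fi
```

Without the apply argument the script only defines its functions, so it can be sourced and the pieces run one at a time. Note that the Cluster Admin Role used in the role assignment earlier grants permission to list the cluster's admin credential, which is the local, certificate-based kubeconfig that does not pass through Azure AD at all; that is why this script pairs the Cluster User Role with the Azure RBAC Reader role for ordinary users and disables local accounts.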

Optional: Use Native Kubernetes RBAC

If you prefer Kubernetes-native RBAC:

  • Omit --enable-azure-rbac when creating or updating the cluster.
  • Create a RoleBinding or ClusterRoleBinding manually, for example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-read-access
subjects:
- kind: User
  name: user@yourdomain.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
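The manifest above binds one user by UPN. As an added example (not from the original post), the script below renders group-based bindings instead: a cluster-wide view binding plus a namespaced edit binding, so members can read everything but change only their own namespace. With Azure AD integration the group must be named by its Azure AD object id, which is the value the token's groups claim carries, not by its display name. The object id, namespace and UPN are constructed placeholders, the binding names and function names are mine, and the view and edit ClusterRoles are Kubernetes built-ins.

```shell
#!/bin/sh
# Added example (not from the original post): Kubernetes-native RBAC bindings
# for an Azure AD group, rendered as a manifest and verified with impersonation.
# Object id, namespace and UPN below are constructed placeholders.
# Usage: sh aad-bindings.sh apply   (kubectl only runs when "apply" is given)
set -eu

# Emit a cluster-wide read-only binding for the group plus a namespaced edit
# binding. The subject name is the Azure AD group object id, not its name.
render_bindings() {
  group_id="$1"; ns="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-developers-view
subjects:
- kind: Group
  name: ${group_id}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aad-developers-edit
  namespace: ${ns}
subjects:
- kind: Group
  name: ${group_id}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Count Group subjects in a rendered manifest. Binding a user by UPN ties access
# to a mutable attribute; binding the group keeps access aligned with membership.
count_group_subjects() {
  printf '%s\n' "$1" | grep -c '^- kind: Group$'
}

# Apply the manifest, then check what a member of the group can do. The check
# runs from an admin context using impersonation, so no member's login is needed.
apply_and_verify() {
  group_id="$1"; ns="$2"; upn="$3"
  render_bindings "$group_id" "$ns" | kubectl apply -f -
  kubectl auth can-i list pods --all-namespaces --as "$upn" --as-group "$group_id"    # expected "yes"
  kubectl auth can-i create deployments -n "$ns" --as "$upn" --as-group "$group_id"  # expected "yes"
  kubectl auth can-i delete nodes --as "$upn" --as-group "$group_id" || true          # expected "no"
}

if [ "${1:-}" = "apply" ]; then
  apply_and_verify "${GROUP_ID:-22222222-2222-2222-2222-222222222222}" "${NS:-dev}" "${UPN:-user@yourdomain.com}"
fi
```

The impersonation checks only work for a caller who already holds the impersonate permission, which members of the cluster's Azure AD admin group have; they give you a quick way to confirm a binding before telling the group it is live.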
