AKS secured by Azure Active Directory, based on MS Graph instead of Azure AD Graph.
Official Azure doc here.
Similar repo here, but out of date.
AKS will be configured to use Azure AD for user authentication. In this configuration, you sign in to an AKS cluster with your Azure AD authentication token; Kubernetes RBAC then decides what that identity may do in the cluster.
# "resourceAppId": "00000002-0000-0000-c000-000000000000" >> refers to the Azure Active Directory Graph
# "resourceAppId": "00000003-0000-0000-c000-000000000000" >> refers to the Microsoft Graph API
Which one is recommended is explained here.
MS Graph manifest is here.
Azure AD Graph manifest is here.
The server app uses MS Graph by default:
--required-resource-accesses @manifest.json
Details are here.
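As an added example (not the repo's `server-ad-app.sh`), the following builds the `--required-resource-accesses` manifest for the server app against Microsoft Graph without hard-coding permission ids: each id is looked up on the Graph service principal at run time, so a mistyped GUID cannot silently grant a different permission. It assumes an Azure CLI that exposes `oauth2PermissionScopes` on `az ad sp show` (Graph-based CLI), and the `AD_SERVER_APP_*` variables exported above; the repo's own script still handles the secret and the rest of the registration.

```shell
#!/usr/bin/env bash
# Added example, not part of the repo. Builds the required-resource-access manifest
# for the AKS server app and registers it. Assumes: az CLI (Graph-based, >= 2.37),
# AD_SERVER_APP_NAME / AD_SERVER_APP_URL exported as on the page.

MS_GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph
AAD_GRAPH_APP_ID="00000002-0000-0000-c000-000000000000"  # Azure AD Graph (legacy)

# build_manifest RESOURCE_APP_ID "ROLE_ID ..." "SCOPE_ID ..."
# "Role"  = application permission (granted to the app itself)
# "Scope" = delegated permission (exercised on behalf of the signed-in user)
build_manifest() {
  resource="$1"; roles="$2"; scopes="$3"
  printf '[{"resourceAppId":"%s","resourceAccess":[' "$resource"
  sep=""
  for id in $roles; do
    printf '%s{"id":"%s","type":"Role"}' "$sep" "$id"; sep=","
  done
  for id in $scopes; do
    printf '%s{"id":"%s","type":"Scope"}' "$sep" "$id"; sep=","
  done
  printf ']}]\n'
}

# lookup_role SP_APP_ID PERMISSION  -> id of an application permission (appRoles)
lookup_role() {
  az ad sp show --id "$1" --query "appRoles[?value=='$2'].id | [0]" -o tsv
}

# lookup_scope SP_APP_ID PERMISSION -> id of a delegated permission (oauth2PermissionScopes)
lookup_scope() {
  az ad sp show --id "$1" --query "oauth2PermissionScopes[?value=='$2'].id | [0]" -o tsv
}

# Registers the server app with the permissions the Azure AD integration needs on
# Microsoft Graph: Directory.Read.All (application and delegated) and User.Read (delegated).
# Prints the new appId. Not called at load time; run: register_server_app
register_server_app() {
  role_dir="$(lookup_role  "$MS_GRAPH_APP_ID" Directory.Read.All)"
  scope_dir="$(lookup_scope "$MS_GRAPH_APP_ID" Directory.Read.All)"
  scope_user="$(lookup_scope "$MS_GRAPH_APP_ID" User.Read)"
  if [ -z "$role_dir" ] || [ -z "$scope_dir" ] || [ -z "$scope_user" ]; then
    echo "permission lookup failed; refusing to write a partial manifest" >&2
    return 1
  fi
  build_manifest "$MS_GRAPH_APP_ID" "$role_dir" "$scope_dir $scope_user" > manifest.json
  az ad app create --display-name "$AD_SERVER_APP_NAME" \
    --identifier-uris "$AD_SERVER_APP_URL" \
    --required-resource-accesses @manifest.json \
    --query appId -o tsv
}
```

To target the legacy Azure AD Graph instead, pass `$AAD_GRAPH_APP_ID` to the lookups and to `build_manifest`; the JSON shape is the same, only the resource and permission ids change. Note that `az ad app create` only declares the permissions: an admin consent step is still required before the application permission is effective.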
# load vars
$ export AD_SERVER_APP_NAME="AKSAzureADServer" &&\
export AD_SERVER_APP_URL="https://aksadserver" &&\
export AD_SERVER_APP_SECRET="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')"
# run and check the output
$ ./server-ad-app.sh
For MS Graph:
[optional] For Azure AD Graph:
Details are here.
# load vars from the server script
$ export AD_SERVER_APP_ID=<> &&\
export AD_SERVER_APP_OAUTH2PERMISSIONS_ID=<> &&\
export AD_SERVER_APP_SECRET=<>
# load vars
$ export AD_CLIENT_APP_NAME="AKSAzureADClient" &&\
export AD_CLIENT_APP_URL="https://aksadclient"
# run and check the output
$ ./client-ad-app.sh
This is optional and can be enabled or switched here.
Details are here.
# load vars from the client script
export TF_VAR_rbac_server_app_id=<> &&\
export TF_VAR_rbac_server_app_secret=<> &&\
export TF_VAR_rbac_client_app_id=<>
export TF_VAR_tenant_id=<> &&\
export TF_VAR_client_id=<> &&\
export TF_VAR_client_secret=<>
cd ./aks
terraform init
terraform plan -out out.plan
terraform apply out.plan
Details are here.
# load env vars
$ CLUSTER_NAME=aadk8s
$ RESOURCE_GROUP_NAME=aadk8srg
# create user
$ az ad user create --display-name <display_name> --password <password> --user-principal-name <username>@<E-mail of LifeID>.onmicrosoft.com
# ADMIN: --admin fetches the cluster-admin credentials, which bypass Azure AD; use them only to bootstrap RBAC
$ az aks get-credentials -n $CLUSTER_NAME -g $RESOURCE_GROUP_NAME --admin
# edit 'rbac/rbac-aad-user.yaml' with your user: '<username>@<E-mail of LifeID>.onmicrosoft.com' ('k' is an alias for kubectl)
$ k apply -f rbac/rbac-aad-user.yaml
$ az aks get-credentials -n $CLUSTER_NAME -g $RESOURCE_GROUP_NAME
# USER
$ k get namespaces
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CSNWAJ34U to authenticate.
NAME STATUS AGE
default Active 16m
kube-node-lease Active 16m
kube-public Active 16m
kube-system Active 16m
$ k get pods
No resources found in default namespace.
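As an added example (not the repo's `rbac/rbac-aad-user.yaml`), this renders a cluster-scoped binding for an Azure AD user and then checks the result from both kubeconfigs. A `ClusterRoleBinding` is used because listing namespaces, as in the `k get namespaces` output above, needs cluster scope; the built-in read-only `view` ClusterRole is assumed, and the repo's own file may bind a different role. `kubeconfig_auth_kind` classifies a kubeconfig dump so you can confirm that the user context really authenticates through Azure AD rather than the static credentials `--admin` hands out; the kubeconfig fragments at the bottom are constructed for the self-check and contain no real credentials.

```shell
#!/usr/bin/env bash
# Added example, not part of the repo. Assumes kubectl on PATH and an Azure AD UPN
# such as '<username>@<tenant>.onmicrosoft.com' for the functions that take one.

# render_binding UPN [CLUSTERROLE]  -> RBAC manifest on stdout (default role: view)
render_binding() {
  upn="$1"; role="${2:-view}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-user-${role}
subjects:
- kind: User
  name: ${upn}    # must match the UPN Azure AD places in the token
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# kubeconfig_auth_kind "$(kubectl config view --raw)" -> aad | static | unknown
# 'aad'    : legacy azure auth-provider or the kubelogin exec plugin (device login)
# 'static' : client certificate or bearer token, i.e. what --admin produces; it bypasses
#            Azure AD and Kubernetes RBAC for the user identity entirely
kubeconfig_auth_kind() {
  if printf '%s\n' "$1" | grep -Eq 'auth-provider:|kubelogin'; then
    echo aad
  elif printf '%s\n' "$1" | grep -Eq 'client-certificate-data:|token:'; then
    echo static
  else
    echo unknown
  fi
}

# apply_and_check UPN  (run from the --admin context; not called at load time)
# Uses impersonation so the grant can be verified without logging in as the user.
apply_and_check() {
  render_binding "$1" view | kubectl apply -f -
  echo "list namespaces as $1 (expected: yes)"; kubectl auth can-i list namespaces --as="$1" || true
  echo "create pods as $1 (expected: no)";      kubectl auth can-i create pods --as="$1" || true
  echo "current kubeconfig auth: $(kubeconfig_auth_kind "$(kubectl config view --raw)")"
}

# Constructed kubeconfig fragments for the self-check (placeholders, not real secrets).
ADMIN_SAMPLE='users:
- name: clusterAdmin_aadk8srg_aadk8s
  user:
    client-certificate-data: <base64>
    client-key-data: <base64>
    token: <redacted>'
AAD_SAMPLE='users:
- name: clusterUser_aadk8srg_aadk8s
  user:
    auth-provider:
      name: azure
      config:
        apiserver-id: <>
        client-id: <>
        tenant-id: <>'
```

After `az aks get-credentials` without `--admin`, `kubeconfig_auth_kind "$(kubectl config view --raw --minify)"` should print `aad`; if it prints `static`, the active context is still the admin one and the device-login prompt shown above will never appear. The `--admin` kubeconfig should be treated as a break-glass credential and not distributed to users.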