Enable AAD RBAC (#114)

* Enable AAD RBAC * Fixed kubelogin flag * azurerm 2.x compatability
microsoft · Aug 26, 2022 · 6d5d273 · 6d5d273
1 parent 534b4d6
commit 6d5d273
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -118,3 +118,5 @@ override.tf
 queryable_schemas/
 
 .metals/
+
+kubeconfig
diff --git a/deployment/Dockerfile b/deployment/Dockerfile
@@ -34,6 +34,12 @@ RUN echo "deb https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/
 RUN apt-get update
 RUN apt-get install helm=3.5.0-1
 
+# Install kubelogin
+
+RUN curl -sL https://github.com/Azure/kubelogin/releases/download/v0.0.18/kubelogin-linux-amd64.zip --output kubelogin.zip \
+    && unzip -j kubelogin.zip bin/linux_amd64/kubelogin -d /usr/local/bin/ \
+    && rm -rf kubelogin.zip
+
 # Install azure client
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
 

diff --git a/deployment/bin/lib b/deployment/bin/lib
@@ -72,7 +72,19 @@ function cluster_login() {
     az aks get-credentials \
         --resource-group ${RESOURCE_GROUP} \
         --name ${CLUSTER_NAME} \
-        --subscription ${ARM_SUBSCRIPTION_ID}
+        --subscription ${ARM_SUBSCRIPTION_ID} \
+        --file=kubeconfig
+
+    # kubelogin mutates every entry in the kubeconfig
+    # https://github.com/Azure/kubelogin/issues/87.
+    # So we export to a kubeconfig file
+    echo "Converting kubeconfig..."
+    kubelogin convert-kubeconfig \
+        --login spn \
+        --client-id ${ARM_CLIENT_ID} \
+        --client-secret ${ARM_CLIENT_SECRET} \
+        --kubeconfig=kubeconfig
+    export KUBECONFIG=kubeconfig
 }
 
 function setup_helm() {

diff --git a/deployment/terraform/resources/aks.tf b/deployment/terraform/resources/aks.tf
@@ -22,6 +22,20 @@ resource "azurerm_kubernetes_cluster" "pc" {
     type = "SystemAssigned"
   }
 
+  role_based_access_control {
+    enabled = true
+    azure_active_directory {
+      managed = true
+      azure_rbac_enabled = true
+    }
+
+  }
+  # TODO(azurerm 3.x)
+  # azure_active_directory_role_based_access_control {
+  #   managed = true
+  #   azure_rbac_enabled = true
+  # }
+
   tags = {
     Environment = var.environment
     ManagedBy   = "AI4E"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -118,3 +118,5 @@ override.tf
		queryable_schemas/

		.metals/

		kubeconfig