Rbac aad practice #16
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Create Azure Key Vault to hold secrets Enable K8S cluster managed identity to fetch them * Deploy Azure Key Vault Provider for Secrets Store CSI Driver to K8S cluster, in order to enable fetching of Azure Key Vault stored secrets to Pods. Signed-off-by: Harri Hirvonsalo <[email protected]>
…ory and Kubernetes RBAC
Moved TODOs in the beginning Added note about destroying and applying the cluster Added link
JouHouFin
commented
Apr 8, 2021
Comment on lines
+91
to
+100
| role_based_access_control { | ||
| enabled = true | ||
| azure_active_directory { | ||
| managed = true | ||
| admin_group_object_ids = [ | ||
| "93b4062c-6cf4-4ed3-af28-9633d2785bda" | ||
| ] | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
This is one essential part of enabling AAD integration for K8S cluster.
JouHouFin
commented
Apr 8, 2021
Comment on lines
+1
to
+14
| kind: Role | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: dev-user-full-access | ||
| namespace: dev | ||
| rules: | ||
| - apiGroups: ["", "extensions", "apps"] | ||
| resources: ["*"] | ||
| verbs: ["*"] | ||
| - apiGroups: ["batch"] | ||
| resources: | ||
| - jobs | ||
| - cronjobs | ||
| verbs: ["*"] |
There was a problem hiding this comment.
These create the roles that can be used to limit access via RBAC.
JouHouFin
commented
Apr 8, 2021
Comment on lines
+1
to
+14
| kind: Role | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: sre-user-full-access | ||
| namespace: sre | ||
| rules: | ||
| - apiGroups: ["", "extensions", "apps"] | ||
| resources: ["*"] | ||
| verbs: ["*"] | ||
| - apiGroups: ["batch"] | ||
| resources: | ||
| - jobs | ||
| - cronjobs | ||
| verbs: ["*"] |
There was a problem hiding this comment.
These create the roles that can be used to limit access via RBAC.
JouHouFin
commented
Apr 8, 2021
Comment on lines
+1
to
+13
| kind: RoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: dev-user-access | ||
| namespace: dev | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: dev-user-full-access | ||
| subjects: | ||
| - kind: Group | ||
| namespace: dev | ||
| name: 6301165d-4aac-45d5-a8b5-373bc6520e2f |
There was a problem hiding this comment.
These create the rolebindings that can be used to limit access via RBAC. Groups must be created with azure cli or some other way.
JouHouFin
commented
Apr 8, 2021
Comment on lines
+1
to
+13
| kind: RoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: sre-user-access | ||
| namespace: sre | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: sre-user-full-access | ||
| subjects: | ||
| - kind: Group | ||
| namespace: sre | ||
| name: 785e6c8f-6e5f-4543-a88d-fa391591ea61 |
There was a problem hiding this comment.
These create the rolebindings that can be used to limit access via RBAC. Groups must be created with azure cli or some other way.
JouHouFin
commented
Apr 8, 2021
Comment on lines
+86
to
+104
| #### 5. Role-based access control (RBAC), Azure Active Directory (AAD) and namespaces | ||
|
|
||
| To enable RBAC through AAD via this Terraform plan the following steps were done: | ||
|
|
||
| 1. Added a role_based_access_control-block to resource "azurerm_kubernetes_cluster" found in modules/k8s/main.tf. | ||
| - that block contains an array named admin_group_object_ids, which contains the id of an AD group. That AD group contains admins of the cluster. Currently, creating the group and adding admins is a manual process. The group id can be queried via Azure CLI or Azure Portal. | ||
| 2. After enabling AAD/RBAC, K8S csi driver installation needs sufficient K8S cluster credentials. One easy way of providing them is to use kubeconfig with --admin flag: | ||
| - `az aks get-credentials -g <RESOURCE_GROUP_NAME> -n <CLUSTER_NAME> --admin`. This creates an entry in the kubeconfig (default path is ~/.kube/config). | ||
| 3. Added following lines to provider "helm" in modules/k8s_csi_driver_azure/main.tf: | ||
| - `config_path = "~/.kube/config"` | ||
| - `config_context = "<ADMIN_CONTEXT_NAME_HERE>"` | ||
| - Note: do not specify username and password if using kubeconfig to authenticate. | ||
| 4. Then, this guide was followed: https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac with following exceptions: | ||
| - In step `Create demo users in Azure AD`, new users weren't created. Instead, | ||
| $AKSDEV_ID and $AKSSRE_ID were replaced by existing users' ids. | ||
| - Note: if you are in the cluster admin AD group, you will see all cluster resources regardless of whether you use cluster admin or cluster user context (acquired via the az aks get-credentials command). | ||
| - Note: if you destroy the resources and then apply them again, you may need to acquire new credentials to kubeconfig to be able to install the K8S CSI driver. | ||
|
|
||
| After doing those steps, with your cluster user credentials, you should only be able to see and modify resources in specific namespaces. |
There was a problem hiding this comment.
These steps document how to enable AAD-assisted RBAC in K8S cluster
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Request for comments