The purpose of this repository is to show how to manage RBAC in Azure Kubernetes Service (AKS) using Entra ID users.
Prerequisites:

- Azure Subscription
- Azure CLI
- Terraform
- kubectl
- kubelogin
- Taskfile
Start by creating the test stack:

- Navigate to the `terraform` directory.
- Modify the locals file by updating the value of `authorized_ip` (you can optionally modify the tags too).
- Run the following commands:

  ```shell
  terraform init
  terraform plan
  terraform apply
  ```

This should create 4 resources in total.
Next, follow these steps:

- Access your new Kubernetes cluster with `task kubeadminaccess`. This retrieves the admin kubeconfig from Azure and also ensures that `kubectl` and `kubelogin` are properly configured.
- Open and modify one of the manifest files in the `manifests` directory (`frontend.yaml` in this example) to include the Entra ID user UPN or group Object ID you want to grant access to:

  ```yaml
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: frontend-developer-role-binding
    namespace: frontend-app-1
  subjects:
    - kind: User   # or Group
      name:        # user UPN, or the group Object ID when kind is Group
      apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: ClusterRole
    name: edit
    apiGroup: rbac.authorization.k8s.io
  ```

  Because this is a RoleBinding (not a ClusterRoleBinding), the built-in `edit` ClusterRole applies only inside the `frontend-app-1` namespace. Keep in mind that `edit` also permits reading Secrets and exec-ing into Pods in that namespace; bind the `view` ClusterRole instead if read-only access is enough.

- Apply it with either `kubectl apply -f manifests/frontend.yaml` or `task fe`. This creates a Namespace, the RoleBinding, and a testing Pod.
- After adding your user account (or a group you are a member of) to the `frontend-developer-role-binding` RoleBinding, retrieve the user access token with `task kubeuseraccess`. You should now be able to:
  - List Pods in the `frontend-app-1` namespace: `kubectl get pods -n frontend-app-1`
  - Read a Pod's logs: `kubectl logs <pod-name> -n frontend-app-1`
  - Enter a Pod's shell: `kubectl exec -it <pod-name> -n frontend-app-1 -- /bin/bash`
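Confirming that the commands above succeed shows what the user can do; it does not show what the user cannot do. The script below is an added example, not part of this repository: after `task kubeuseraccess` it runs `kubectl auth can-i` from the user's own context and compares the answers with the allow/deny matrix that a RoleBinding to the built-in `edit` ClusterRole in `frontend-app-1` should produce. The `NS` variable, the `--run` flag and the chosen checks are assumptions for this example; the expectations themselves follow from what the `edit` ClusterRole does and does not contain.

```shell
#!/usr/bin/env sh
# check_rbac.sh: added example, not part of the repository.
# Run after `task kubeuseraccess` so that the current kubeconfig context
# authenticates as the Entra ID user (or group member) bound above.
# `kubectl auth can-i` prints "yes" or "no"; the answers are compared with
# the access a namespaced RoleBinding to `edit` is supposed to grant.

NS="${NS:-frontend-app-1}"   # namespace created by manifests/frontend.yaml (assumed)

# can_i VERB RESOURCE [NAMESPACE]: echo the API server's yes/no answer.
# Without NAMESPACE the check is cluster-scoped (nodes, clusterrolebindings, ...).
can_i() {
  if [ -n "${3:-}" ]; then
    kubectl auth can-i "$1" "$2" -n "$3" 2>/dev/null
  else
    kubectl auth can-i "$1" "$2" 2>/dev/null
  fi
}

# check yes|no VERB RESOURCE [NAMESPACE]: succeed only when the answer matches.
check() {
  want="$1"; shift
  got="$(can_i "$@" || true)"   # can-i exits 1 on "no"; only the text matters here
  if [ "$got" = "$want" ]; then
    printf 'ok    %-3s %s\n' "$want" "$*"
    return 0
  fi
  printf 'FAIL  want=%s got=%s  %s\n' "$want" "${got:-<no answer>}" "$*" >&2
  return 1
}

# run_checks: allow/deny matrix for a subject bound to `edit` in $NS only.
# Returns the number of mismatches (0 means the RBAC is as intended).
run_checks() {
  fails=0
  # Allowed: namespaced edit rights inside $NS (note that `edit` reads Secrets too)
  check yes get    pods        "$NS" || fails=$((fails + 1))
  check yes create deployments "$NS" || fails=$((fails + 1))
  check yes get    secrets     "$NS" || fails=$((fails + 1))
  # Denied: the same rights in another namespace
  check no  get    pods        kube-system || fails=$((fails + 1))
  # Denied: cluster-scoped resources that `edit` never covers
  check no  list   nodes                   || fails=$((fails + 1))
  check no  create clusterrolebindings     || fails=$((fails + 1))
  # Denied: `edit` cannot change RBAC even inside $NS (that needs `admin`)
  check no  create rolebindings "$NS"      || fails=$((fails + 1))
  return "$fails"
}

# Run the matrix only when invoked with --run, so the file can also be sourced.
[ "${1:-}" = "--run" ] && { run_checks; exit $?; }
```

Usage: `sh check_rbac.sh --run` with the user context active. A non-zero exit means at least one answer differed from the matrix; a "yes" on one of the deny checks usually points at a second, broader binding (or an AKS cluster-admin group membership) that this RoleBinding alone does not explain.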