
I deployed my application pods in Azure Kubernetes Service through VSTS. I have an idea of Kubernetes with RBAC on an on-premise cluster through creating users. Now what I want to do is create some roles and assign different permissions on Kubernetes resources for my developers and testers as well in Azure Kubernetes Service. I researched this and went through different links, but I didn't get any proper idea of it. As per my understanding, we can assign permissions for roles only to users who have access to Azure Active Directory. If I am wrong, could anybody correct me?

I found one way, OpenID Connect Tokens. For this I referred to the following link. But I don't have an idea of what exactly an identity provider is, and how to generate the different tokens from the identity provider, and the client ID and client token which are mentioned in the above link?

Could anybody help me out to do RBAC in Azure Kubernetes Service, or any alternative ways for this rather than what I mentioned above?

4c74356b41
BSG

1 Answer


You can use Azure AD RBAC and/or internal k8s RBAC (which is exactly the same as the one on your on-premises cluster).

For Azure AD RBAC you would use the same approach as for the internal k8s users, but you'd need to bind roles to Azure AD entities:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: binding_name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
# Azure AD group, identified by its object ID (GUID), not its display name
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "azure_ad_group_guid"

For internal k8s RBAC read the official doc.

For Azure AD RBAC read the official doc.

4c74356b41
  • Note that k8s RBAC is disabled by default in Azure (at least when you create Kubernetes Service via the Web UI). So, you need to check the RBAC box to enable it. – Rafał Leszko Mar 04 '19 at 08:23
  • Hello 4c74356b41. Could you suggest any link for creating roles and rolebindings in Azure Kubernetes Service? – BSG Mar 04 '19 at 13:38
  • There is a link in the answer, what's wrong with that? – 4c74356b41 Mar 04 '19 at 13:39
  • Actually, I am new to Azure. So, I don't have an idea of how to give exact user details (related to Azure AD) in roles and rolebindings. – BSG Mar 04 '19 at 13:44
  • Go to the portal >> Azure AD blade >> user (or group) >> find the user (group) in question >> object ID. – 4c74356b41 Mar 04 '19 at 13:46
  • Can I give the object ID directly in the rolebinding file instead of the user under subjects? – BSG Mar 04 '19 at 17:40
  • No, you have to specify subjects (which are entities you give permissions to). – 4c74356b41 Mar 04 '19 at 17:49
  • I didn't get you. Can I specify the object ID of the user under the subjects entity? – BSG Mar 04 '19 at 18:16
  • Yes you can, change kind to User and specify the user GUID. – 4c74356b41 Mar 04 '19 at 18:23
  • Yeah, I replaced it as you suggested and created it. Now I am trying to list the pods with the command `kubectl get pods -n development1 --user=developer-role`, but getting an error like `error: auth info "developer-role" does not exist`. Here `development1` is the namespace and `developer-role` is the role which I created. Is there any necessity to create a context for the namespace with the user? – BSG Mar 04 '19 at 18:30
  • I suggest you accept this answer and start a new question, this is far too derailed. – 4c74356b41 Mar 04 '19 at 18:40
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/189412/discussion-between-gayathrib-and-4c74356b41). – BSG Mar 04 '19 at 19:08
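The answer's manifest binds an Azure AD group to `cluster-admin`, which is the broadest permission the cluster has. The following is an added example (not from the answer or its author) of the least-privilege shape the question actually asks for: a namespace-scoped `Role` for developers and a `RoleBinding` that attaches it to Azure AD subjects. The namespace `development1` and the role name `developer-role` are taken from the comment thread; the Azure AD object IDs are placeholders to be replaced with the GUIDs found in the Azure AD blade, as described in the comments.

```yaml
# Added example: namespace-scoped, read-only developer access bound to
# Azure AD subjects. Replace the placeholder GUIDs with real object IDs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-role          # name used in the comment thread
  namespace: development1       # namespace used in the comment thread
rules:
# Read-only verbs on workload objects; no write verbs and no "secrets".
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-binding
  namespace: development1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                    # Role, not ClusterRole: scoped to this namespace
  name: developer-role
subjects:
# Azure AD group: the subject name is the group's object ID, not its display name.
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "00000000-0000-0000-0000-000000000000"   # placeholder group object ID
# Single Azure AD user, identified by the object ID as the answer suggests.
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: "11111111-1111-1111-1111-111111111111"   # placeholder user object ID
```

Apply it with `kubectl apply -f developer-rbac.yaml` (assumed file name) on a cluster that was created with RBAC enabled, as the first comment notes. To confirm the binding grants only what was intended, an administrator can use kubectl's impersonation flags, for example `kubectl auth can-i list pods --namespace development1 --as 11111111-1111-1111-1111-111111111111 --as-group 00000000-0000-0000-0000-000000000000`, which should answer `yes`, while the same check with `delete pods` or `--namespace kube-system` should answer `no`. Note that the `--user` flag in the comment thread selects a user entry in your kubeconfig, not a Kubernetes Role; the `auth info ... does not exist` error means no kubeconfig user of that name exists, which is separate from whether the Role and RoleBinding were created.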