
I have a service principal which is an Owner on the subscription that I am using to create an Azure Kubernetes Service cluster as part of a script. I want my cluster to use:

Kubernetes RBAC --> enable
AKS-managed AAD --> enable
Local accounts  --> disabled

I would like the same Service Principal creating the cluster to be able to create k8s roles and role bindings; however, in order to do this the Service Principal seems to need a cluster-admin role binding.

When creating the cluster there is the option of adding an array of "admin group object ids", which seems to create cluster-admin role bindings for AD Groups. However, the SPN cannot be a part of a Group.

Is there any way around this process?

floaty39


I tried to reproduce the same in my environment and got the results as below:

To assign Azure Kubernetes Service RBAC Cluster Admin to the service principal you can make use of the CLI command below (the role name contains spaces, so it must be quoted):

az role assignment create --assignee <appId> --scope <resourceScope> --role "Azure Kubernetes Service RBAC Cluster Admin"

When I run this command, the Kubernetes roles are added successfully.

Alternatively, in Azure AD create a group and add the service principal as a member.

Now, add the group in the cluster configuration.

You can use the CLI command below to create the AKS cluster using the service principal:

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --service-principal <appId> \
    --client-secret <password>

Reference:

Use a service principal with Azure Kubernetes Services (AKS) - Azure Kubernetes Service | Microsoft Learn

Imran

Thanks! I didn't know that SPNs could be part of a Group. I think what I want is to add the Service Principal as a member of an AD Group and then add that group to the cluster admin group ids list. – floaty39 Feb 17 '23 at 08:43
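Putting the two approaches from the answer into one script, as an added example that is not part of the answer or of Microsoft's documentation: the creating service principal is added to an AAD group, that group becomes the cluster's admin group, and the built-in data-plane role is granted as the alternative. Resource group, cluster and group names are assumptions; setting `AZ=echo` dry-runs the script and prints the commands instead of executing them.

```shell
#!/usr/bin/env sh
# Added example (not from the answer). Creates an AKS cluster with Kubernetes RBAC,
# AKS-managed AAD and local accounts disabled, and gives the creating service
# principal cluster-admin via an AAD group. Names below are assumptions.
set -eu

AZ="${AZ:-az}"                                  # AZ=echo prints commands instead of running them
RG="${RG:-myResourceGroup}"                     # assumed resource group
CLUSTER="${CLUSTER:-myAKSCluster}"              # assumed cluster name
GROUP_NAME="${GROUP_NAME:-aks-cluster-admins}"  # assumed AAD group name

# Group membership and role assignments key on the SP's object id, not its appId.
sp_object_id() {
  "$AZ" ad sp show --id "$1" --query id -o tsv
}

# Create the admin group and add the service principal (by object id) to it.
ensure_admin_group() {
  sp_oid="$1"
  gid=$("$AZ" ad group create --display-name "$GROUP_NAME" \
          --mail-nickname "$GROUP_NAME" --query id -o tsv)
  "$AZ" ad group member add --group "$gid" --member-id "$sp_oid" >/dev/null
  echo "$gid"
}

# Kubernetes RBAC is on by default; AKS-managed AAD is enabled with the group as
# cluster admin, and local accounts (the admin kubeconfig) are disabled.
create_cluster() {
  group_id="$1"
  "$AZ" aks create --resource-group "$RG" --name "$CLUSTER" \
    --enable-aad --aad-admin-group-object-ids "$group_id" \
    --disable-local-accounts --enable-managed-identity \
    --node-count 1 --generate-ssh-keys
}

# Alternative from the answer: grant the built-in role at cluster scope. This
# role only takes effect on clusters created with --enable-azure-rbac.
assign_cluster_admin_role() {
  sp_oid="$1"; scope="$2"
  "$AZ" role assignment create --assignee-object-id "$sp_oid" \
    --assignee-principal-type ServicePrincipal \
    --role "Azure Kubernetes Service RBAC Cluster Admin" --scope "$scope"
}
```

A real run is `oid=$(sp_object_id <appId>); create_cluster "$(ensure_admin_group "$oid")"`, followed by `assign_cluster_admin_role "$oid" "$(az aks show -g "$RG" -n "$CLUSTER" --query id -o tsv)"` if you prefer the role-assignment route.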