Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

huangapple go评论50阅读模式
英文:

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

问题

I have a service principal which is an Owner on the subscription that I am using to create an Azure Kubernetes Service cluster as part of a script. I want my cluster to use:

Kubernetes RBAC --> enable
AKS-managed AAD --> enable
Local accounts  --> disabled

I would like the same Service Principal creating the cluster to be able to create k8s roles and role bindings however in order to do this the Service Principal seems to need a cluster-admin role binding.

When creating the cluster there is the option of adding an array of "admin group object ids" which seems to create cluster-admin role bindings for AD Groups. However the SPN cannot be a part of a Group.

Is there anyway around this process?

英文:

I have a service principal which is an Owner on the subscription that I am using to create an Azure Kubernetes Service cluster as part of a script. I want my cluster to use:

Kubernetes RBAC --> enable
AKS-managed AAD --> enable
Local accounts  --> disabled

I would like the same Service Principal creating the cluster to be able to create k8s roles and role bindings however in order to do this the Service Principal seems to need a cluster-admin role binding.

When creating the cluster there is the option of adding an array of "admin group object ids" which seems to create cluster-admin role bindings for AD Groups. However the SPN cannot be a part of a Group.

Is there anyway around this process?

答案1

得分: 1

以下是翻译好的部分:

I tried to reproduce the same in my environment and got the results as below:

在我的环境中,我尝试复制相同的操作,并获得以下结果:

To assign Azure Kubernetes Service RBAC Cluster Admin to service principal you can make use of below cli command:

要将Azure Kubernetes服务RBAC集群管理员分配给服务主体,您可以使用以下CLI命令:

az role assignment create --assignee <appId> --scope <resourceScope> --role Azure Kubernetes Service RBAC Cluster Admin

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

When I run this command kubernetes roles are added successfully like below

当我运行此命令时,Kubernetes角色会成功添加,如下所示:

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

Alternatively, In azure AD create a group add service principal as a member like below:

或者,可以在Azure AD中创建一个组,将服务主体添加为成员,如下所示:

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

Now, Add the group in cluster configuration like below

现在,将该组添加到集群配置中,如下所示:

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

You can use the below the cli command to create the aks cluster using service principal like below:

您可以使用以下CLI命令来创建AKS集群,使用服务主体,如下所示:

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --service-principal &lt;appId&gt; \
    --client-secret &lt;password&gt;

Reference:

Use a service principal with Azure Kubernetes Services (AKS) - Azure Kubernetes Service | Microsoft Learn

英文:

I tried to reproduce the same in my environment and got the results as below:

To assign Azure Kubernetes Service RBAC Cluster Admin to service principal you can make use of below cli command:

az role assignment create --assignee &lt;appId&gt; --scope &lt;resourceScope&gt; --role Azure Kubernetes Service RBAC Cluster Admin

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

When I run this command kubernetes roles are added successfully like below

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

Alternatively, In azure AD create a group add service principal as a member like below:

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

Now, Add the group in cluster configuration like below

Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?

You can use the below the cli command to create the aks cluster using service principal like below:

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --service-principal &lt;appId&gt; \
    --client-secret &lt;password&gt;

Reference:

Use a service principal with Azure Kubernetes Services (AKS) - Azure Kubernetes Service | Microsoft Learn

huangapple
  • 本文由 发表于 2023年2月16日 02:05:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/75463812.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定