英文:
Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?
问题
I have a service principal which is an Owner on the subscription that I am using to create an Azure Kubernetes Service cluster as part of a script. I want my cluster to use:
Kubernetes RBAC --> enable
AKS-managed AAD --> enable
Local accounts --> disabled
I would like the same Service Principal creating the cluster to be able to create k8s roles and role bindings however in order to do this the Service Principal seems to need a cluster-admin role binding.
When creating the cluster there is the option of adding an array of "admin group object ids" which seems to create cluster-admin role bindings for AD Groups. However the SPN cannot be a part of a Group.
Is there anyway around this process?
英文:
I have a service principal which is an Owner on the subscription that I am using to create an Azure Kubernetes Service cluster as part of a script. I want my cluster to use:
Kubernetes RBAC --> enable
AKS-managed AAD --> enable
Local accounts --> disabled
I would like the same Service Principal creating the cluster to be able to create k8s roles and role bindings however in order to do this the Service Principal seems to need a cluster-admin role binding.
When creating the cluster there is the option of adding an array of "admin group object ids" which seems to create cluster-admin role bindings for AD Groups. However the SPN cannot be a part of a Group.
Is there anyway around this process?
答案1
得分: 1
以下是翻译好的部分:
I tried to reproduce the same in my environment and got the results as below:
在我的环境中,我尝试复制相同的操作,并获得以下结果:
To assign Azure Kubernetes Service RBAC Cluster Admin to service principal you can make use of below cli command:
要将Azure Kubernetes服务RBAC集群管理员分配给服务主体,您可以使用以下CLI命令:
az role assignment create --assignee <appId> --scope <resourceScope> --role Azure Kubernetes Service RBAC Cluster Admin
When I run this command kubernetes roles are added successfully like below
当我运行此命令时,Kubernetes角色会成功添加,如下所示:
Alternatively, In azure AD create a group add service principal as a member like below:
或者,可以在Azure AD中创建一个组,将服务主体添加为成员,如下所示:
Now, Add the group in cluster configuration like below
现在,将该组添加到集群配置中,如下所示:
You can use the below the cli command to create the aks cluster using service principal like below:
您可以使用以下CLI命令来创建AKS集群,使用服务主体,如下所示:
az aks create \
--resource-group myResourceGroup \
--name myAKSCluster \
--service-principal <appId> \
--client-secret <password>
Reference:
英文:
I tried to reproduce the same in my environment and got the results as below:
To assign Azure Kubernetes Service RBAC Cluster Admin to service principal you can make use of below cli command:
az role assignment create --assignee <appId> --scope <resourceScope> --role Azure Kubernetes Service RBAC Cluster Admin
When I run this command kubernetes roles are added successfully like below
Alternatively, In azure AD create a group add service principal as a member like below:
Now, Add the group in cluster configuration like below
You can use the below the cli command to create the aks cluster using service principal like below:
az aks create \
--resource-group myResourceGroup \
--name myAKSCluster \
--service-principal <appId> \
--client-secret <password>
Reference:
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论