Join Kubernetes to Azure AD for authentication
Published Apr 27, 2018
This article describes how to configure Kubernetes to authenticate users against Azure Active Directory using the API server's OIDC flags and kubectl's azure auth provider.
1- We need to create two Azure AD apps.

The first app represents the kube-apiserver (a web app / API, not a native client):

az ad app create --native-app false --display-name APP_NAME --homepage SOME_HOME_PAGE --identifier-uris SOMEURI

The second app is the native (public client) app that kubectl uses to sign the user in; it must be granted access to the first app:

az ad app create --native-app true --display-name Native_App_Name --homepage SOME_HOME_PAGE --required-resource-accesses @manifest.json
where manifest.json grants the native app delegated access to the kube-apiserver app. resourceAppId is the application ID of the first (kube-apiserver) app, and resourceAccess.id is the ID of the OAuth2 permission scope that app exposes (its default user_impersonation scope, visible in the app's manifest under oauth2Permissions):

[
  {
    "resourceAppId": "<kubeapiapp-id>",
    "resourceAccess": [
      { "id": "<user_impersonation-scope-id>", "type": "Scope" }
    ]
  }
]
configure kubectl config (~/.kube/config). apiserver-id is the application ID of the kube-apiserver app, client-id is the application ID of the native kubectl app, and the context's user must match the name of the users entry:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data:   # base64-encoded cluster CA
    server: https://              # API server URL
  name: sandbox
contexts:
- context:
    cluster: sandbox
    user:                         # must match users[].name below
  name: ps
current-context: ps
kind: Config
preferences: {}
users:
- name:                           # same value as contexts[].context.user
  user:
    auth-provider:
      config:
        apiserver-id:             # kube-apiserver app (application ID)
        client-id:                # native kubectl app (application ID)
        environment: AzurePublicCloud
        tenant-id:                # Azure AD tenant ID
      name: azure
create a role binding. The subject name is the user name the API server derives from the token: with --oidc-username-claim=upn and no --oidc-username-prefix, the API server prefixes the upn with the issuer URL and a #. This example binds a single user to cluster-admin; in practice bind the narrowest role that works, or configure a groups claim (--oidc-groups-claim) and bind Azure AD groups rather than individual users.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: https://sts.windows.net/<tenant-id>/#<username>
modify the kube-apiserver manifest (kubeadm keeps it at /etc/kubernetes/manifests/kube-apiserver.yaml) and add the OIDC flags. The audience of the token kubectl obtains is spn:<kubeapiapp-id>, so the client ID must carry the spn: prefix, and the issuer URL must match the token's iss claim exactly, including the trailing slash:

    - --authorization-mode=RBAC
    - --oidc-client-id=spn:<kubeapiapp-id>
    - --oidc-issuer-url=https://sts.windows.net/<tenant-id>/
    - --oidc-username-claim=upn
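The most common failure after these steps is a ClusterRoleBinding whose subject name does not match the user name the API server derives from the token. The following added example (not part of the original post) mirrors the claim checks implied by the flags above and prints the exact User name to put in the binding. It uses only the standard library, does not verify the token signature (the API server does that against the issuer's JWKS; this helper only inspects claims), and the tenant and app IDs, as well as the token it builds, are constructed placeholders.

```python
import base64
import json

# Values copied from the kubeconfig / kube-apiserver flags above.
# Both IDs are constructed placeholders, not real Azure AD identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
APISERVER_APP_ID = "11111111-1111-1111-1111-111111111111"

ISSUER_URL = f"https://sts.windows.net/{TENANT_ID}/"  # --oidc-issuer-url
EXPECTED_AUD = f"spn:{APISERVER_APP_ID}"              # --oidc-client-id
USERNAME_CLAIM = "upn"                                # --oidc-username-claim


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS token.

    No signature verification is done here; kube-apiserver verifies the
    signature against the issuer's published keys. This only shows which
    claims RBAC will be matched against."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def kubernetes_username(claims: dict) -> str:
    """Apply the checks the API server performs for the flags used above and
    return the User name an RBAC subject must carry.

    With --oidc-username-claim set to something other than 'email' and no
    --oidc-username-prefix, kube-apiserver prefixes the claim value with
    '<issuer-url>#', which is why the binding subject starts with the
    issuer URL."""
    if claims.get("iss") != ISSUER_URL:
        raise PermissionError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud_list:
        raise PermissionError(f"audience mismatch: {aud!r} (expected {EXPECTED_AUD})")
    if USERNAME_CLAIM not in claims:
        raise PermissionError(f"token carries no {USERNAME_CLAIM!r} claim")
    return f"{ISSUER_URL}#{claims[USERNAME_CLAIM]}"


def make_unsigned_token(claims: dict) -> str:
    """Build a token with the given payload and an empty signature.

    Constructed test input only; a real Azure AD token is RS256-signed and
    the API server rejects anything that is not."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: the claims an Azure AD v1 token for our API server
    # app would carry for a hypothetical user alice@contoso.com.
    sample = make_unsigned_token({
        "iss": ISSUER_URL,
        "aud": EXPECTED_AUD,
        "upn": "alice@contoso.com",
    })
    print("RBAC subject name:", kubernetes_username(decode_claims(sample)))
```

To inspect a real token instead of the constructed one, pass the access-token value that kubectl's azure auth provider caches in the kubeconfig's auth-provider config to decode_claims; if kubernetes_username raises, the aud or iss of the token does not match the --oidc-client-id / --oidc-issuer-url flags and the API server would reject it as well.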