Connecting to Azure AD Integrated — AKS Cluster through User Managed Identity (non-interactive)
By leveraging Azure AD integration with AKS cluster we could simplify the process of authentication across our organization and increase the security posture of Kubernetes environments.
Deploying an AKS cluster with Azure AD integration is described in the Microsoft Learn documentation linked below; it can be configured during the initial AKS deployment or added afterwards. Once the AKS cluster is deployed, the main tool used to interact with it is the kubectl binary. The first command executed against the AKS cluster with kubectl requires a token to be obtained for the API Server. The default login method is interactive, meaning it needs user interaction to provide a user name and password. The respective user needs to have the necessary roles assigned based on the organization policy.
Another method for interacting with an AKS cluster is authentication with a User Managed Identity assigned to an Azure Virtual Machine; the kubelogin binary then obtains the token from that identity, with no user interaction.
These are the steps to achieve this setup:
1. Create or update an AKS cluster with Azure AD RBAC integration by following the provided documentation
https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac
2. Create a User Managed Identity in the Azure Portal or with the CLI:
az identity create -g aad -n aadtest
In our case, it is named aadtest and is created in the aad Resource Group.
3. Create a VM that will be used as a Bastion host to connect to our AKS cluster.
4. In the VM/Identity blade, assign the previously created User Managed Identity to the VM:
5. In the AKS/IAM blade, assign the necessary roles to this identity so that it has the required permissions over the cluster. In our case, it will be the built-in role Azure Kubernetes Service RBAC Admin. Based on the requirements, the role could be more granular.
6. We need to install the necessary tools on the Virtual Machine. Hence, we'll connect to this resource through SSH/RDP and deploy the following packages:
- Initialize the OS repository. In our example, being Ubuntu, we'll issue:
sudo apt update
- Azure CLI — To interact with Azure resources in Subscription:
sudo apt install azure-cli
We need to log in to the Subscription with our previously created Identity (aadtest). For this we'll use the command az login with the identity's client-id as the username:
az login --identity --username "xxxxxxxx33cc34"
- We get the credentials to connect to our AKS Cluster:
az aks get-credentials -n aksrbac -g aad
- Installing kubectl and kubelogin binaries:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl
wget https://github.com/Azure/kubelogin/releases/download/v0.0.32/kubelogin-linux-amd64.zip
unzip ./kubelogin-linux-amd64.zip
We need to make sure that both binaries are placed in our PATH; for this we could move them, for example, into the /usr/bin directory (the zip extracts kubelogin to bin/linux_amd64/kubelogin). This step needs to be done as root (or with sudo).
7. At this point, we could connect to our AKS cluster, but on the first login we'd get an interactive session where the user needs to open a web browser and enter the device code for authentication. In order to make this step non-interactive, we'll instruct kubectl to use a kubeconfig in which kubelogin generates the token from our UMI client-id. For this, we'll use the following command:
kubelogin convert-kubeconfig -l msi --client-id xxxxxxxx33cc34
The new format of kubeconfig file will be as follows:
users:
- name: clusterUser_aad_aksrbac
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --login
      - msi
      - --server-id
      - xxxxx3630
      - --client-id
      - xxxxxcc34
      command: kubelogin
      env: null
      installHint: |2
        kubelogin is not installed which is required to connect to AAD enabled cluster.
        To learn more, please go to https://aka.ms/aks/kubelogin
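The conversion above is worth understanding as a data transformation, because the same check can be run on any kubeconfig copied onto a headless host. The following is an added example, not code from the original post or from the kubelogin project: it rewrites a kubeconfig user entry into the exec/msi shape shown above (the shape kubelogin convert-kubeconfig -l msi --client-id produces), then audits the result for things a defender cares about on a bastion: interactive login modes, static credentials or cached tokens written into the file, and an msi login that does not pin the user-assigned identity (kubelogin then falls back to the VM's system-assigned identity). All ids below are constructed placeholders, and the sample user entry is embedded as a Python dict; in practice it would come from yaml.safe_load on ~/.kube/config.

```python
import copy

# Constructed sample: the user entry `az aks get-credentials` writes for an
# Azure AD integrated cluster before conversion (exec form, interactive
# devicecode login). Here --client-id is the AKS client app id, not the UMI.
# All ids are placeholders, not values from the post.
DEVICECODE_USER = {
    "name": "clusterUser_aad_aksrbac",
    "user": {
        "exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "kubelogin",
            "args": ["get-token", "--environment", "AzurePublicCloud",
                     "--server-id", "SERVER-ID-PLACEHOLDER",
                     "--client-id", "AKS-CLIENT-APP-ID-PLACEHOLDER",
                     "--tenant-id", "TENANT-ID-PLACEHOLDER",
                     "--login", "devicecode"],
            "env": None,
            "installHint": "kubelogin is not installed which is required "
                           "to connect to AAD enabled cluster.\n",
        }
    },
}
UMI_CLIENT_ID = "UMI-CLIENT-ID-PLACEHOLDER"  # client id of the user-assigned identity


def exec_arg(args, flag):
    """Return the value that follows `flag` in an exec args list, or None."""
    for i, a in enumerate(args):
        if a == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def convert_user_to_msi(user_entry, client_id):
    """Rewrite a kubeconfig user so kubelogin fetches tokens via the VM's
    user-assigned managed identity. Returns a new entry; input is untouched."""
    entry = copy.deepcopy(user_entry)
    user = entry["user"]
    # The server id (AKS API server app id) is taken from the existing exec
    # args, or from the legacy auth-provider block if that is what is present.
    server_id = None
    if "exec" in user:
        server_id = exec_arg(user["exec"].get("args", []), "--server-id")
    elif "auth-provider" in user:
        server_id = user["auth-provider"].get("config", {}).get("apiserver-id")
    if not server_id:
        raise ValueError("cannot determine AKS server id from user entry")
    exec_block = user.get("exec", {})
    exec_block.update({
        "apiVersion": exec_block.get("apiVersion", "client.authentication.k8s.io/v1beta1"),
        "command": "kubelogin",
        "args": ["get-token", "--login", "msi",
                 "--server-id", server_id, "--client-id", client_id],
        "env": None,
    })
    # Drop the legacy block (and any tokens cached inside it) and static tokens.
    user.pop("auth-provider", None)
    user.pop("token", None)
    user["exec"] = exec_block
    return entry


def audit_user(user_entry):
    """Return a list of findings for a kubeconfig user on a headless host."""
    findings = []
    user = user_entry["user"]
    if "token" in user or "client-key-data" in user:
        findings.append("static credential embedded in kubeconfig")
    ap = user.get("auth-provider")
    if ap:
        findings.append("legacy auth-provider block (deprecated)")
        cfg = ap.get("config", {})
        if cfg.get("access-token") or cfg.get("refresh-token"):
            findings.append("cached AAD tokens stored on disk")
    ex = user.get("exec")
    if ex:
        args = ex.get("args", [])
        login = exec_arg(args, "--login")
        if login in (None, "devicecode", "interactive"):
            findings.append(f"interactive login mode: {login or 'default'}")
        if login == "msi" and not exec_arg(args, "--client-id"):
            findings.append("msi login without --client-id: falls back to "
                            "the system-assigned identity")
    return findings


if __name__ == "__main__":
    print("before:", audit_user(DEVICECODE_USER))
    converted = convert_user_to_msi(DEVICECODE_USER, UMI_CLIENT_ID)
    print("after :", audit_user(converted) or "no findings")
    print("args  :", converted["user"]["exec"]["args"])
```

Running it prints the devicecode finding for the original entry, no findings for the converted one, and the msi args list matching the kubeconfig shown above. The audit deliberately treats a missing --client-id as a finding: on a VM with both a system-assigned and a user-assigned identity, the role assigned in step 5 belongs to the UMI, so an unpinned msi login would authenticate as the wrong principal and fail authorization in a confusing way.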
In this way you can use the powerful features of Azure AD (Entra) across your AKS resources without interactive logins on the bastion host.