Logging AAD username of AKS-AAD integrated Clusters
1. Create an AAD Group in Azure Active Directory. We take the ObjectId of this Group, as we'll need it later at cluster creation time.
2. We create an AKS-AAD integrated cluster for testing purposes with the Azure CLI:
az aks create -g aad -n aad --enable-aad --aad-admin-group-object-ids 7938ded3-6d6d-4116-b5d0-8ac7f734ec68 --aad-tenant-id 716e7f5b-8914-47f5-85f0-84db07e6xxxx --enable-azure-rbac --node-count 1 --generate-ssh-keys
3. Create an AAD User and assign it to the aksadmin Group.
4. Assign permissions for the respective Group:
AKS_ID=$(az aks show --resource-group aad --name aad --query id -o tsv)
az role assignment create --assignee 7938ded3-6d6d-4116-b5d0-8ac7f734ec68 --role "Azure Kubernetes Service Cluster User Role" --scope $AKS_ID
5. Create a Role/RoleBinding for that cluster. For this step, we need to get credentials for the admin user (az aks get-credentials -n aad -g aad --admin):
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: default
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: 7938ded3-6d6d-4116-b5d0-8ac7f734ec68
6. Log in with the AAD User (aksdev@…onmicrosoft.com) and execute some operations at the cluster level; in our case we ran a test nginx Pod.
7. We assume that we enabled the kube-audit and kube-audit-admin settings in Log Analytics for this AKS Cluster.
Execute the following Kusto query:
AzureDiagnostics
| where log_s contains "nginx"
| where log_s contains "aksdev"
or
AzureDiagnostics
| where TimeGenerated > ago(4h)
| where Category contains 'kube-audit'
| project TimeGenerated, Category, pod=tostring(pod_s), log=tostring(log_s)
| where log contains "ResponseComplete"
| extend audit=parse_json(log)
| project TimeGenerated, pod, requestURI=tostring(audit.requestURI), verb=tostring(audit.verb), status=tostring(audit.responseStatus.code), userAgent=tostring(audit.userAgent), user=tostring(audit.user.username), latency=datetime_diff('millisecond', todatetime(audit.stageTimestamp), todatetime(audit.requestReceivedTimestamp)), audit
| where user !in ("aksService", "masterclient", "nodeclient")
| sort by TimeGenerated asc
| summarize count() by user, userAgent
In the log_s field of the result you will find the user that executed the operation.
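The second Kusto query above does four things to the raw kube-audit records: it parses the JSON in log_s, keeps only ResponseComplete events, drops the AKS system identities (aksService, masterclient, nodeclient) and counts requests per user and userAgent. The following Python script, added here as an example and not part of the original post, reproduces that pipeline offline over a handful of constructed audit events, so you can check what the query will surface (including the latency calculation) before running it in Log Analytics. The tenant name, pod names, client versions and timestamps in the sample records are made up; the record field names (stage, requestURI, verb, userAgent, user.username, responseStatus.code, requestReceivedTimestamp, stageTimestamp) are the ones the Kubernetes audit event carries and the query projects.

```python
"""Offline equivalent of the kube-audit Kusto query: parse audit events from
the log_s column, keep ResponseComplete records, drop AKS system identities
and count requests per (user, userAgent)."""
import json
from collections import Counter
from datetime import datetime

# Identities the Kusto query removes with `where user !in (...)`.
SYSTEM_USERS = {"aksService", "masterclient", "nodeclient"}

# Constructed sample log_s values (hypothetical tenant, pods and versions).
# Real records carry many more fields; only those the query uses are set.
SAMPLE_LOG_S = [
    json.dumps({
        "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/default/pods",
        "verb": "create",
        "userAgent": "kubectl/v1.27.3 (linux/amd64)",
        "user": {"username": "aksdev@EXAMPLE-TENANT.onmicrosoft.com",
                 "groups": ["system:authenticated"]},
        "responseStatus": {"code": 201},
        "requestReceivedTimestamp": "2023-06-01T10:00:00.000000Z",
        "stageTimestamp": "2023-06-01T10:00:00.120000Z",
    }),
    # Same request at an earlier audit stage: the query filters this out.
    json.dumps({
        "stage": "RequestReceived",
        "requestURI": "/api/v1/namespaces/default/pods",
        "verb": "create",
        "userAgent": "kubectl/v1.27.3 (linux/amd64)",
        "user": {"username": "aksdev@EXAMPLE-TENANT.onmicrosoft.com"},
        "requestReceivedTimestamp": "2023-06-01T10:00:00.000000Z",
        "stageTimestamp": "2023-06-01T10:00:00.000000Z",
    }),
    # Control-plane and kubelet traffic that the `!in` clause excludes.
    json.dumps({
        "stage": "ResponseComplete",
        "requestURI": "/api/v1/endpoints",
        "verb": "list",
        "userAgent": "kube-controller-manager/v1.27.3",
        "user": {"username": "masterclient"},
        "responseStatus": {"code": 200},
        "requestReceivedTimestamp": "2023-06-01T10:00:01.000000Z",
        "stageTimestamp": "2023-06-01T10:00:01.005000Z",
    }),
    json.dumps({
        "stage": "ResponseComplete",
        "requestURI": "/api/v1/nodes/aks-nodepool1-0",
        "verb": "get",
        "userAgent": "kubelet/v1.27.3",
        "user": {"username": "nodeclient"},
        "responseStatus": {"code": 200},
        "requestReceivedTimestamp": "2023-06-01T10:00:02.000000Z",
        "stageTimestamp": "2023-06-01T10:00:02.003000Z",
    }),
    json.dumps({
        "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/default/pods/nginx",
        "verb": "delete",
        "userAgent": "kubectl/v1.27.3 (linux/amd64)",
        "user": {"username": "aksdev@EXAMPLE-TENANT.onmicrosoft.com"},
        "responseStatus": {"code": 200},
        "requestReceivedTimestamp": "2023-06-01T10:05:00.000000Z",
        "stageTimestamp": "2023-06-01T10:05:00.050000Z",
    }),
    # A non-JSON line, as parse_json() would yield nothing useful for it.
    "I0601 10:05:01 audit.go: plain text line, not an audit event",
]


def parse_timestamp(value):
    """Parse the RFC 3339 timestamps kube-audit writes (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def project_audit_row(log_s):
    """Mirror the query's parse_json/project step for one log_s value.
    Returns None for lines that are not JSON or not ResponseComplete."""
    try:
        audit = json.loads(log_s)
    except json.JSONDecodeError:
        return None
    if audit.get("stage") != "ResponseComplete":
        return None
    received = parse_timestamp(audit["requestReceivedTimestamp"])
    completed = parse_timestamp(audit["stageTimestamp"])
    return {
        "requestURI": audit.get("requestURI", ""),
        "verb": audit.get("verb", ""),
        "status": str(audit.get("responseStatus", {}).get("code", "")),
        "userAgent": audit.get("userAgent", ""),
        "user": audit.get("user", {}).get("username", ""),
        # datetime_diff('millisecond', stageTimestamp, requestReceivedTimestamp)
        "latency_ms": round((completed - received).total_seconds() * 1000),
    }


def summarize_by_user(log_lines, exclude=SYSTEM_USERS):
    """`summarize count() by user, userAgent` after the system-user filter."""
    counts = Counter()
    for line in log_lines:
        row = project_audit_row(line)
        if row is None or row["user"] in exclude:
            continue
        counts[(row["user"], row["userAgent"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, agent), n in summarize_by_user(SAMPLE_LOG_S).items():
        print(f"{n:4d}  {user}  {agent}")
```

The stage check uses the `stage` field rather than a substring match on the whole record, which is what the query's `contains "ResponseComplete"` approximates; both give the same result on well-formed events. Each row produced by project_audit_row carries the same columns as the query's second `project`, so the same script can be pointed at an exported CSV of the log_s column when you want to verify a finding locally.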