How to configure RBAC for human users in AKS without Azure AD integration
Azure currently recommends AAD integration with AKS when RBAC for human users is required.
Because AKS is a managed Kubernetes cluster, users cannot access the CA private key. To sign client certificates for individual users we can instead use the `certificates.k8s.io` API.
Note: The AKS version in this blog is v1.21.7.
Below are detailed steps.
1. Install cfssl (or openssl) in your local environment.
2. Create a private key and CSR for a user named `testuser1`:

```bash
cat <<EOF | cfssl genkey - | cfssljson -bare testuser1
{
  "CN": "testuser1",
  "key": {
    "algo": "rsa",
    "size": 4096
  }
}
EOF
```

This writes the private key to `testuser1-key.pem` and the CSR to `testuser1.csr`.
3. Send the CSR to the API server:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: testuser1
spec:
  request: $(cat testuser1.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
  signerName: kubernetes.io/kube-apiserver-client
EOF
```
4. Approve the CSR:

```bash
kubectl certificate approve testuser1
```
5. Download the issued certificate:

```bash
kubectl get csr testuser1 -o jsonpath='{.status.certificate}' | base64 -d > testuser1.pem
```
6. Configure the kubeconfig file (`<cluster-name>`, `<apiserver-url>` and `<ca.crt>` are placeholders for your cluster's values):

```bash
kubectl config set-cluster <cluster-name> --server=<apiserver-url> --certificate-authority=<ca.crt> --embed-certs=true
kubectl config set-credentials testuser1 --client-certificate=testuser1.pem --client-key=testuser1-key.pem --embed-certs=true
kubectl config set-context testuser1 --cluster=<cluster-name> --user=testuser1
kubectl config use-context testuser1
```
7. Configure RBAC.

Before RBAC is configured, the new user is authenticated but not authorised:

```bash
kubectl get po
```

```
Error from server (Forbidden): pods is forbidden: User "testuser1" cannot list resource "pods" in API group "" in the namespace "default"
```

After RBAC is configured (create the binding with your admin credentials, since testuser1 cannot create it):

```bash
kubectl create clusterrolebinding testuser1 --clusterrole=cluster-admin --user=testuser1
kubectl get po
```

```
No resources found in default namespace.
```
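Step 4 is the trust decision in this flow: once signed, the CSR's CN is the RBAC username and each O is a group, and nothing in the steps above inspects them before approval. The Go program below is an added example, not code from the original post or from AKS; it builds a CSR the way cfssl does in step 2 and vets a spec.request value the way an approver should before running kubectl certificate approve, offline and without a cluster. The function names newCSR and vetRequest and the rule of refusing `system:`-prefixed groups are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// newCSR stands in for the cfssl step: a spec.request value (base64 PEM CSR) whose subject is the identity.
func newCSR(cn string, groups []string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: groups}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})), nil
}

// vetRequest is the approver's check before `kubectl certificate approve`: decode spec.request and confirm the identity.
func vetRequest(request, wantUser string) error {
	raw, err := base64.StdEncoding.DecodeString(request)
	blk, _ := pem.Decode(raw) // pem.Decode returns nil for empty or non-PEM input
	if err != nil || blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("spec.request is not a base64-encoded PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return err
	}
	if csr.Subject.CommonName != wantUser { // the CN becomes the RBAC username verbatim
		return fmt.Errorf("CN %q is not the expected user %q", csr.Subject.CommonName, wantUser)
	}
	for _, g := range csr.Subject.Organization { // each O becomes a group; "system:" is reserved
		if strings.HasPrefix(g, "system:") {
			return fmt.Errorf("refusing reserved group %q", g)
		}
	}
	return nil
}
```

The same inspection can be done by hand with `kubectl get csr testuser1 -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject` before approving.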
Distributing the certificate and kubeconfig to each user takes some manual work, but the approach requires no AAD integration. Two caveats: Kubernetes cannot revoke an issued client certificate, so a departed user's certificate stays valid until it expires and access is withdrawn only by removing their (Cluster)RoleBindings; and the cluster-admin binding above is for demonstration, so bind a narrower Role or ClusterRole in practice.