How to configure RBAC for human user in AKS without Azure AD Integration

ShuangLu
2 min read · Jul 11, 2019


Azure currently recommends AAD integration for AKS when human users need RBAC-managed access.

Because AKS is a managed Kubernetes cluster, users cannot access the cluster CA private key. To issue client certificates for individual users, we can instead use the certificates.k8s.io API (a CertificateSigningRequest) and let the cluster sign the certificate for us.

Note: The AKS version in this blog is v1.21.7.

Below are detailed steps.

1. Install cfssl/openssl in your local environment.

2. Create a CSR and private key for the user named ‘testuser1’ (cfssljson writes testuser1.csr and testuser1-key.pem):

cat <<EOF | cfssl genkey - | cfssljson -bare testuser1
{
  "CN": "testuser1",
  "key": {
    "algo": "rsa",
    "size": 4096
  }
}
EOF

3. Send the CSR to the apiserver (YAML indentation matters here):

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: testuser1
spec:
  request: $(cat testuser1.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
  signerName: kubernetes.io/kube-apiserver-client
EOF

4. Get the CSR approved

kubectl certificate approve testuser1

5. Download the issued certificate

kubectl get csr testuser1 -o jsonpath='{.status.certificate}' | base64 -d > testuser1.pem

6. Configure the kubeconfig file (values in angle brackets are placeholders; the cluster name, server URL and CA certificate can be copied from the kubeconfig written by az aks get-credentials):

kubectl config set-cluster <aks-cluster-name> --server=<api-server-url> --certificate-authority=<ca-cert-file>

kubectl config set-credentials testuser1 --client-certificate=testuser1.pem --client-key=testuser1-key.pem

kubectl config set-context testuser1 --cluster=<aks-cluster-name> --user=testuser1

kubectl config use-context testuser1

7. Configure RBAC

Before RBAC is configured, the new user has no permissions:

kubectl get po
Error from server (Forbidden): pods is forbidden: User "testuser1" cannot list resource "pods" in API group "" in the namespace "default"

After RBAC is configured:

kubectl create clusterrolebinding testuser1 --clusterrole=cluster-admin --user=testuser1
kubectl get po
No resource found
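Step 4 is where an administrator should look before approving: Kubernetes takes the username from the certificate subject's CN and the groups from its O fields, so a request carrying O=system:masters would be cluster-admin whatever RBAC says. The script below is an added example, not from the post, that extracts CN and O from a PEM CSR with a minimal DER walker and reports why a request should not be approved; sample_csr_pem builds a constructed, unsigned CSR-shaped PEM only so it runs offline (real CSRs come from cfssl/openssl as in step 2).

```python
import base64

OID_CN = b"\x55\x04\x03"  # 2.5.4.3 commonName  -> Kubernetes username
OID_O = b"\x55\x04\x0a"   # 2.5.4.10 organizationName -> Kubernetes group

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(blob):
    pos = 0
    while pos < len(blob):
        tag, val, pos = _tlv(blob, pos)
        yield tag, val

def csr_subject(pem):
    """Return {'CN': [...], 'O': [...]} from a PEM PKCS#10 CSR such as testuser1.csr."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, csr, _ = _tlv(der, 0)                # CertificationRequest
    _, info, _ = _tlv(csr, 0)               # CertificationRequestInfo
    subject = list(_children(info))[1][1]   # fields: version, subject, subjectPKInfo, attributes
    out, names = {"CN": [], "O": []}, {OID_CN: "CN", OID_O: "O"}
    for _, rdn in _children(subject):       # each RDN is a SET of AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, value) = list(_children(atv))[:2]
            if oid in names:
                out[names[oid]].append(value.decode())
    return out

def approval_findings(subject, expected_user):
    """Reasons not to approve: CN is not the requested user, or O asks for a built-in system group."""
    findings = []
    if subject["CN"] != [expected_user]:
        findings.append(f"CN {subject['CN']} != expected user {expected_user!r}")
    findings += [f"O={g} requests a privileged system group" for g in subject["O"] if g.startswith("system:")]
    return findings

def _der(tag, body):  # short-form length only; enough for the constructed sample below
    return bytes([tag, len(body)]) + body

def sample_csr_pem(cn, orgs):
    """Constructed, unsigned CSR-shaped PEM so the check runs offline (real CSRs come from cfssl/openssl)."""
    atv = lambda oid, s: _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, s.encode())))
    subject = _der(0x30, atv(OID_CN, cn) + b"".join(atv(OID_O, o) for o in orgs))
    info = _der(0x30, _der(0x02, b"\x00") + subject + _der(0x30, b"") + _der(0xA0, b""))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.b64encode(_der(0x30, info)).decode()}\n-----END CERTIFICATE REQUEST-----\n"
```

On a live cluster, feed it the pending request with kubectl get csr testuser1 -o jsonpath='{.spec.request}' | base64 -d, which yields the same PEM that was submitted in step 3.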

Distributing the certificate and private key to each user takes some manual work, but the approach doesn't require AAD integration. Keep in mind that Kubernetes cannot revoke an issued client certificate, so access lasts until the certificate expires or its RBAC bindings are removed, and binding a user to cluster-admin as in the example above grants full control of the cluster; real users should be bound to a narrower Role or ClusterRole.

ShuangLu

Interested in CloudNative | CKA&Azure Associate Admin&ITIL | https://github.com/Shuanglu