How to configure RBAC for human user in AKS without Azure AD Integration

2 min readJul 11, 2019


Currently Azure recommend to use AAD Integration with AKS if there is requirement for human user rbac management.

Since AKS is a managed kubernetes cluster, user won’t be able to get the access to the CA private key. If we want to sign client certificate for different user, we could use ‘

Note: The AKS version in this blog is v1.21.7.

Below are detailed steps.

  1. Install cfssl/openssl in your local environment
  2. We are going to create a CSR and private key for user named ‘testuser1’
cat <<EOF | cfssl genkey - | cfssljson -bare testuser1
"CN": "testuser1",
"key": {
"algo": "rsa",
"size": 4096

3. Send the CSR to apiserver

cat <<EOF | kubectl apply -f -
kind: CertificateSigningRequest
name: testuser1
request: $(cat testuser1.csr | base64 | tr -d '\n')
- digital signature
- key encipherment
- client auth

4. Get the CSR approved

kubectl certificate testuser1 apporve

5. Download the issued certificate

kubectl get csr testuser1-o jsonpath='{.status.certificate}' | base64 -d > testuser1.pem

6. Configure the kubeconfig file

kubectl config set-cluster

kubectl config set-credential

kubectl config set-context

7. Configure the rbac

Before we configure the rbac

kubectl get poError from server (Forbidden): pods is forbidden: User “testuser1” cannot list resource “pods” in API group “” in the namespace “default”

After we configure the rbac

kubectl create clusterrolebinding testuser1 --clusterrole=cluster-admin --user=testuser1kubectl get po 
No resource found

It needs some manual work to distribute the certificate to different user but doesn’t require AAD integration.




Interested in CloudNative | CKA&Azure Associate Admin&ITIL |