AKS setting up user/group RBAC
Wiring your Azure AD users and groups up to your AKS cluster is a good way to manage and secure access to cluster resources.
AKS comes with the built-in Kubernetes ClusterRoles that we can use, but I think many would end up creating their own special roles:
- cluster-admin
- admin
- edit
- view
A quick and dirty way to use an existing ClusterRole (if you just want to test some stuff out) is as follows:
Setting up by group
kubectl create clusterrolebinding <name of your cluster role binding> --clusterrole=view --group=<Azure AD group object ID>
Setting up by user
kubectl create clusterrolebinding <name of your cluster role binding> --clusterrole=view --user=<Azure AD user object ID>
A more formal way of doing it is to define a Role and a RoleBinding in YAML.
role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: dev
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]
Then define the RoleBinding that ties the Azure AD group to that Role in the dev namespace:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: groupObjectId   # the Azure AD group object ID; a Group subject takes no namespace field
And we're done!
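Before binding a Role like the one above to a real Azure AD group, it is worth checking what it actually grants: `resources: ["*"]` on the core group covers secrets as well as pods, and a RoleBinding only reaches the namespace it lives in. The following is an added example, not code from the post, that mirrors the Kubernetes RBAC matching rules (wildcards in apiGroups, resources and verbs) over the post's Role so you can answer "can this group do X in namespace Y" offline; the real check on a cluster is `kubectl auth can-i`.

```python
# Added example (not from the post): a minimal evaluator that applies the
# Kubernetes RBAC wildcard matching rules to the post's dev-user-full-access
# Role. It ignores subresources and resourceNames; use `kubectl auth can-i`
# against the cluster for the authoritative answer.
from typing import Dict, List

# The Role from the post, transcribed from its YAML.
DEV_ROLE = {
    "name": "dev-user-full-access",
    "rules": [
        {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
    ],
}

# namespace -> Roles bound to the Azure AD group there. A RoleBinding is
# namespace-scoped, so the Role only has effect inside "dev".
BINDINGS: Dict[str, List[dict]] = {"dev": [DEV_ROLE]}


def _matches(wanted: str, allowed: List[str]) -> bool:
    # "*" in a rule matches any value; otherwise an exact entry is required.
    return "*" in allowed or wanted in allowed


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """True if a single PolicyRule permits verb on resource in api_group."""
    return (_matches(api_group, rule["apiGroups"])
            and _matches(resource, rule["resources"])
            and _matches(verb, rule["verbs"]))


def can_i(namespace: str, api_group: str, resource: str, verb: str) -> bool:
    """True if any Role bound in `namespace` has a rule that allows the request.
    RBAC is purely additive: there are no deny rules, so one matching rule suffices."""
    for role in BINDINGS.get(namespace, []):
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    for ns, grp, res, verb in [("dev", "apps", "deployments", "delete"),
                               ("dev", "", "secrets", "get"),
                               ("dev", "rbac.authorization.k8s.io", "rolebindings", "create"),
                               ("prod", "", "pods", "list")]:
        print(f"{verb} {res}.{grp or 'core'} in {ns}: {can_i(ns, grp, res, verb)}")
```

On a live cluster the equivalent check is `kubectl auth can-i get secrets -n dev --as=<any user> --as-group=<Azure AD group object ID>`, which exercises the API server's own authorizer.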