Azure RBAC for Kubernetes Authorization without Managed Azure AD integration

[Tetradeus]

What happened:
When we want to create a private cluster with a custom private Dns Zone, it looks like we cannot use Managed Azure AD integration. https://docs.microsoft.com/en-us/azure/aks/private-clusters#configure-private-dns-zone

If we want to use Azure RBAC for Kubernetes Authorization, we are forced to use Managed Azure AD principal.
https://docs.microsoft.com/en-us/azure/aks/manage-azure-rbac

Is this only a current preview limitation ? Would we be allowed to use Azure RBAC for Kubernetes Authorization with a non managed Azure AD principal or is there a real limitation ?

Environment:

• Kubernetes version 19
• Private Cluster with custom DNS zone
• Non managed azure ad principal

Hi Tetradeus, AKS bot here 👋
Thank you for posting on the AKS Repo, I'll do my best to get a kind human from the AKS team to assist you.

I might be just a bot, but I'm told my suggestions are normally quite good, as such:

1. If this case is urgent, please open a Support Request so that our 24/7 support team may help you faster.
2. Please abide by the AKS repo Guidelines and Code of Conduct.
3. If you're having an issue, could it be described on the AKS Troubleshooting guides or AKS Diagnostics?
4. Make sure your subscribed to the AKS Release Notes to keep up to date with all that's new on AKS.
5. Make sure there isn't a duplicate of this issue already reported. If there is, feel free to close this one and '+1' the existing issue.
6. If you have a question, do take a look at our AKS FAQ. We place the most common ones there!

[miwithro]

@Tetradeus no this works currently. You can deploy 1.19, with a private cluster integrated with Azure.

[Tetradeus]

Hi @miwithro , yes it works.
But when you want to use a custom private Dns zone (not system assigned), you cannot use System assigned managed identity.
I did not really understand why System assigned managed identity is required to use Azure RBAC for Kubernetes Authorization, so I wanted to know if we could allow/enable it without System assigned managed identity.

Thanks.

Triage required from @Azure/aks-pm

Action required from @Azure/aks-pm

[miwithro]

@Tetradeus this only works with User assigned Managed Identity.

[Tetradeus]

All right, so there is no plan to make it works without it ? I was not sure if it was heavily linked behind the scene.

[miwithro]

Correct. The main reason is customers won't know the object id of the system assigned identity before cluster creation, so the permission needed for BYO route table can't be granted before cluster creating, which will cause cluster creation error.

Triage required from @Azure/aks-pm