From f5be62730ef07751edd062437f22c6be5395f47d Mon Sep 17 00:00:00 2001
From: Jeff Kwan
Date: Thu, 11 Jan 2018 16:09:22 -0500
Subject: [PATCH] Updated documentation to include group usage (#2037)

Also added the groups OIDC claim
---
 docs/clusterdefinition.md | 1 +
 docs/kubernetes/aad.md | 9 +++++++--
 pkg/acsengine/defaults-apiserver.go | 1 +
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/docs/clusterdefinition.md b/docs/clusterdefinition.md
index 0e838bd6cb..cf43c6b9b8 100644
--- a/docs/clusterdefinition.md
+++ b/docs/clusterdefinition.md
@@ -325,6 +325,7 @@ Below is a list of apiserver options that are *not* currently user-configurable,
 |"--cloud-provider"|"azure" (*unless useCloudControllerManager is true*)|
 |"--cloud-config"|"/etc/kubernetes/azure.json" (*unless useCloudControllerManager is true*)|
 |"--oidc-username-claim"|"oid" (*if has AADProfile*)|
+|"--oidc-groups-claim"|"groups" (*if has AADProfile*)|
 |"--oidc-client-id"|*calculated value that represents OID client ID* (*if has AADProfile*)|
 |"--oidc-issuer-url"|*calculated value that represents OID issuer URL* (*if has AADProfile*)|
diff --git a/docs/kubernetes/aad.md b/docs/kubernetes/aad.md
index 4ff0b11cc0..bb703d36ae 100644
--- a/docs/kubernetes/aad.md
+++ b/docs/kubernetes/aad.md
@@ -8,7 +8,7 @@ Please also refer to [Azure Active Directory plugin for client authentication](h
 ## Prerequision
 1. An Azure Active Directory tenant, will refer as `AAD Tenant`. You can use the tenant for your Azure subscription;
-2. A `Web app / API` type AAD application, will refer as `Server Application`. This application represents the `apiserver`;
+2. A `Web app / API` type AAD application, will refer as `Server Application`. This application represents the `apiserver`; For groups to work properly, you'll need to edit the `Server Application` Manifest and set `groupMembershipClaims` to either `All` or `SecurityGroup`.
 3. A `Native` type AAD application, will refer as `Client Application`. This application is for user login via `kubectl`. You'll need to add delegated permission to `Server Application`, please see [troubleshooting](#loginpageerror) section for detail.
 ## Deployment
@@ -46,10 +46,15 @@ Following instructions are for turnning on RBAC manually together with AAD integ
 ```
 kubectl create clusterrolebinding aad-default-cluster-admin-binding --clusterrole=cluster-admin --user={UserName}
 ```
-For example, if your `IssuerUrl` is `https://sts.windows.net/e2917176-1632-47a0-ad18-671d485757a3/`, and your `ObjectID` is `22fa281b-bf62-4b14-972c-0dbca24a25a2`, the command would be:
+For example, if your `IssuerUrl` is `https://sts.windows.net/e2917176-1632-47a0-ad18-671d485757a3/`, and your User `ObjectID` is `22fa281b-bf62-4b14-972c-0dbca24a25a2`, the command would be:
 ```
 kubectl create clusterrolebinding aad-default-cluster-admin-binding --clusterrole=cluster-admin --user=https://sts.windows.net/e2917176-1632-47a0-ad18-671d485757a3/#22fa281b-bf62-4b14-972c-0dbca24a25a2
 ```
+4. (Optional) Add groups into your admin role
+For example, if your `IssuerUrl` is `https://sts.windows.net/e2917176-1632-47a0-ad18-671d485757a3/`, and your Group `ObjectID` is `7d04bcd3-3c48-49ab-a064-c0b7d69896da`, the command would be:
+```
+kubectl create clusterrolebinding aad-default-group-cluster-admin-binding --clusterrole=cluster-admin --group=7d04bcd3-3c48-49ab-a064-c0b7d69896da
+```
 4. Turn on RBAC on master nodes. On master nodes, edit `/etc/kubernetes/manifests/kube-apiserver.yaml`, add `--authorization-mode=RBAC` under `command` property. Reboot nodes.
diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go
index 39a75088a8..724efc099b 100644
--- a/pkg/acsengine/defaults-apiserver.go
+++ b/pkg/acsengine/defaults-apiserver.go
@@ -64,6 +64,7 @@ func setAPIServerConfig(cs *api.ContainerService) {
 // AAD configuration
 if cs.Properties.HasAadProfile() {
 staticLinuxAPIServerConfig["--oidc-username-claim"] = "oid"
+ staticLinuxAPIServerConfig["--oidc-groups-claim"] = "groups"
 staticLinuxAPIServerConfig["--oidc-client-id"] = "spn:" + cs.Properties.AADProfile.ServerAppID
 issuerHost := "sts.windows.net"
 if GetCloudTargetEnv(cs.Location) == "AzureChinaCloud" {
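Review bot: The new `--oidc-groups-claim` line passes the token's group identifiers straight through as Kubernetes group names, because no `--oidc-groups-prefix` is set next to it; the username claim on the line above only ends up namespaced (the `issuer#oid` form the docs use) because kube-apiserver applies a default prefix to non-email username claims, and it applies no such default to groups. Token-derived groups therefore share a namespace with cluster-internal groups such as `system:masters`; AAD group object IDs are GUIDs, so a clash is unlikely in practice, but the choice deserves a comment at the new line, e.g. `// Group object IDs are passed through unprefixed; bindings reference the raw GUID (see docs/kubernetes/aad.md).`, or a deliberate `--oidc-groups-prefix` with the doc example updated to match. As I understand AAD, the `groups` claim is also omitted entirely for users whose membership exceeds the token overage limit, so group-based bindings silently stop applying for them unless `groupMembershipClaims` is set and the overage case is handled; a short comment or a doc caveat would save an operator a confusing debugging session. The enclosing `if cs.Properties.HasAadProfile()` block and setAPIServerConfig continue outside the hunk.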