
Preparing major changes on access-control-managed-azure-ad.md #118377

Closed
JoeyC-Dev opened this issue Dec 28, 2023 · 5 comments

Comments

@JoeyC-Dev
Contributor

JoeyC-Dev commented Dec 28, 2023

As defined in the article "Make major changes to Microsoft Learn documentation", "adding new images or updating images" is considered a major change. As defined in the "issue template", it is required to "submit an issue that describes the details of the proposed large change".
So this is why I am submitting this issue before actually making edits.

Proposed change:

  1. Update the outdated image under the section "Configure just-in-time cluster access with Microsoft Entra ID and AKS", which talks about how to use PIM.
  2. Add a section introducing how to level permissions (roles) in "apply (active)-approve" mode.
  3. Add a brief introduction on how to set a basic/default role for a group, then add an external link to the existing how-to tutorial.

If approved, I will submit a PR for it.


For change 1, since the name of the feature has already been changed, the screenshot should be updated accordingly. For example:
[image]

This will avoid confusion.


For changes 2 and 3, this proposal is based on a real scenario. When a user wants to set a base role and a privileged role for PIM, the user is very confused and has a hard time combining these concepts.
Meanwhile, in most situations, when a user wants to use PIM, an approver should be there. There is no introduction/steps or external link directly pointing to that, and this costs the user more time to discover it. I believe that for a newcomer who only knows AKS, it will be ridiculously hard to find the correct method to set it up. For example: it is hard to know that "set role settings" is the correct direction for setting a PIM approver, instead of this "approve" chapter.
[image]

Also, some details are hard for a general user to know: for example, kubelogin must be used to force a re-login, built-in roles do not give default access to scaling node pools, etc.

Hence, I believe some more steps should be added here. But since the content for these parts is way too much, I decided to create a new article to introduce it.
For the full content of the proposed change on 2 and 3, see: main...JoeyC-Dev:azure-docs:aks-pim-with-approver

Another justification for creating a new document instead of replacing: the content on PIM in the current document uses "active" to temporarily grant access. However, using the "eligible" method and setting an approver is common too. There should be two different articles introducing them in different ways. More obviously, the steps required to set up "apply-approve" mode are more than those for "temp-directly-grant" mode. It will be confusing if a user who only wants to set up "temp-directly-grant" mode sees the steps required for "apply-approve" mode (if both sets of steps are combined in one document).


In case you need to verify the last important note in the article, which is regarding PIM not being able to be set lower than 60 minutes for CLI tools:
[image]
(Note: I set the max duration of the PIM as 0.5 hours.)

This screenshot is to prove the content of the important note in my article:

[!IMPORTANT] Due to the design of token lifetime, if you are granting roles to users who use CLI tools like kubectl/kubelogin, the duration of activating (granting) roles during the approval process technically cannot be lower than 60 minutes. Even if the duration is set to 0.5 hours, the actual effective time is still between 60-75 minutes. This is because when kubelogin tries to get AAD tokens from the Microsoft identity platform, an access_token and a refresh_token are returned for further use. The access_token is used to make requests to the API, and the refresh_token is used to get a new access_token if the original one is invalid. The access_token cannot be revoked once generated. Only the refresh_token can be revoked.
To manually revoke the refresh_token, use Revoke-AzureADUserAllRefreshToken.


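To make the token-lifetime point in the note above concrete, here is an added example (not from this issue or from the Azure docs): it decodes the iat/exp claims of a kubelogin-style access token and compares them with the end of a PIM activation, showing how far the token outlives a 30-minute activation. The token is a constructed, unsigned sample; the 75-minute token lifetime and the 30-minute activation window are assumptions matching the scenario described in the note.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only suitable for inspecting lifetimes of a token you already hold
    (e.g. from kubelogin's token cache); never use it to trust a token.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def effective_access_window(jwt: str, activation_end: int) -> dict:
    """Compare a PIM activation end time (unix seconds) with the token's exp.

    The access_token stays valid until exp regardless of when the PIM
    activation ends, so the gap is the window a defender must expect.
    """
    claims = decode_claims(jwt)
    iat, exp = int(claims["iat"]), int(claims["exp"])
    return {
        "token_lifetime_min": (exp - iat) // 60,
        "outlives_activation_min": max(0, (exp - activation_end) // 60),
    }


def make_unsigned_sample_jwt(iat: int, lifetime_min: int) -> str:
    """Constructed sample token (alg 'none', empty signature) for demonstration."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iat": iat, "nbf": iat, "exp": iat + lifetime_min * 60,
               "aud": "example-audience"}  # placeholder audience, not a real app id
    return f"{_b64url_encode(json.dumps(header).encode())}." \
           f"{_b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    t0 = 1_700_000_000                         # constructed login time (unix seconds)
    token = make_unsigned_sample_jwt(t0, 75)   # assumed 75-minute access token
    print(effective_access_window(token, t0 + 30 * 60))  # assumed 0.5 h PIM activation
```

Run against a real token from kubelogin's cache only to read its exp; the gap reported is why the note recommends revoking the refresh_token rather than expecting the activation end to cut access immediately.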

@Naveenommi-MSFT
Contributor

@JoeyC-Dev
Thanks for your feedback! We will investigate and update as appropriate.

@Naveenommi-MSFT
Contributor

@MGoedtel
Could you please review and add comments on this, and update as appropriate.

@JoeyC-Dev
Contributor Author

JoeyC-Dev commented Dec 29, 2023

Update: content for the updates (not yet submitted)
main...JoeyC-Dev:azure-docs:aks-pim-with-approver

@Naveenommi-MSFT
Contributor

@JoeyC-Dev
Thank you for bringing this to our attention.
I've delegated this to content author @MGoedtel, who will review it and offer their insightful opinions.

@MGoedtel
Contributor

Taking this offline with Joey to coordinate and implement the recommended changes. Creating a work item to represent the work we'll be doing to update the article(s).
#please-close
