AKS RBAC #104
Comments
|
The links you provided are outdated. I manage to do almost everything stated in the previous links using Terraform, except the "Grant admin consent" part. It implies that you use the last version of the azuread provider (0.4.0). Then the part of the cluster creation: Then, the apply must go in two parts. First, create only the server and clients applications:
Now go on the Azure Portal and Grant admin consent manually (click click!) on both applications (the server, then the client). I didn't manage yet to find how to Terraform that step. I will let you know if I find. Then you can now apply to create everything:
Please let me know if I wasn't clear on some points. |
|
@dbourcet thank you so much for the detailed explanation! I am going to try to implement this right away! If this works as expected, then the issue can be marked as resolved, and sorry for the disturbance! |
|
My pleasure. If it doesn't work for you let me know, as it works for me. Also, if in the future you find a way to Terraform the "Grant admin consent" part, please think of me! |
|
Can confirm that @dbourcet's approach works. Just found out the same configuration (and issue with "Grant admin consent") yesterday. |
|
If you don't mind @dbourcet i am going to add this to the examples folder, please let me know if that's not ok! |
|
@dbourcet correct me if I'm wrong, I remember reading somewhere that it would be best practice to have a third Service Principal(SP) for the cluster's own usage, separate from the RBAC AD Client SP. In this case there would be three SPs in total:
So in terraform terms add the following: resource "azuread_application" "aks_cluster" {
name = "aks-${var.identifier}"
}
resource "azuread_service_principal" "aks_cluster" {
application_id = azuread_application.aks_cluster.application_id
}
resource "random_string" "aks_cluster_password" {
length = 16
special = false
keepers {
service_principal = azuread_service_principal.aks_cluster.id
}
}
resource "azuread_service_principal_password" "aks_cluster_passwod" {
service_principal_id = azuread_service_principal.aks_cluster.id
value = random_string.aks_cluster_password.result
end_date = timeadd(timestamp(), "87600h")
lifecycle {
ignore_changes = [
"end_date"]
}
}I highlighted with comments what would be changed in this case: resource "azurerm_kubernetes_cluster" "this" {
[...]
service_principal {
client_id = azuread_application.aks_cluster.id ############ HERE
client_secret = random_string.aks_cluster_password.result ############ HERE
}
role_based_access_control {
enabled = true
azure_active_directory {
client_app_id = "${azuread_application.client.application_id}"
server_app_id = "${azuread_application.server.application_id}"
server_app_secret = "${azuread_service_principal_password.server.value}"
}
}
}What do you think? |
|
@katbyte : I'm ok if you want to add it to the examples folder but you have to know, I copy/pasted those snippets and remove quickly some business related naming, so there is possibility that some variables/resources names does not match or even that my removal added here or there little syntax errors. Please ensure that this code is Terraform valid and working and tweak it here or there before adding it, to avoid mistakes. |
|
@matelang I didn't read somewhere that this is a best practice, but it doesn't matter: I find it best practice too, as it separate concerns and implements the least privilege principle. I didn't implemented it in my business, as I was in a hurry, so you are on your own if you want to try, but I will sure try one day to do it this way, as I find it more proper and elegant. |
|
@dbourcet I am going to try it as I'm implementing from scratch, if it works I'll confirm here! |
|
@katbyte I just created a project with Terraform files and some documentation: https://github.com/dbourcet/aks-rbac-azure-ad |
|
Some good work here chaps. The problem is not so much automation as security in my opinion. You have to have global admin to grant consent which means if you want to automate it, your pipeline needs god mode on your entire tenant. So for now there's still a manual step. |
|
I agree. As I don't want my pipeline to be in god mode, I am still stuck with the manual step of Granting consent by clicking in the Azure portal. My business needs allows me to include this manual step, but nevertheless it bothers me. |
|
@dbourcet we are dealing with this exact problem today, and are looking for a solution. What would even be the god mode solution? It doesn't look like service principals can grant consent, only users can? |
|
👋 I agree, great work here everyone. I have also been working on automating this workflow end-to-end using Terraform. @dbourcet I have tested it and the Configure Kubernetes RBAC section could also be implemented in Terraform using the kubernetes provider in a third run: Terraform Kubernetes Provider Cluster Role Binding @matelang I also have the same questions about that possible third service principal and I am interested in more info around the security of this. @jpreese The admin consent can now be granted via Azure CLI as opposed to the Azure Portal UI so I am investigating using that via local-exec but there is a chance this is still an out-of-band step that comes with security considerations:
|
|
@mocofound it can be done with the azure CLI, yes, but can it be done when you are logged in as a service principal? We would like to use a service principal to grant consent as this will be done in automation. |
|
@mocofound Using @matelang remark, we manage to configure RBAC with a third run: see this. @jpreese The god mode solution is using local-exec and a CLI call, as suggested by @mocofound, as you are authenticated with your user account when Terraform runs, but I don't understand yet either if this comes with security considerations. |
|
@dbourcet the issue is that we run terraform in automation, in a pipeline, logged in as a service amount. We're not logged in as a user. So until Microsoft allows that to happen we'll most likely need to run the manual step. |
|
It's indeed a bit weird having an extra manual step in the lifecycle of the project.
I know it's not nice, but this way I do not introduce anything "extra" in the DSL or local-exec, and 99% of the times there is no required intervention. Well, the 1% is still ugly :) Maybe it's off topic but do you have working example for terraform configuration for AKS to access a ACR (container registry)? |
|
There are two ways to access ACR. Using the AKS Service Principal, or with a kubernetes secret. https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks You can either use Terraform to apply the RBACpermissions to the ACR to allow the AKS SPN, or you can use the Terraform Kubernetes provider to inject the secret. |
|
Thanks @PirateBread, I'd prefer the solution to grant access to AKS to pull containers from ACR. I have a bit of confusion figuring out how the following script from the link you provided would translate into terraform. #!/bin/bash
AKS_RESOURCE_GROUP=myAKSResourceGroup
AKS_CLUSTER_NAME=myAKSCluster
ACR_RESOURCE_GROUP=myACRResourceGroup
ACR_NAME=myACRRegistry
# Get the id of the service principal configured for AKS
CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
# Get the ACR registry resource id
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)
# Create role assignment
az role assignment create --assignee $CLIENT_ID --role acrpull --scope $ACR_ID |
|
You would have to use this: https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html What this is doing is granting your AKS service principal the role of AcrPull over your ACR container registry. You can define the scope against just the individual ACR, the resource group, or the entire subscription, whatever you feel best meets your requirements. |
|
Thanks @PirateBread for the example. I am now enlightened, so I consider it done, since I guess there is nothing we could potentially do about the manual step anymore. |
|
Hello, What is the reason to do like:
It's seems like you want to do it manually not more. It' not improve security in fully automated pipelines. Why not allow to grant admin consent to who run TF script execution? If it allowed to deploy and run TF scripts there is no more security to wit till fail then manual grant and run again. |
|
Hi @lzadjsf, I am all in on having a fully automated solution but in my opinion there is no point adding a workaround for something that you are probably going to have to do just once - the app authorization. When proper support will be added to terraform I guess it makes total sense to have it also authorize the app, but this highly depends on the organization and the authority of the teams in your environment. I have seen orgs having priviliged teams / pipelines taking care of IAM. I hope I could clarify my point of view. |
|
I was able to create a workaround for this by adding a provisioner to the "azuread_service_principal" resource to run the grant command. This assumes that your terraform runner has the Azure CLI installed. |
|
After beating my head against this for some time, here is what I have that applies successfully, combining all examples above. My apologies for not clearing out our variable conventions. After this, we can no longer use kubectl and I'm not sure why. |
|
As has been discussed, you are able to use Terraform to configure the necessary app registrations, service principals and related API permissions to enable AAD RBAC for AKS (thanks @dbourcet and @matelang for the config examples!). The issue of requiring admin consent is generally considered best practise to perform out of band, by a human operator (and to this end you can only do this when authenticated as a user and not as a service principal). See https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent and https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-admin-consent This does present a workflow where manual steps are required, but there's not much more we can reasonably do here as it's by design. That said, I believe it's now possible to configure AAD integration using an AKS preview that doesn't require admin consent (caveat: I haven't tried it and it does say you will require new clusters) - see https://docs.microsoft.com/en-us/azure/aks/managed-aad Accordingly, I'm going to close this issue as resolved, but please feel free to comment if I have missed something. Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
ghost
locked and limited conversation to collaborators
Community Note
Description
The AzureRM provider enables you to define a managed Kubernetes cluster (AKS) on Azure.
There is a possibility to enable RBAC(Role Based Access Control) which tightly integrates Kubernetes' authentication and authorization with Azure Active Directory.
In order for that to be enabled you have to define the following block on the
azurerm_kubernetes_cluster:After some documentation I realized that there is no possibility to set this feature up end to end by using plain terraform.
The following blog post depicts how you need to create a server application, update its manifest, create and assign a client application to be able to set RBAC up correctly:
https://blog.jcorioland.io/archives/2018/11/20/azure-aks-kubernetes-rbac-azure-active-directory-terraform.html
Also there is a GitHub repository automating most of the above from the same author:
https://github.com/jcorioland/aks-rbac-azure-ad
Is it possible to add support for the AD related steps from the above installation scenario?
Thanks.
New or Affected Resource(s)
TBD
Potential Terraform Configuration
TBD
References
https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://github.com/jcorioland/aks-rbac-azure-ad
https://blog.jcorioland.io/archives/2018/11/20/azure-aks-kubernetes-rbac-azure-active-directory-terraform.html
The text was updated successfully, but these errors were encountered: