Exercise Overview: This exercise focuses on setting up an Azure Kubernetes Service (AKS) cluster with Azure Active Directory (Azure AD) integration. Azure AD integration allows for user authentication, role-based access control (RBAC), and enhanced security within AKS.
Prerequisites:
- Azure CLI
- kubectl
- Azure AD Account
- Azure AD Group (Admins)
- Azure AD User (Normal User)
Creates an Azure Resource Group for organizing and managing resources.
az group create --location westeurope --resource-group demo-weu-rg
Generates a Service Principal for AKS with the necessary permissions.
az ad sp create-for-rbac --skip-assignment -n "spn-aks"
NOTE: Replace the placeholders in --subscription, --service-principal, and --client-secret with actual values (the service principal ID and secret are the appId and password printed by the az ad sp create-for-rbac command above).
Deploys an AKS cluster with specified configurations.
az aks create \
--location westeurope \
--subscription <Your-Subscription-ID> \
--resource-group demo-weu-rg \
--name <Your-AKS-Cluster-Name> \
--ssh-key-value $HOME/.ssh/id_rsa.pub \
--service-principal "<Your-Service-Principal-ID>" \
--client-secret "<Your-Client-Secret>" \
--network-plugin kubenet \
--load-balancer-sku standard \
--outbound-type loadBalancer \
--node-vm-size Standard_B2s \
--node-count 1 \
--tags 'ENV=Demo' 'OWNER=Corporation Inc.'
Create an empty Azure AD group named "AKS-Admin" to be used for AKS administrators.
az ad group create --display-name AKS-Admin --mail-nickname AKS-Admin
Update the AKS cluster to enable Azure AD integration and associate the AKS-Admin group with administrative privileges (replace PROVIDE_OBJECT_ID_FROM_AAD with the object ID of the AKS-Admin group created above; every member of that group receives cluster-admin rights).
az aks update -g demo-weu-rg -n <Your-AKS-Cluster-Name> --enable-aad --aad-admin-group-object-ids "PROVIDE_OBJECT_ID_FROM_AAD"
Retrieve the kubeconfig file for AKS cluster access.
az aks get-credentials \
--resource-group demo-weu-rg \
--name <Your-AKS-Cluster-Name>
Verify the availability and status of AKS cluster nodes.
kubectl get nodes
Check whether a user is a member of the AKS-Admin group; if the check returns false, add the user with az ad group member add. Membership in this group grants administrative privileges on the cluster, so keep it limited to actual administrators.
az ad group member check --group AKS-Admin --member-id "USER_OBJECT_ID"
Ensure that the user with admin privileges can access and manage AKS nodes.
kubectl get nodes
Retrieve the Azure AD user's object ID; this GUID is the subject name Kubernetes RBAC sees for the user, so it is what the ClusterRoleBinding below must reference. On Azure CLI 2.37 and later the property is returned as id instead of objectId, so adjust the --query accordingly.
USER_ID=$(az ad user show --id UR_USER_NAME@xxxx.onmicrosoft.com --query objectId --out tsv)
Apply ClusterRole and ClusterRoleBinding yaml files for role-based access control.
kubectl apply -f files/clusterrole.yaml
kubectl apply -f files/clusterrolebinding.yaml
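The exercise's files/clusterrole.yaml and files/clusterrolebinding.yaml are not shown here, so the following is an added example rather than the exercise's own manifests: a shell helper that renders a read-only ClusterRole and a ClusterRoleBinding whose subject is an Azure AD user object ID, and refuses anything that is not a GUID so a UPN is never bound by mistake. The role name aks-viewer, the resource list, and the placeholder GUID are assumptions.

```shell
#!/usr/bin/env sh
# With Azure AD integration enabled, AKS presents Azure AD users to
# Kubernetes RBAC by their object ID (a lowercase GUID), not by UPN.
# Assumed names: ClusterRole "aks-viewer", binding "aks-viewer-<guid>".
set -eu

# Returns 0 if $1 looks like an Azure AD object ID (lowercase GUID), 1 otherwise.
# Lowercase is required so the GUID is also a valid Kubernetes object name.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Prints a read-only ClusterRole plus a ClusterRoleBinding for the user
# object ID in $1. Fails (exit 1) if $1 is not a GUID.
render_viewer_binding() {
  subject="$1"
  is_guid "$subject" || { echo "not an Azure AD object ID: $subject" >&2; return 1; }
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aks-viewer
rules:
- apiGroups: [""]
  resources: ["nodes", "pods", "namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aks-viewer-${subject}
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: ${subject}
roleRef:
  kind: ClusterRole
  name: aks-viewer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Usage with a constructed placeholder GUID (replace with the USER_ID value):
# render_viewer_binding 11111111-2222-3333-4444-555555555555 | kubectl apply -f -
```

For an Azure AD group rather than a user, the subject kind becomes Group with the group's object ID as its name.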
Assign the Azure Kubernetes Service Cluster User Role to the specified user, allowing them to download AKS access credentials.
az login
AKS_ID=$(az aks show --resource-group demo-weu-rg --name <Your-AKS-Cluster-Name> --query id -o tsv)
USER_ID=$(az ad user show --id UR_USER_NAME@xxxx.onmicrosoft.com --query objectId --out tsv)
az role assignment create \
--assignee $USER_ID \
--role "Azure Kubernetes Service Cluster User Role" \
--scope $AKS_ID
Check that the user has proper access to the AKS cluster: sign in as that user and retrieve the credentials. The Azure Kubernetes Service Cluster User Role only permits downloading the kubeconfig; what the user can do inside the cluster is governed by the ClusterRoleBinding applied above.
az aks get-credentials \
--resource-group demo-weu-rg \
--name <Your-AKS-Cluster-Name>
Deletes the resource group and associated resources.
az group delete -n demo-weu-rg --yes --no-wait