智慧物流>> aks-aad>> 返回
项目作者: michalswi

项目描述 :
POC for AKS secured by Azure Active Directory
高级语言: Shell
项目地址: git://github.com/michalswi/aks-aad.git
创建时间: 2020-04-17T12:15:48Z
项目社区:https://github.com/michalswi/aks-aad
开源协议:
下载


Azure Acitve Directory + AKS

AKS secured by Azure Active Directory base on MS Graph instead of AAD Graph.

Official Azure doc here.
Similar repo here but out-of-date..

AKS will be configured to use Azure AD for user authentication. In this configuration, you can sign in to an AKS cluster by using your Azure AD authentication token.

# manifest

Details are here and there.

  1. # "resourceAppId": "00000002-0000-0000-c000-000000000000"   >> refers to the Azure Active Directory Graph
  2. # "resourceAppId": "00000003-0000-0000-c000-000000000000"   >> refers to the Microsoft Graph API

More details which one is recommended is explained here.

MS Graph manifest is here.
Azure AD Graph manifest is here.

Server app is using by default MS Graph:

  1. --required-resource-accesses @manifest.json

# server app

Details are here.

  1. # load vars
  3. $ export AD_SERVER_APP_NAME="AKSAzureADServer" &&\
  4. export AD_SERVER_APP_URL="https://aksadserver" &&\
  5. export AD_SERVER_APP_SECRET="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')"
  8. # run and check the output
  10. $ ./server-ad-app.sh

scopes

For MS Graph:

permissions

[optional] For Azure AD Graph:

permissions_aad

# client app

Details are here.

  1. # load vars from the server script
  3. $ export AD_SERVER_APP_ID=<> &&\
  4. export AD_SERVER_APP_OAUTH2PERMISSIONS_ID=<> &&\
  5. export AD_SERVER_APP_SECRET=<>
  8. # load vars
  10. $ export AD_CLIENT_APP_NAME="AKSAzureADClient" &&\
  11. export AD_CLIENT_APP_URL="https://aksadclient"
  14. # run and check the 
  16. $ ./client-ad-app.sh

scopes

permissions

It’s optional, can be enabled/switched here.

permissions_optionals

# AKS

Details are here.

  1. # load vars from the client script
  3. export TF_VAR_rbac_server_app_id=<> &&\
  4. export TF_VAR_rbac_server_app_secret=<> &&\
  5. export TF_VAR_rbac_client_app_id=<>
  7. export TF_VAR_tenant_id=<> &&\
  8. export TF_VAR_client_id=<> &&\
  9. export TF_VAR_client_secret=<>
  11. cd ./aks
  12. terraform init
  13. terraform plan -out out.plan
  14. terraform apply out.plan

# RBAC

Details are here.

  2. # load env vars
  4. $ CLUSTER_NAME=aadk8s
  5. $ RESOURCE_GROUP_NAME=aadk8srg
  8. # create user
  10. $ az ad user create --display-name <display_name> --password <password> --user-principal-name <username>@<E-mail of LifeID>.onmicrosoft.com
  13. # ADMIN
  15. $ az aks get-credentials -n $CLUSTER_NAME -g $RESOURCE_GROUP_NAME --admin
  17. # edit 'rbac/rbac-aad-user.yaml' with your user: '<username>@<E-mail of LifeID>.onmicrosoft.com'
  18. $ k apply -f rbac/rbac-aad-user.yaml
  20. $ az aks get-credentials -n $CLUSTER_NAME -g $RESOURCE_GROUP_NAME
  23. # USER
  25. $ k get namespaces
  26. To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CSNWAJ34U to authenticate.
  27. NAME              STATUS   AGE
  28. default           Active   16m
  29. kube-node-lease   Active   16m
  30. kube-public       Active   16m
  31. kube-system       Active   16m
  33. $ k get pods
  34. No resources found in default namespace.