Hi Andre,
Here is what I have found when setting up for the Azure AD authentication with Azure RBAC.
I did this:
- Created the cluster with this authentication option above
- Created a new AAD group named aks-admins.
- Added the aks-admins group to the Azure Kubernetes Service RBAC Cluster Admin role.
- Added two other groups, one for namespace admins (aks-blog-admins) and one for namespace users (aks-blog-users). Assigned these to the Azure Kubernetes Service Cluster User Role.
- I then decided to log in using my Azure admin subscription id. Just as a test, I decided to try to create a namespace. This is what I saw.
PS C:\Users\larrywa> kubectl create namespace blog
Unable to connect to the server: getting credentials: exec: executable kubelogin not found
It looks like you are trying to use a client-go credential plugin that is not installed.
To learn more about this feature, consult the documentation available at:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
- Did some reading, decided to go install kubelogin from https://github.com/Azure/kubelogin#setup.
- Added my external Hotmail account to the aks-blog-user group which should only have access to the blog namespace.
- When logging in to Azure in PowerShell, it told me that it could not authenticate and gave me other options like az login --tenant <mytenantId>. I tried this and logged in.
- It is interesting that now I find that my login can do anything in any namespace, not just the blog namespace.
Shouldn't my login only be able to do things in the blog namespace?
Thanks!
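The setup described in the message above, as an added example (not code from the original post or from Andre): the same cluster, group and role-assignment steps as az CLI calls from PowerShell, followed by two checks that show which role assignments the signed-in user actually holds (including ones inherited through group membership) and what the cluster lets that user do. The resource group name, cluster name and tenant ID are placeholders; the group names and the blog namespace are the ones from the post.

```powershell
# Added example, not from the original post. Assumed placeholders:
$rg      = "aks-rg"         # assumption: resource group name
$cluster = "aks-blog"       # assumption: cluster name
$tenant  = "<mytenantId>"   # placeholder, as written in the post

# 1. Create the cluster with Azure AD integration and Azure RBAC for Kubernetes authorization
az aks create --resource-group $rg --name $cluster `
    --enable-aad --enable-azure-rbac --generate-ssh-keys

# Resource ID of the cluster; role assignments below use it as their scope
$clusterId = az aks show --resource-group $rg --name $cluster --query id -o tsv

# 2. Create the three AAD groups named in the post (object IDs come back as "id" on current az versions)
$adminGroup = az ad group create --display-name aks-admins      --mail-nickname aks-admins      --query id -o tsv
$blogAdmins = az ad group create --display-name aks-blog-admins --mail-nickname aks-blog-admins --query id -o tsv
$blogUsers  = az ad group create --display-name aks-blog-users  --mail-nickname aks-blog-users  --query id -o tsv

# 3. Cluster-wide Kubernetes admin for aks-admins, scoped to the whole cluster
az role assignment create --assignee-object-id $adminGroup --assignee-principal-type Group `
    --role "Azure Kubernetes Service RBAC Cluster Admin" --scope $clusterId

# 4. Cluster User Role for the two blog groups. This role only allows fetching a user kubeconfig
#    (listClusterUserCredential); it carries no Kubernetes verbs of its own, so what the member can
#    do inside the cluster is decided by whatever "Azure Kubernetes Service RBAC ..." assignments
#    (or Kubernetes RoleBindings) they also hold.
foreach ($g in @($blogAdmins, $blogUsers)) {
    az role assignment create --assignee-object-id $g --assignee-principal-type Group `
        --role "Azure Kubernetes Service Cluster User Role" --scope $clusterId
}

# 5. Sign in as the test account, fetch the kubeconfig, and let kubelogin reuse the az CLI token
#    (kubelogin from https://github.com/Azure/kubelogin must already be on PATH)
az login --tenant $tenant
az aks get-credentials --resource-group $rg --name $cluster --overwrite-existing
kubelogin convert-kubeconfig -l azurecli

# Check A: every Azure role assignment the signed-in user holds, at any scope,
#          including assignments inherited transitively through group membership
$me = az ad signed-in-user show --query id -o tsv
az role assignment list --assignee $me --all --include-groups -o table

# Check B: what Kubernetes itself will allow this identity to do
kubectl auth can-i --list -n blog
kubectl auth can-i create namespaces
```

Run Check A first: if the table shows an assignment such as Owner or Azure Kubernetes Service RBAC Cluster Admin at subscription, resource-group or cluster scope for the account you are testing with (directly or via a group), Check B will report "yes" for cluster-wide actions regardless of which namespace you intended the account to be limited to.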