Merge pull request #229359 from schaffererin/rbac-k8s-authorization

denrea · web-flow · commit 019e8395a74d · 2023-03-06T16:27:12.000-08:00
Freshness pass and addressing GitIssues
diff --git a/articles/aks/csi-migrate-in-tree-volumes.md b/articles/aks/csi-migrate-in-tree-volumes.md
@@ -508,7 +508,7 @@ For more about storage best practices, see [Best practices for storage and backu
 
 <!-- LINKS - internal -->
 [install-azure-cli]: /cli/azure/install-azure-cli
-[aks-rbac-cluster-admin-role]: manage-azure-rbac.md#create-role-assignments-for-users-to-access-cluster
+[aks-rbac-cluster-admin-role]: manage-azure-rbac.md#create-role-assignments-for-users-to-access-the-cluster
 [azure-resource-locks]: ../azure-resource-manager/management/lock-resources.md
 [csi-driver-overview]: csi-storage-drivers.md
 [aks-storage-backups-best-practices]: operator-best-practices-storage.md
diff --git a/articles/aks/manage-azure-rbac.md b/articles/aks/manage-azure-rbac.md
@@ -1,58 +1,45 @@
 ---
-title: Manage Azure RBAC in Kubernetes From Azure
+title: Use Azure RBAC for Kubernetes Authorization
 titleSuffix: Azure Kubernetes Service
-description: Learn how to use Azure RBAC for Kubernetes Authorization with Azure Kubernetes Service (AKS).
+description: Learn how to use Azure role-based access control (Azure RBAC) for Kubernetes Authorization with Azure Kubernetes Service (AKS).
 ms.topic: article
-ms.date: 02/09/2021
+ms.date: 03/02/2023
 ms.author: jpalma
 author: palma21
 
 #Customer intent: As a cluster operator or developer, I want to learn how to leverage Azure RBAC permissions to authorize actions within the AKS cluster.
 ---
 
-# Use Azure RBAC for Kubernetes Authorization
+# Use Azure role-based access control for Kubernetes Authorization
 
-Today you can already leverage [integrated authentication between Azure Active Directory (Azure AD) and AKS](managed-aad.md). When enabled, this integration allows customers to use Azure AD users, groups, or service principals as subjects in Kubernetes RBAC, see more [here](azure-ad-rbac.md).
-This feature frees you from having to separately manage user identities and credentials for Kubernetes. However, you still have to set up and manage Azure RBAC and Kubernetes RBAC separately. For more details on authentication and authorization with RBAC on AKS, see [here](concepts-identity.md).
+When you leverage [integrated authentication between Azure Active Directory (Azure AD) and AKS](managed-aad.md), you can use Azure AD users, groups, or service principals as subjects in [Kubernetes role-based access control (Kubernetes RBAC)][kubernetes-rbac]. This feature frees you from having to separately manage user identities and credentials for Kubernetes. However, you still have to set up and manage Azure RBAC and Kubernetes RBAC separately.
 
-This document covers a new approach that allows for the unified management and access control across Azure Resources, AKS, and Kubernetes resources.
+This article covers how to use Azure RBAC for Kubernetes Authorization, which allows for the unified management and access control across Azure resources, AKS, and Kubernetes resources. For more information, see [Azure RBAC for Kubernetes Authorization][azure-rbac-kubernetes-rbac].
 
 ## Before you begin
 
-The ability to manage RBAC for Kubernetes resources from Azure gives you the choice to manage RBAC for the cluster resources either using Azure or native Kubernetes mechanisms. When enabled, Azure AD principals will be validated exclusively by Azure RBAC while regular Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC. For more details on authentication and authorization with RBAC on AKS, see [here](concepts-identity.md#azure-rbac-for-kubernetes-authorization).
+* You need the Azure CLI version 2.24.0 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+* You need `kubectl`, with a minimum version of [1.18.3](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1183).
+* You need managed Azure AD integration enabled on your cluster before you can add Azure RBAC for Kubernetes authorization. If you need to enable managed Azure AD integration, see [Use Azure AD in AKS](managed-aad.md).
+* If you have CRDs and are making custom role definitions, the only way to cover CRDs today is to use `Microsoft.ContainerService/managedClusters/*/read`. For the remaining objects, you can use the specific API groups, such as `Microsoft.ContainerService/apps/deployments/read`.
+* New role assignments can take up to five minutes to propagate and be updated by the authorization server.
+* This article requires that the Azure AD tenant configured for authentication is same as the tenant for the subscription that holds your AKS cluster.
 
-### Prerequisites
+## Create a new AKS cluster with managed Azure AD integration and Azure RBAC for Kubernetes Authorization
 
-- Ensure you have the Azure CLI version 2.24.0 or later
-- Ensure you have installed [kubectl v1.18.3+][az-aks-install-cli].
-
-### Limitations
-
-- Requires [Managed Azure AD integration](managed-aad.md).
-- Use [kubectl v1.18.3+][az-aks-install-cli].
-- If you have CRDs and are making custom role definitions, the only way to cover CRDs today is to provide `Microsoft.ContainerService/managedClusters/*/read`. AKS is working on providing more granular permissions for CRDs. For the remaining objects you can use the specific API Groups, for example: `Microsoft.ContainerService/apps/deployments/read`.
-- New role assignments can take up to 5min to propagate and be updated by the authorization server.
-- Requires the Azure AD tenant configured for authentication to be the same as the tenant for the subscription that holds the AKS cluster. 
-
-## Create a new cluster using Azure RBAC and managed Azure AD integration
-
-Create an AKS cluster by using the following CLI commands.
-
-Create an Azure resource group:
+Create an Azure resource group using the [`az group create`][az-group-create] command.
 
 ```azurecli-interactive
-# Create an Azure resource group
 az group create --name myResourceGroup --location westus2
 ```
 
-Create the AKS cluster with managed Azure AD integration and Azure RBAC for Kubernetes Authorization.
+Create an AKS cluster with managed Azure AD integration and Azure RBAC for Kubernetes Authorization using the [`az aks create`][az-aks-create] command.
 
 ```azurecli-interactive
-# Create an AKS-managed Azure AD cluster
-az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac
+az aks create -g myResourceGroup -n myManagedCluster --enable-aad --enable-azure-rbac
 ```
 
-A successful creation of a cluster with Azure AD integration and Azure RBAC for Kubernetes Authorization has the following section in the response body:
+The output will look similar to the following example output:
 
 ```json
 "AADProfile": {
@@ -63,68 +50,62 @@ A successful creation of a cluster with Azure AD integration and Azure RBAC for
     "serverAppId": null,
     "serverAppSecret": null,
     "tenantId": "****-****-****-****-****"
-  }
+}
 ```
 
-## Integrate Azure RBAC into an existing cluster
+## Enable Azure RBAC on an existing AKS cluster
 
-> [!NOTE]
-> To use Azure RBAC for Kubernetes Authorization, Azure Active Directory integration must be enabled on your cluster. For more, see [Azure Active Directory integration][managed-aad].
-
-To add Azure RBAC for Kubernetes Authorization into an existing AKS cluster, use the [az aks update][az-aks-update] command with the flag `enable-azure-rbac`.
+Add Azure RBAC for Kubernetes Authorization into an existing AKS cluster using the [`az aks update`][az-aks-update] command with the `enable-azure-rbac` flag.
 
 ```azurecli-interactive
 az aks update -g myResourceGroup -n myAKSCluster --enable-azure-rbac
 ```
-To remove Azure RBAC for Kubernetes Authorization from an existing AKS cluster, use the [az aks update][az-aks-update] command with the flag `disable-azure-rbac`.
+
+## Disable Azure RBAC for Kubernetes Authorization from an AKS cluster
+
+Remove Azure RBAC for Kubernetes Authorization from an existing AKS cluster using the [`az aks update`][az-aks-update] command with the `disable-azure-rbac` flag.
 
 ```azurecli-interactive
 az aks update -g myResourceGroup -n myAKSCluster --disable-azure-rbac
 ```
 
-## Create role assignments for users to access cluster
-
-AKS provides the following four built-in roles:
+## Create role assignments for users to access the cluster
 
+AKS provides the following built-in roles:
 
 | Role                                | Description  |
 |-------------------------------------|--------------|
-| Azure  Kubernetes Service RBAC Reader  | Allows read-only access to see most objects in a namespace. It doesn't allow viewing roles or role bindings. This role doesn't allow viewing `Secrets`, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation)  |
-| Azure Kubernetes Service RBAC  Writer | Allows read/write access to most objects in a namespace. This role doesn't allow viewing or modifying roles or role bindings. However, this role allows accessing `Secrets` and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. |
+| Azure Kubernetes Service RBAC Reader  | Allows read-only access to see most objects in a namespace. It doesn't allow viewing roles or role bindings. This role doesn't allow viewing `Secrets`, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  |
+| Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role doesn't allow viewing or modifying roles or role bindings. However, this role allows accessing `Secrets` and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. |
 | Azure Kubernetes Service RBAC Admin  | Allows admin access, intended to be granted within a namespace. Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace. This role doesn't allow write access to resource quota or to the namespace itself. |
 | Azure Kubernetes Service RBAC Cluster Admin  | Allows super-user access to perform any action on any resource. It gives full control over every resource in the cluster and in all namespaces. |
 
+Roles assignments scoped to the **entire AKS cluster** can be done either on the Access Control (IAM) blade of the cluster resource on Azure portal or by using the following Azure CLI commands:
 
-Roles assignments scoped to the **entire AKS cluster** can be done either on the Access Control (IAM) blade of the cluster resource on Azure portal or by using Azure CLI commands as shown below:
+Get your AKS resource ID using the [`az aks show`][az-aks-show] command.
 
 ```azurecli
-# Get your AKS Resource ID
-AKS_ID=$(az aks show -g MyResourceGroup -n MyManagedCluster --query id -o tsv)
+AKS_ID=$(az aks show -g myResourceGroup -n myManagedCluster --query id -o tsv)
 ```
 
-```azurecli-interactive
-az role assignment create --role "Azure Kubernetes Service RBAC Admin" --assignee <AAD-ENTITY-ID> --scope $AKS_ID
-```
-
-where `<AAD-ENTITY-ID>` could be a username (for example, user@contoso.com) or even the ClientID of a service principal.
-
-You can also create role assignments scoped to a specific **namespace** within the cluster:
+Create a role assignment using the [`az role assignment create`][az-role-assignment-create] command. `<AAD-ENTITY-ID>` can be a username or the client ID of a service principal.
 
 ```azurecli-interactive
-az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID/namespaces/<namespace-name>
+az role assignment create --role "Azure Kubernetes Service RBAC Admin" --assignee <AAD-ENTITY-ID> --scope $AKS_ID
 ```
 
-Today, role assignments scoped to namespaces need to be configured via Azure CLI.
-
-
-### Create custom roles definitions
-
-Optionally you may choose to create your own role definition and then assign as above.
+> [!NOTE]
+> You can create the *Azure Kubernetes Service RBAC Reader* and *Azure Kubernetes Service RBAC Writer* role assignments scoped to a specific namespace within the cluster using the [`az role assignment create`][az-role-assignment-create] command and setting the scope to the desired namespace.
+>
+> ```azurecli-interactive
+> az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID/namespaces/<namespace-name>
+> ```
 
-Below is an example of a role definition that allows a user to only read deployments and nothing else. You can check the full list of possible actions [here](../role-based-access-control/resource-provider-operations.md#microsoftcontainerservice).
+## Create custom roles definitions
 
+The following example custom role definition allows a user to only read deployments and nothing else. For the full list of possible actions, see [Microsoft.ContainerService operations](../role-based-access-control/resource-provider-operations.md#microsoftcontainerservice).
 
-Copy the below json into a file called `deploy-view.json`.
+To create your own custom role definitions, copy the following file, replacing `<YOUR SUBSCRIPTION ID>` with your own subscription ID, and then save it as `deploy-view.json`.
 
 ```json
 {
@@ -142,47 +123,27 @@ Copy the below json into a file called `deploy-view.json`.
 }
 ```
 
-Replace `<YOUR SUBSCRIPTION ID>` by the ID from your subscription, which you can get by running:
-
-```azurecli-interactive
-az account show --query id -o tsv
-```
-
-Now we can create the role definition by running the below command from the folder where you saved `deploy-view.json`:
+Create the role definition using the [`az role definition create`][az-role-definition-create] command, setting the `--role-definition` to the `deploy-view.json` file you created in the previous step.
 
 ```azurecli-interactive
 az role definition create --role-definition @deploy-view.json 
 ```
 
-Now that you have your role definition, you can assign it to a user or other identity by running:
+Assign the role definition to a user or other identity using the [`az role assignment create`][az-role-assignment-create] command.
 
 ```azurecli-interactive
 az role assignment create --role "AKS Deployment Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID
 ```
 
 ## Use Azure RBAC for Kubernetes Authorization with `kubectl`
 
-> [!NOTE]
-> Ensure you have the latest kubectl by running the below command:
->
-> ```azurecli-interactive
-> az aks install-cli
-> ```
->
-> You might need to run it with `sudo` privileges.
-
-Now that you have assigned your desired role and permissions. You can start calling the Kubernetes API, for example, from `kubectl`.
-
-For this purpose, let's first get the cluster's kubeconfig using the below command:
+Make sure you have the [Azure Kubernetes Service Cluster User](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-user-role) built-in role, and then get the kubeconfig of your AKS cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.
 
 ```azurecli-interactive
-az aks get-credentials -g MyResourceGroup -n MyManagedCluster
+az aks get-credentials -g myResourceGroup -n myManagedCluster
 ```
 
-> [!IMPORTANT]
-> You'll need the [Azure Kubernetes Service Cluster User](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-user-role) built-in role to perform the step above.
-
-Now, you can use kubectl to, for example,  list the nodes in the cluster. The first time you run it you'll need to sign in, and subsequent commands will use the respective access token.
+Now, you can use `kubectl` manage your cluster. For example, you can list the nodes in your cluster using `kubectl get nodes`. The first time you run it, you'll need to sign in, as shown in the following example:
 
 ```azurecli-interactive
 kubectl get nodes
@@ -194,19 +155,18 @@ aks-nodepool1-93451573-vmss000001   Ready    agent   3h6m   v1.15.11
 aks-nodepool1-93451573-vmss000002   Ready    agent   3h6m   v1.15.11
 ```
 
-
 ## Use Azure RBAC for Kubernetes Authorization with `kubelogin`
 
-To unblock additional scenarios like non-interactive logins, older `kubectl` versions or leveraging SSO across multiple clusters without the need to sign in to new cluster, granted that your token is still valid, AKS created an exec plugin called [`kubelogin`](https://github.com/Azure/kubelogin).
+AKS created the [`kubelogin`](https://github.com/Azure/kubelogin) plugin to help unblock additional scenarios, such as non-interactive logins, older `kubectl` versions, or leveraging SSO across multiple clusters without the need to sign in to a new cluster.
 
-You can use it by running:
+You can use the `kubelogin` plugin by running the following command:
 
 ```bash
 export KUBECONFIG=/path/to/kubeconfig
 kubelogin convert-kubeconfig
-``` 
+```
 
-The first time, you'll have to sign in interactively like with regular kubectl, but afterwards you'll no longer need to, even for new Azure AD clusters (as long as your token is still valid).
+Similar to `kubectl`, you need to log in the first time you run it, as shown in the following example:
 
 ```bash
 kubectl get nodes
@@ -218,38 +178,37 @@ aks-nodepool1-93451573-vmss000001   Ready    agent   3h6m   v1.15.11
 aks-nodepool1-93451573-vmss000002   Ready    agent   3h6m   v1.15.11
 ```
 
-## Clean up
+## Clean up resources
 
-### Clean Role assignment
+### Delete role assignment
 
 ```azurecli-interactive
+# List role assignments
 az role assignment list --scope $AKS_ID --query [].id -o tsv
-```
 
-Copy the ID or IDs from all the assignments you did and then.
-
-```azurecli-interactive
+# Delete role assignments
 az role assignment delete --ids <LIST OF ASSIGNMENT IDS>
 ```
 
-### Clean up role definition
+### Delete role definition
 
 ```azurecli-interactive
 az role definition delete -n "AKS Deployment Reader"
 ```
 
-### Delete cluster and resource group
+### Delete resource group and AKS cluster
 
 ```azurecli-interactive
-az group delete -n MyResourceGroup
+az group delete -n myResourceGroup
 ```
 
 ## Next steps
 
-- Read more about AKS Authentication, Authorization, Kubernetes RBAC, and Azure RBAC [here](concepts-identity.md).
-- Read more about Azure RBAC [here](../role-based-access-control/overview.md).
-- Read more about the all the actions you can use to granularly define custom Azure roles for Kubernetes authorization [here](../role-based-access-control/resource-provider-operations.md#microsoftcontainerservice).
+To learn more about AKS authentication, authorization, Kubernetes RBAC, and Azure RBAC, see:
 
+* [Access and identity options for AKS](/concepts-identity.md)
+* [What is Azure RBAC?](../role-based-access-control/overview.md)
+* [Microsoft.ContainerService operations](../role-based-access-control/resource-provider-operations.md#microsoftcontainerservice)
 
 <!-- LINKS - Internal -->
 [aks-support-policies]: support-policies.md
@@ -259,6 +218,15 @@ az group delete -n MyResourceGroup
 [az-feature-list]: /cli/azure/feature#az_feature_list
 [az-feature-register]: /cli/azure/feature#az_feature_register
 [az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
 [az-provider-register]: /cli/azure/provider#az_provider_register
+[az-group-create]: /cli/azure/group#az_group_create
 [az-aks-update]: /cli/azure/aks#az_aks_update
 [managed-aad]: ./managed-aad.md
+[install-azure-cli]: /cli/azure/install-azure-cli
+[az-role-definition-create]: /cli/azure/role/definition#az_role_definition_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get-credentials
+[kubernetes-rbac]: /concepts-identity#azure-rbac-for-kubernetes-authorization
+[azure-rbac-kubernetes-rbac]: /concepts-identity#azure-rbac-for-kubernetes-authorization
