| 1 | +--- |
| 2 | +title: Use Azure AD v2.0 in Azure Kubernetes Service |
| 3 | +description: Learn how to use Azure AD v2.0 in Azure Kubernetes Service (AKS) |
| 4 | +services: container-service |
| 5 | +manager: gwallace |
| 6 | +ms.topic: article |
| 7 | +ms.date: 03/24/2020 |
| 8 | +--- |
| 9 | + |
| 10 | +# Integrate Azure AD v2.0 in Azure Kubernetes Service (Preview) |
| 11 | + |
| 12 | +> [!Note] |
| 13 | +> Existing Azure AD v1.0 clusters are not affected by the new Azure AD v2.0 feature for Azure Kubernetes Service (AKS). |
| 14 | +
| 15 | +Azure AD v2.0 is designed to simplify the Azure AD v1.0 experience, where users were required to create a client app, a server app, and required the Azure AD tenant to grant Directory Read permissions. |
| 16 | +In the new version, the AKS resource provider manages the client and server apps for you. Instead of using a persistent "Application Permission," the AKS resource provider uses a "Delegated Permission" via an on-behalf-of flow to get an access token to Graph API. Azure AD v2.0 enabled clusters use a limited scoped Graph API privilege (GroupMembers.Read.All) to query group membership only when the overage indicator is present (when there are more than 250 group claims). |
| 17 | + |
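Review bot: the Graph scope at line 16 is written `GroupMembers.Read.All`, but the Microsoft Graph delegated permission is `GroupMember.Read.All` (singular), and the "more than 250 group claims" figure should be checked against the group-overage threshold Azure AD documents for JWT tokens (200 groups in the current Azure AD docs); please verify both before this ships, since readers will look for that exact permission name when reviewing consent. While editing that paragraph, the security-relevant point deserves one explicit sentence: because the token is obtained on-behalf-of the signed-in user with a delegated permission, the resource provider can only read group membership that user is allowed to read, and it only does so on the overage path, which is the reason the v1.0 tenant-wide Directory Read grant is no longer needed. Line 15 also reads awkwardly ("where users were required to create ... and required the Azure AD tenant to grant"); suggest "where users had to create a client app and a server app, and the Azure AD tenant had to grant Directory Read permissions."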
| 18 | +## Limitations |
| 19 | + |
| 20 | +* You can't currently upgrade an existing Azure AD v1.0 cluster to Azure AD v2.0. |
| 21 | + |
| 22 | +> [!IMPORTANT] |
| 23 | +> AKS preview features are available on a self-service, opt-in basis. Previews are provided "as-is" and "as available," and are excluded from the Service Level Agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features are not meant for production use. For more information, see the following support articles: |
| 24 | +> |
| 25 | +> - [AKS Support Policies](support-policies.md) |
| 26 | +> - [Azure Support FAQ](faq.md) |
| 27 | +
| 28 | +## Before you begin |
| 29 | + |
| 30 | +You must have the following resources installed: |
| 31 | + |
| 32 | +- The Azure CLI, version 2.2.0 or later |
| 33 | +- The aks-preview 0.4.38 extension |
| 34 | +- Kubectl with a minimum version of [1.18 beta](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#client-binaries) |
| 35 | + |
| 36 | +To install/update the aks-preview extension or later, use the following Azure CLI commands: |
| 37 | + |
| 38 | +```azurecli |
| 39 | +az extension add --name aks-preview |
| 40 | +az extension list |
| 41 | +``` |
| 42 | + |
| 43 | +```azurecli |
| 44 | +az extension update --name aks-preview |
| 45 | +az extension list |
| 46 | +``` |
| 47 | + |
| 48 | +To install kubectl, use the following |
| 49 | +```azurecli |
| 50 | +curl -LO "https://storage.googleapis.com/kubernetes-release/release/v1.18.0-beta.2/bin/darwin/amd64/kubectl" |
| 51 | +chmod +x ./kubectl |
| 52 | +sudo mv ./kubectl /usr/local/bin/kubectl |
| 53 | +kubectl version --client |
| 54 | +``` |
| 55 | + |
| 56 | +Use [these instructions](https://kubernetes.io/docs/tasks/tools/install-kubectl/) for other operating systems. |
| 57 | + |
| 58 | +> [!CAUTION] |
| 59 | +> After you register a feature on a subscription, you can't currently unregister that feature. When you enable some preview features, defaults might be used for all AKS clusters created afterward in the subscription. Don't enable preview features on production subscriptions. Instead, use a separate subscription to test preview features and gather feedback. |
| 60 | +
| 61 | +```azurecli-interactive |
| 62 | +az feature register --name AAD-V2 --namespace Microsoft.ContainerService |
| 63 | +``` |
| 64 | + |
| 65 | +It might take several minutes for the status to show as **Registered**. You can check the registration status by using the [az feature list](https://docs.microsoft.com/cli/azure/feature?view=azure-cli-latest#az-feature-list) command: |
| 66 | + |
| 67 | +```azurecli-interactive |
| 68 | +az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AAD-V2')].{Name:name,State:properties.state}" |
| 69 | +``` |
| 70 | + |
| 71 | +When the status shows as registered, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register](https://docs.microsoft.com/cli/azure/provider?view=azure-cli-latest#az-provider-register) command: |
| 72 | + |
| 73 | +```azurecli-interactive |
| 74 | +az provider register --namespace Microsoft.ContainerService |
| 75 | +``` |
| 76 | + |
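Review bot: the kubectl install block at lines 49-54 downloads an executable over the network and runs it without any integrity check; since this page is about a security feature, fetch the checksum the release bucket publishes next to the binary and verify it before `chmod +x`, for example `curl -LO "https://storage.googleapis.com/kubernetes-release/release/v1.18.0-beta.2/bin/darwin/amd64/kubectl.sha256"` followed by `echo "$(cat kubectl.sha256)  kubectl" | shasum -a 256 --check`. The same block is fenced as `azurecli` but is a plain bash snippet that pulls the `darwin/amd64` build, so tag it `bash` and say it is the macOS path before the "other operating systems" pointer at line 56. Smaller items in this region: line 36 ("To install/update the aks-preview extension or later") is garbled, probably "To install the aks-preview extension, or update it to 0.4.38 or later"; line 33 names 0.4.38 as the minimum but neither `az extension add` nor `az extension update` pins a version, so the reader should be told to confirm the version in the `az extension list` output; and the `az feature register` block at line 62 follows the caution with no lead-in sentence saying what is being registered and why (the AAD-V2 preview flag on the subscription).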
| 77 | +## Create an AKS cluster with Azure AD v1.0 enabled |
| 78 | + |
| 79 | +You can now create an AKS cluster by using the following CLI commands. |
| 80 | + |
| 81 | +First, create an Azure resource group: |
| 82 | + |
| 83 | +```azurecli-interactive |
| 84 | +# Create an Azure resource group |
| 85 | +az group create --name myResourceGroup --location centralus |
| 86 | +``` |
| 87 | + |
| 88 | +Then, create an AKS cluster: |
| 89 | + |
| 90 | +```azurecli-interactive |
| 91 | +az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad |
| 92 | +``` |
| 93 | +The above command creates a three node AKS cluster, but the user, who created the cluster, by default, is not a member of a group that has access to this cluster. This user needs to create an Azure AD group, add themselves as a member of the group, and then update the cluster as shown below. Follow instructions [here](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) |
| 94 | + |
| 95 | +Once you've created a group and added yourself (and others) as a member, you can update the cluster with the Azure AD group using the following command |
| 96 | + |
| 97 | +```azurecli-interactive |
| 98 | +az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad [--aad-admin-group-object-ids <id1,id2>] [--aad-tenant-id <id>] |
| 99 | +``` |
| 100 | +Alternatively, if you first create a group and add members, you can enable the Azure AD group at create time using the following command, |
| 101 | + |
| 102 | +```azurecli-interactive |
| 103 | +az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad [--aad-admin-group-object-ids <id1,id2>] [--aad-tenant-id <id>] |
| 104 | +``` |
| 105 | + |
| 106 | +A successful creation of an Azure AD v2 cluster has the following section in the response body |
| 107 | +``` |
| 108 | +"Azure ADProfile": { |
| 109 | + "adminGroupObjectIds": null, |
| 110 | + "clientAppId": null, |
| 111 | + "managed": true, |
| 112 | + "serverAppId": null, |
| 113 | + "serverAppSecret": null, |
| 114 | + "tenantId": "72f9****-****-****-****-****d011db47" |
| 115 | + } |
| 116 | +``` |
| 117 | + |
| 118 | +The cluster is created within a few minutes. |
| 119 | + |
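Review bot: the heading at line 77 says "Azure AD v1.0 enabled" while the section creates a v2.0 cluster, and the response snippet at line 108 shows `"Azure ADProfile"` where the actual key in the `az aks create` output is `aadProfile`; both look like a global "aad" to "Azure AD" replace and should be reverted. The resource group is created as `myResourceGroup` at line 85 but referenced as `MyResourceGroup` at lines 91, 98 and 103; Azure tolerates the case difference but copy-paste readers will not notice they are the same group, so use one spelling. Line 93 states that the creating user "is not a member of a group that has access to this cluster", which is true for the Azure AD path only: anyone who holds the Azure RBAC permission to list the cluster's admin credential can still run `az aks get-credentials --admin` (as the next section does) and that path bypasses Azure AD group membership entirely, so say plainly that `--aad-admin-group-object-ids` governs who gets cluster-admin through Azure AD sign-in, not whether the cluster is reachable at all. Finally, "The cluster is created within a few minutes" at line 118 sits after the `az aks update` commands; it belongs directly after the `az aks create` at line 91.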
| 120 | +## Accessing an Azure AD v1.0 enabled cluster |
| 121 | +To get the admin credentials to access the cluster: |
| 122 | + |
| 123 | +```azurecli-interactive |
| 124 | +az aks get-credentials --resource-group myResourceGroup --name MyManagedCluster --admin |
| 125 | +``` |
| 126 | +Now use the kubectl get nodes command to view nodes in the cluster: |
| 127 | + |
| 128 | +```azurecli-interactive |
| 129 | +kubectl get nodes |
| 130 | +
| 131 | +NAME STATUS ROLES AGE VERSION |
| 132 | +aks-nodepool1-15306047-0 Ready agent 102m v1.15.10 |
| 133 | +aks-nodepool1-15306047-1 Ready agent 102m v1.15.10 |
| 134 | +aks-nodepool1-15306047-2 Ready agent 102m v1.15.10 |
| 135 | +``` |
| 136 | + |
| 137 | +To get the user credentials to access the cluster: |
| 138 | + |
| 139 | +```azurecli-interactive |
| 140 | +kubectl get nodes |
| 141 | +``` |
| 142 | + |
| 143 | +To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BYMK7UXVD to authenticate. You receive an error: |
| 144 | + |
| 145 | +**error: You must be logged in to the server (Unauthorized)** |
| 146 | + |
| 147 | +The user above gets an error because the user is not a part of a group that has access to the cluster. |
| 148 | + |
| 149 | + |
| 150 | + |
| 151 | + |