articles/aks/trusted-access-feature.md
11 additions & 6 deletions
@@ -4,22 +4,27 @@ description: Learn how to use the Trusted Access feature to enable Azure resourc
4
4
author: schaffererin
5
5
services: container-service
6
6
ms.topic: article
7
-
ms.date: 02/06/2023
7
+
ms.date: 02/22/2023
8
8
ms.author: schaffererin
9
9
---
10
10
11
11
# Enable Azure resources to access Azure Kubernetes Service (AKS) clusters using Trusted Access (PREVIEW)
12
12
13
-
Many Azure services that integrate with Azure Kubernetes Service (AKS) need access to the Kubernetes API server. In order to avoid granting these services admin access or having to keep your AKS clusters public for network access, you can use the AKS Trusted Access feature. This feature allows services to privately connect to AKS and Kubernetes via the Azure backend without requiring private endpoint. Instead of relying on identities with [Microsoft Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) permissions, this feature can use your system-assigned managed identity to authenticate with the managed services and applications you want to use on top of AKS.
13
+
Many Azure services that integrate with Azure Kubernetes Service (AKS) need access to the Kubernetes API server. In order to avoid granting these services admin access or having to keep your AKS clusters public for network access, you can use the AKS Trusted Access feature.
14
+
15
+
This feature allows services to securely connect to AKS and Kubernetes via the Azure backend without requiring private endpoint. Instead of relying on identities with [Microsoft Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) permissions, this feature can use your system-assigned managed identity to authenticate with the managed services and applications you want to use on top of AKS.
14
16
15
17
Trusted Access addresses the following scenarios:
16
18
17
-
* Azure services may be unable to access the Kubernetes API server when the authorized IP range is enabled, or in private clusters unless you implement a complex private endpoint access model.
19
+
* Azure services may be unable to access the Kubernetes API server when the authorized IP range is enabled, or in private clusters unless you implement a private endpoint access model.
18
20
19
21
* Providing admin access to the Kubernetes API to an Azure service doesn't follow the least privileged access best practices and could lead to privilege escalations or risks of credential leakage.
20
22
21
23
* For example, you may have to implement high-privileged service-to-service permissions, which aren't ideal during audit reviews.
22
24
25
+
> [!NOTE]
26
+
> Using the Trusted Access feature on Azure RBAC-enabled clusters isn't supported.
27
+
23
28
This article shows you how to enable secure access from your Azure services to your Kubernetes API server in AKS using Trusted Access.
24
29
25
30
[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
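Review bot: "securely" in the new line 15 is vaguer than the "privately" it replaces, and the sentence still reads "without requiring private endpoint" (missing article). The original word named a concrete property, that the service reaches the API server through the Azure backend rather than through a public endpoint; suggest keeping that specificity, for example "This feature allows services to connect to AKS and Kubernetes through the Azure backend without exposing the API server publicly or requiring a private endpoint." Separately, the NOTE added at lines 25-27 states that Trusted Access isn't supported on Azure RBAC-enabled clusters but not what a reader with such a cluster should expect (whether the RoleBinding creation in the later section fails, or succeeds without taking effect); stating the observable behaviour, or linking to the supported cluster authorization modes, would make the limitation actionable.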
@@ -72,13 +77,13 @@ az provider register --namespace Microsoft.ContainerService
72
77
73
78
## Select the required Trusted Access Roles
74
79
75
-
The Roles you select depend on the different Azure services. These services help create Roles and RoleBindings, which build the connection from the partner service to AKS.
80
+
The Roles you select depend on the different Azure services. These services help create Roles and RoleBindings, which build the connection from the Azure service to AKS.
76
81
77
82
Azure Machine Learning (AzureML) now supports access to AKS clusters with the Trusted Access feature. If you want to preview the Trusted Access feature in AzureML, see [AzureML access to AKS clusters with special configurations](../machine-learning/azureml-aks-ta-support.md).
78
83
79
84
## Create a Trusted Access RoleBinding
80
85
81
-
After confirming which Role to use, use the Azure CLI to create a Trusted Access RoleBinding in an AKS cluster. The RoleBinding associates your selected Role with the partner service.
86
+
After confirming which Role to use, use the Azure CLI to create a Trusted Access RoleBinding in an AKS cluster. The RoleBinding associates your selected Role with the Azure service.
82
87
83
88
```azurecli
84
89
# Create a Trusted Access RoleBinding in an AKS cluster
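Review bot: the sentence kept at line 80, "These services help create Roles and RoleBindings, which build the connection from the Azure service to AKS", leaves it unclear who creates what, while line 86 says the reader creates the RoleBinding with the Azure CLI. Since this hunk is already reworking both lines, suggest stating plainly that the set of Roles depends on the Azure service (line 80 already says this) and that the RoleBinding itself is created by the cluster operator with the CLI (line 86), so the reader knows which part is under their control and is the thing to review during an audit. The "partner service" to "Azure service" rename is consistent within this hunk; worth confirming the same replacement was made in the sections outside it.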
@@ -141,7 +146,7 @@ az aks trustedaccess rolebinding list --resource-group <AKS resource group> --cl
141
146
## Delete the Trusted Access RoleBinding for a cluster
142
147
143
148
> [!WARNING]
144
-
> Deleting the existing Trusted Access RoleBinding will cause disconnection from AKS cluster to partner service.
149
+
> Deleting the existing Trusted Access RoleBinding will cause disconnection from AKS cluster to the Azure service.
145
150
146
151
Use the Azure CLI to delete an existing Trusted Access RoleBinding.
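Review bot: the warning at line 149 still reads awkwardly ("cause disconnection from AKS cluster to the Azure service"); suggest "Deleting the existing Trusted Access RoleBinding disconnects the Azure service from the AKS cluster." Since the hunk header shows `az aks trustedaccess rolebinding list`, it would also help to tell the reader to run that command first to confirm which binding, and therefore which service, they are about to disconnect.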