Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: (IAC-600) Add support for Microsoft Entra authentication with Kubernetes RBAC #381

Merged
merged 1 commit into from
May 9, 2024

Conversation

riragh
Copy link
Member

@riragh riragh commented May 1, 2024

Changes:

This PR adds support for Microsoft Entra authentication with Kubernetes RBAC. For more details on Microsoft Entra authentication with Kubernetes RBAC see Azure documentation here.

With this new feature user will have two options to configure Authentication and Authorization in an AKS cluster:

  1. Local Accounts with Kubernetes RBAC. -- Current default
  2. Microsoft Entra authentication with Kubernetes RBAC.

Tests:

Verified following scenarios:

Scenario Task Cadence kubernetes_version Notes
1 create_static_kubeconfig = true, rbac_aad_enabled = true, rbac_aad_admin_group_object_ids = ["****"] fast:2020 1.28 Authentication and Authorization is set to Microsoft Entra authentication with Kubernetes RBAC
2 create_static_kubeconfig = false, rbac_aad_enabled = true, rbac_aad_admin_group_object_ids = ["*****"] fast:2020 1.28 Authentication and Authorization is set to Microsoft Entra authentication with Kubernetes RBAC
3 create_static_kubeconfig = true, rbac_aad_enabled = false, rbac_aad_admin_group_object_ids = ["*****"] fast:2020 1.28 Authentication and Authorization is set to Local Accounts with Kubernetes RBAC
4 create_static_kubeconfig = false, rbac_aad_enabled = false, rbac_aad_admin_group_object_ids = ["******"] fast:2020 1.28 Authentication and Authorization is set to Local Accounts with Kubernetes RBAC
5 OOTB, all defaults fast:2020 1.28 No changes, Authentication and Authorization is set to Local Accounts with Kubernetes RBAC
6 create_static_kubeconfig = false, rbac_aad_enabled = true, rbac_aad_admin_group_object_ids = null or not specified fast:2020 1.28 Authentication and Authorization is set to Microsoft Entra authentication with Kubernetes RBAC

@riragh riragh added the enhancement New feature or request label May 1, 2024
@riragh riragh self-assigned this May 1, 2024
@riragh riragh marked this pull request as ready for review May 8, 2024 13:45
@riragh riragh requested review from dhoucgitter, sayeun, thpang and jarpat May 8, 2024 13:52
@thpang
Copy link
Member

thpang commented May 8, 2024

What/how is this done in AWS, GCP, OSS, or is this a one-off for Azure? Just because we can does not always mean we should. Again, looking for the driving force on just this very specific Azure request.

@riragh
Copy link
Member Author

riragh commented May 8, 2024

What/how is this done in AWS, GCP, OSS, or is this a one-off for Azure? Just because we can does not always mean we should. Again, looking for the driving force on just this very specific Azure request.

CIS requested this feature via internal feature request ticket which was scoped and prioritized only for Azure. We have made them aware of the parity we follow across cloud but as there is no immediate requirement for AWS/GCP we don't have any work there yet.

@Carus11
Copy link

Carus11 commented May 8, 2024

This is useful in other field deployments, and is one modification we need to make on forks from this project. Including it in the project would mean better alignment with best practices, and less deviations from this project a customer would need to maintain manually themselves.

@riragh riragh merged commit 0b9e0a8 into staging May 9, 2024
3 checks passed
@riragh riragh deleted the azure_ad branch May 9, 2024 15:03
@jarpat jarpat mentioned this pull request May 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants