This topic tells you how to integrate Azure Active Directory (Azure AD) with Tanzu Application Platform on an Azure Kubernetes Service (AKS) cluster.

Perform the following procedures to integrate Azure AD with a new or existing AKS cluster without Pinniped.
Download and install the Azure CLI.

To set up a platform operator:

1. Navigate to the Azure Active Directory Overview page.
2. Select Groups under the Manage side menu.
3. Identify or create an admin group for the AKS cluster.
4. Retrieve the object ID of the admin group.
5. Take one of the following actions:

- Create an AKS cluster with Azure AD enabled by running:

az group create --name RESOURCE-GROUP --location LOCATION
az aks create -g RESOURCE-GROUP -n MANAGED-CLUSTER --enable-aad --aad-admin-group-object-ids OBJECT-ID

Where:
RESOURCE-GROUP is your resource group.
LOCATION is your location.
MANAGED-CLUSTER is your managed cluster.
OBJECT-ID is the object ID of the admin group.

- Enable Azure AD integration on the existing cluster by running:

az aks update -g RESOURCE-GROUP -n MANAGED-CLUSTER --enable-aad --aad-admin-group-object-ids OBJECT-ID

Where:
RESOURCE-GROUP is your resource group.
MANAGED-CLUSTER is your managed cluster.
OBJECT-ID is the object ID of the admin group.

6. Add platform operators to the admin group.
7. Log in to the AKS cluster by running:

az aks get-credentials --resource-group RESOURCE-GROUP --name MANAGED-CLUSTER --admin

Where:
RESOURCE-GROUP is your resource group.
MANAGED-CLUSTER is your managed cluster.

To set up a Tanzu Application Platform default role group:
1. Navigate to the Azure Active Directory Overview page.
2. Select Groups under the Manage side menu.
3. Identify or create a group in Azure AD for each of the Tanzu Application Platform default roles (app-operator, app-viewer, and app-editor).
4. Retrieve the corresponding object ID of each group.
5. Add users to the groups accordingly.
6. For each object ID retrieved earlier, use the Tanzu CLI RBAC plug-in to bind the group to a role by running:

tanzu rbac binding add -g OBJECT-ID -r TAP-ROLE -n NAMESPACE

Where:
OBJECT-ID is the object ID of the group.
TAP-ROLE is the Tanzu Application Platform role.
NAMESPACE is the namespace.

To set up kubeconfig:

1. Set up the kubeconfig to point to the AKS cluster by running:

az aks get-credentials --resource-group RESOURCE-GROUP --name MANAGED-CLUSTER

Where:
RESOURCE-GROUP is your resource group.
MANAGED-CLUSTER is your managed cluster.

2. Run any kubectl command to trigger a browser login. For example:

kubectl get pods
Perform the following procedures to set up Azure AD with Pinniped.

Install the Pinniped Supervisor and Concierge on the cluster without setting up the OIDCIdentityProvider and its Secret.

To set up the Azure AD app:

1. Navigate to the Azure Active Directory Overview page.
2. Select App registrations under the Manage side menu.
3. Select New Registration.
4. Enter the name of the application. For example, gke-pinniped-supervisor-app.
5. Under Supported account types, select Accounts in this organisational directory only (VMware, Inc. only - Single tenant).
6. Under Redirect URI, select Web as the platform.
7. Enter the callback URI of the Supervisor. For example, https://pinniped-supervisor.example.com/callback.
8. Select Register to create the app.
9. If you are not redirected automatically, navigate to the app settings page.
10. Select Token configuration under the Manage menu.
11. Select Add groups claim > All groups (includes distribution lists but not groups assigned to the application).
12. Select Add to create the groups claim.
13. Select the app name in the breadcrumb navigation to return to the app settings page.
14. Select the Endpoints tab and record the value in the OpenID Connect metadata document field.
15. Return to the app settings page.
16. Record the Application (client) ID.
17. Select Certificates & secrets under the Manage menu.
18. Create a new client secret and record its value.
19. Add the following YAML to oidc_identity_provider.yaml:

---
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  namespace: pinniped-supervisor
  name: azure-ad
spec:
  # Specify the upstream issuer URL.
  issuer: ISSUER-URL
  authorizationConfig:
    additionalScopes: ["openid", "email", "profile"]
    allowPasswordGrant: false
  # Specify how claims are mapped to Kubernetes identities.
  claims:
    username: preferred_username
    groups: groups
  # Specify the name of the Kubernetes Secret that contains your
  # application's client credentials (created below).
  client:
    secretName: azure-ad-client-credentials
---
apiVersion: v1
kind: Secret
metadata:
  namespace: pinniped-supervisor
  name: azure-ad-client-credentials
type: secrets.pinniped.dev/oidc-client
stringData:
  clientID: "AZURE-AD-CLIENT-ID"
  clientSecret: "AZURE-AD-CLIENT-SECRET"

Where:
ISSUER-URL is the OpenID Connect metadata document URL you recorded earlier, without the trailing /.well-known/openid-configuration.
AZURE-AD-CLIENT-ID is the Azure AD client ID you recorded earlier.
AZURE-AD-CLIENT-SECRET is the Azure AD client secret you recorded earlier.

20. Apply your changes from the kubectl CLI by running:

kubectl apply -f workspace/pinniped-supervisor/oidc_identity_provider.yaml
To set up a Tanzu Application Platform default role group:

1. Navigate to the Azure Active Directory Overview page.
2. Select Groups under the Manage side menu.
3. Identify or create a group in Azure AD for each of the Tanzu Application Platform default roles (app-operator, app-viewer, and app-editor).
4. Retrieve the corresponding object ID of each group.
5. Add users to the groups accordingly.
6. For each object ID retrieved earlier, use kubectl to bind the group to a role by running:

kubectl apply -n DEVELOPER-NAMESPACE -f - << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: TAP-ROLE
  namespace: DEVELOPER-NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: TAP-ROLE
subjects:
# Azure AD identifies the group by its object ID in the groups claim.
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: OBJECT-ID
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: TAP-ROLE-cluster-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Bind the cluster-access companion of TAP-ROLE, not TAP-ROLE itself:
  # a ClusterRoleBinding to the namespaced role would grant it in every namespace.
  name: TAP-ROLE-cluster-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: OBJECT-ID
EOF

Where:
OBJECT-ID is the object ID of the group.
TAP-ROLE is the Tanzu Application Platform role.
DEVELOPER-NAMESPACE is the namespace for scoping the group.

For more information about binding users or groups to roles, see Bind a user or group to a default role.
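As an added example (not part of this documentation, of Pinniped or of the Tanzu CLI), the following Python checks two things the Pinniped procedure above depends on: that ISSUER-URL is derived correctly from the recorded OpenID Connect metadata document URL and equals the issuer the document itself declares, and that the RoleBinding and ClusterRoleBinding objects use Azure AD group object IDs as Group subjects and do not grant a namespaced default role cluster-wide. The tenant ID, group ID and binding objects are constructed placeholders.

```python
import json
import re

WELL_KNOWN = "/.well-known/openid-configuration"
# Azure AD puts group object IDs (GUIDs) in the groups claim, so Group
# subjects in bindings must be object IDs, never display names.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
NAMESPACED_ROLES = {"app-operator", "app-viewer", "app-editor"}


def issuer_from_metadata_url(metadata_url: str) -> str:
    """ISSUER-URL is the metadata document URL without the well-known suffix."""
    if not metadata_url.endswith(WELL_KNOWN):
        raise ValueError("expected a URL ending in " + WELL_KNOWN)
    return metadata_url[: -len(WELL_KNOWN)]


def issuer_matches_document(metadata_json: str, issuer_url: str) -> bool:
    """OIDC discovery only succeeds if the document's 'issuer' equals spec.issuer."""
    return json.loads(metadata_json).get("issuer") == issuer_url


def audit_bindings(bindings: list) -> list:
    """Return findings for a list of RoleBinding/ClusterRoleBinding dicts."""
    findings = []
    for b in bindings:
        kind, name = b["kind"], b["metadata"]["name"]
        for s in b.get("subjects", []):
            if s.get("kind") == "Group" and not GUID_RE.match(s.get("name", "")):
                findings.append(f"{kind}/{name}: Group {s.get('name')!r} is not an object ID")
        # A ClusterRoleBinding to a namespaced default role grants it in every namespace.
        if kind == "ClusterRoleBinding" and b["roleRef"]["name"] in NAMESPACED_ROLES:
            findings.append(f"{kind}/{name}: grants {b['roleRef']['name']} in every namespace")
    return findings


# Constructed sample input (placeholder tenant and group IDs, not real values).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0{WELL_KNOWN}"
SAMPLE_METADATA_DOC = json.dumps({"issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0"})
RBAC = "rbac.authorization.k8s.io"
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "app-editor", "namespace": "dev-team"},
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "app-editor"},
     "subjects": [{"apiGroup": RBAC, "kind": "Group", "name": "11111111-2222-3333-4444-555555555555"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "app-editor-cluster-access"},
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "app-editor"},
     "subjects": [{"apiGroup": RBAC, "kind": "Group", "name": "TAP Editors"}]},
]
```

Running audit_bindings(SAMPLE_BINDINGS) reports two findings, both against the sample ClusterRoleBinding: a display name used as the Group subject and a namespaced role bound cluster-wide.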
Follow these steps to set up kubeconfig:

1. Set up kubeconfig using the Pinniped CLI by running:

pinniped get kubeconfig --kubeconfig-context YOUR-KUBECONFIG-CONTEXT > /tmp/concierge-kubeconfig

Where YOUR-KUBECONFIG-CONTEXT is your kubeconfig context.

2. Run any kubectl command to trigger a browser login. For example:

export KUBECONFIG="/tmp/concierge-kubeconfig"
kubectl get pods