How to link Azure Active Directory "Service Principal" with AKS Kubernetes "Service Account"

12/28/2018

Currently I am trying to deploy applications inside an AKS kubernetes cluster on Azure.

For the deployment pipeline I would like to use a service account which is managed through azure active directory (e.g. service principal).

I already have created a service principal through the Azure CLI.

What is the right way to make this service principal known as a service account inside the AKS cluster?

The reason I need a service account and not a user account is because I want to use it from my devops pipeline without requiring a login, but still be able to manage it through active directory.

Currently I'm using the default service account to deploy my containers inside a namespace, this works but the account is only known inside the namespace and not centrally managed.

# This binding enables a cluster account to deploy on kubernetes
# You can confirm this with
# kubectl --as="${USER}" auth can-i create deployments
# See also: https://github.com/honestbee/drone-kubernetes/issues/8
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: default-deploy
rules:
- apiGroups: ["extensions"]
  resources: ["deployments"]
  verbs: ["get","list","patch","update", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-default-deploy
  namespace: default
roleRef:
  kind: Role
  name: default-deploy
  apiGroup: rbac.authorization.k8s.io
subjects:
# working, the default account configured with deploy permissions
- name: default
  kind: ServiceAccount
  namespace: default
# works, if the service principal is configured as a User
- name: "111111-0000-1111-0000-********"
  apiGroup: rbac.authorization.k8s.io
  kind: User
# this does not work, the service principal is configured as a Service Account
- name: "111111-0000-1111-0000-********"
  apiGroup: rbac.authorization.k8s.io
  kind: ServiceAccount

I would expect to be able to configure the service account also through RBAC, however I get the following error:

The RoleBinding "role-default-deploy" is invalid: subjects[1].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""
-- Sudesh Jethoe
azure
azure-active-directory
azure-kubernetes

0 Answers
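Added example, not part of the question above: a small Python check that applies the RBAC subject rules the API server enforces (a ServiceAccount subject must carry an empty apiGroup, while User and Group subjects must carry rbac.authorization.k8s.io), runs them over the three subjects from the posted RoleBinding, and rewrites the subject that fails. The assumption it encodes is the one the question's own comments point at: on an AAD-integrated AKS cluster an Azure AD service principal authenticates to the API server as a User whose name is its object ID, so it can only be bound as a User (or, via an AAD group object ID, as a Group), never as a Kubernetes ServiceAccount. The subject list is copied from the question; function names and the hypothetical rewrite step are mine.

```python
"""Pre-flight RBAC subject validation, modelled on the Kubernetes RBAC
validation rules (kind / apiGroup / namespace pairing). Added example; the
subjects are constructed from the question's RoleBinding."""

import json

RBAC_GROUP = "rbac.authorization.k8s.io"

# Constructed from the question: two subjects that bind, one that is rejected.
SUBJECTS_FROM_POST = [
    {"kind": "ServiceAccount", "name": "default", "namespace": "default"},
    {"kind": "User", "name": "111111-0000-1111-0000-********", "apiGroup": RBAC_GROUP},
    {"kind": "ServiceAccount", "name": "111111-0000-1111-0000-********", "apiGroup": RBAC_GROUP},
]


def validate_subject(idx, subject, namespaced_binding=True):
    """Errors for one subject, worded like the API server's field errors.
    namespaced_binding=True means a RoleBinding (a ServiceAccount subject's
    namespace defaults to the binding's); False means a ClusterRoleBinding,
    where the namespace is required."""
    prefix = f"subjects[{idx}]"
    errors = []
    kind = subject.get("kind")
    api_group = subject.get("apiGroup", "")
    if not subject.get("name"):
        errors.append(f"{prefix}.name: Required value")
    if kind == "ServiceAccount":
        # In-cluster identity in the core API group: apiGroup must be empty.
        if api_group != "":
            errors.append(f'{prefix}.apiGroup: Unsupported value: "{api_group}": supported values: ""')
        if not namespaced_binding and not subject.get("namespace"):
            errors.append(f"{prefix}.namespace: Required value")
    elif kind in ("User", "Group"):
        # External identities (AAD user, group or service principal) live here.
        if api_group != RBAC_GROUP:
            errors.append(f'{prefix}.apiGroup: Unsupported value: "{api_group}": supported values: "{RBAC_GROUP}"')
    else:
        errors.append(f'{prefix}.kind: Unsupported value: "{kind}": supported values: "ServiceAccount", "User", "Group"')
    return errors


def validate_subjects(subjects, namespaced_binding=True):
    errs = []
    for i, s in enumerate(subjects):
        errs.extend(validate_subject(i, s, namespaced_binding))
    return errs


def aad_identity_subject(object_id, kind="User"):
    """Subject for an Azure AD identity (assumption: the SP's object ID is the
    User name the API server sees on an AAD-integrated cluster)."""
    if kind not in ("User", "Group"):
        raise ValueError("an AAD identity is bound as User or Group, never ServiceAccount")
    return {"kind": kind, "name": object_id, "apiGroup": RBAC_GROUP}


def rewrite_external_identities(subjects):
    """Hypothetical fix-up: a ServiceAccount subject that carries the rbac
    apiGroup is an external identity written with the wrong kind; turn it into
    a User subject and drop the duplicate it now collides with."""
    out = []
    for s in subjects:
        if s.get("kind") == "ServiceAccount" and s.get("apiGroup") == RBAC_GROUP:
            s = aad_identity_subject(s["name"])
        if s not in out:
            out.append(s)
    return out


def role_binding(name, namespace, role, subjects):
    """Assemble a RoleBinding manifest as a plain dict (json.dumps is valid YAML)."""
    return {
        "apiVersion": RBAC_GROUP + "/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": {"apiGroup": RBAC_GROUP, "kind": "Role", "name": role},
        "subjects": subjects,
    }


if __name__ == "__main__":
    for err in validate_subjects(SUBJECTS_FROM_POST):
        print("rejected:", err)
    fixed = rewrite_external_identities(SUBJECTS_FROM_POST)
    print(json.dumps(role_binding("role-default-deploy", "default", "default-deploy", fixed), indent=2))
```

After applying the corrected binding, the check from the question's own comment is the right one, run as the principal rather than as yourself: `kubectl auth can-i create deployments -n default --as=<service-principal-object-id>`, and `--as=system:serviceaccount:default:default` for the in-cluster account. The two subjects stay different things: the User is the centrally managed AAD identity the pipeline logs in with, the ServiceAccount is the namespace-local identity pods run as. Note also that on Kubernetes 1.16 and later, deployments exist only in the apps API group, so a Role that lists `apiGroups: ["extensions"]` grants nothing there.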