#azure (2020-07)

azure

Archive: https://archive.sweetops.com/azure/

2020-07-31

Padarn avatar
Padarn

Hi guys, an AKS credentials question: I’m reading through https://github.com/Azure/AKS/issues/397, but cannot make heads nor tails of how this is supposed to work

az aks get-credentials should return unique credentials for each user instead of returning shared credentials · Issue #397 · Azure/AKS

For General Availability of AKS, will az aks get-credentials enforce kubectl to connect with credentials unique to each AAD user logged in via az login instead of returning shared credentials that …

Padarn avatar
Padarn

I have an AKS cluster, and it seems I can get credentials with and without --admin

Padarn avatar
Padarn

but I do not understand what is allowing that, now how to disallow that for others

Padarn avatar
Padarn

the final comment on the github issue says

--admin is controlled by Azure RBAC role (azure-kubernetes-service-cluster-admin-role). It basically ignores AAD and uses client certificates.

but --admin fetches the kubeconfig for this role…?

Padarn avatar
Padarn

further: The user role seems to have full access to the cluster too

Craig Dunford avatar
Craig Dunford

This issue will likely be of interest to you: https://github.com/MicrosoftDocs/azure-docs/issues/10754

Limiting who can assume Admin · Issue #10754 · MicrosoftDocs/azure-docs

What is the method that Microsoft is recommending, of limiting who can log into the cluster with the “—admin” flag? If my organization eventually rolls this out to more groups with access to Azure …

Craig Dunford avatar
Craig Dunford
Concepts - Access and identity in Azure Kubernetes Services (AKS) - Azure Kubernetes Service

Learn about access and identity in Azure Kubernetes Service (AKS), including Azure Active Directory integration, Kubernetes role-based access control (RBAC), and roles and bindings.

Padarn avatar
Padarn

a few lines in a github comment make this easier to understand than all of the azure docs

Padarn avatar
Padarn

thanks

Craig Dunford avatar
Craig Dunford

np

Padarn avatar
Padarn

first link cleared up my uncertainly effectively

2020-07-27

Padarn avatar
Padarn

Hi guys - I wish to make a AKS cluster using terraform, but provide the service principle credentials via a aws key vault. However I am also making they key vault at the same time.. so I have a bit of a chicken and egg situation

Padarn avatar
Padarn

any advice on how to resolve?

Craig Dunford avatar
Craig Dunford

The AKS service principal’s credentials, or the credentials you are using to authenticate azurerm?

Padarn avatar
Padarn

the service principle in this case (we will use a managed identity to apply the terraform itself, but that I resigned to making manually)

Craig Dunford avatar
Craig Dunford

Are you using terraform to create the service principal?

Padarn avatar
Padarn

yes, planned to

Craig Dunford avatar
Craig Dunford
Azure Active Directory: azuread_service_principal - Terraform by HashiCorp

Manages a Service Principal associated with an Application within Azure Active Directory.

Craig Dunford avatar
Craig Dunford

You already have the password in aws vault?

Padarn avatar
Padarn

no, that is the current issue - I want to make the SP, and have it added to the Key Vault

Padarn avatar
Padarn

(just trying to avoid as much manual manipulation as possible)

Craig Dunford avatar
Craig Dunford

I don’t have too much advice I guess; not familiar with AWS vault. The SP password can be specified in the following resource: https://www.terraform.io/docs/providers/azuread/r/service_principal_password.html

Azure Active Directory: azuread_service_principal_password - Terraform by HashiCorp

Manages a Password associated with a Service Principal within Azure Active Directory.

Padarn avatar
Padarn

sorry keyvault (Azure not AWS) but thank you

Craig Dunford avatar
Craig Dunford

ah

Padarn avatar
Padarn

but it seems like the best way may be to manually add the password to key vault and then import it as data

Craig Dunford avatar
Craig Dunford

terraform can figure out the dependencies; you can create a keyvault, then a https://www.terraform.io/docs/providers/azurerm/r/key_vault_secret.html to store your secret in the vault and subsequently use that as the password for the service principal.

the problem here, is your password also ends up in the tf state

Padarn avatar
Padarn

yeah that is not ideal

Padarn avatar
Padarn

I wonder if its possible to just use a MI with AKS now, happen to know of any good resources for Azure Tf modules?

Craig Dunford avatar
Craig Dunford

I think AKS still requires a SP last I checked

Craig Dunford avatar
Craig Dunford

one other possible middle ground solution to your issue is to use an external data source which interacts with the keyvault via azure cli

Padarn avatar
Padarn

yeah thats a possibility

Padarn avatar
Padarn

I think though if it comes to that its probably better to accept a small amount of manual management over a new tech at the early stagge

Pierre-Yves avatar
Pierre-Yves

You have two option: -1 sync your AKS Key vault with an Azure key vault. Creating an Azure Key Vault is pretty straight forward then you can request it whenever it is needed with data "azurerm_key_vault and data "azurerm_key_vault_secret

-2 add to your terraform backend a provider for aws with aws credential ( that you need to give as a variable for example ) then calling

data "vault_aws_access_credentials

will use your aws provider credential to fetch the data and allow you to retrieve credentials (nb I am only azure , and not aws )

Padarn avatar
Padarn

yeah that makes sense, the second option seems clean

Padarn avatar
Padarn

plus keyvault seems confusing I can’t understand how the UI and networking security is meant to work yet

Pierre-Yves avatar
Pierre-Yves

there is a default subnet NSG security that allows resources to request azure services

Padarn avatar
Padarn

NSG?

Pierre-Yves avatar
Pierre-Yves

Network security groups.

also on Azure Vault, you need to explicitelly allow a user or application to request it in the “Access Policies” tab or in terraform in resource ”azurerm_key_vault” with an access_policy block

Padarn avatar
Padarn

got it, thanks

Padarn avatar
Padarn

actually I’ve already set up user access, but blocking out internet traffic has stoped us being able to manage keys in the portal (or cli I assume): it makes sense, just figuring out best way around that

Pierre-Yves avatar
Pierre-Yves

to be more precise but it’s out of scope of your question about NSG and Azure services, they can be explicitly allowed or denied using Service tags https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview

Azure service tags overview

Learn about service tags. Service tags help minimize the complexity of security rule creation.

Padarn avatar
Padarn

I think I’m going to have to take some training courses to understand this properly

Padarn avatar
Padarn

thank you

Pierre-Yves avatar
Pierre-Yves

I’ll help as I can ;)

:--1:1

2020-07-26

    keyboard_arrow_up