This topic tells you how to integrate Azure Active Directory (commonly known as Azure AD) with Tanzu Application Platform.

Perform the following procedures to integrate Azure AD with a new or existing AKS cluster without Pinniped.

Before you begin, download and install the Azure CLI.
To set up a platform operator:

- Navigate to the Azure Active Directory Overview page.
- Select Groups under the Manage side menu.
- Identify or create an admin group for the AKS cluster.
- Retrieve the object ID of the admin group.
- Take one of the following actions:

  - Create an AKS cluster with Azure AD enabled by running:

    ```shell
    az group create --name RESOURCE-GROUP --location LOCATION
    az aks create -g RESOURCE-GROUP -n MANAGED-CLUSTER --enable-aad --aad-admin-group-object-ids OBJECT-ID
    ```

    Where:

    - `RESOURCE-GROUP` is your resource group.
    - `LOCATION` is your location.
    - `MANAGED-CLUSTER` is your managed cluster.
    - `OBJECT-ID` is the object ID of the admin group.

  - Enable Azure AD integration on the existing cluster by running:

    ```shell
    az aks update -g RESOURCE-GROUP -n MANAGED-CLUSTER --enable-aad --aad-admin-group-object-ids OBJECT-ID
    ```

    Where:

    - `RESOURCE-GROUP` is your resource group.
    - `MANAGED-CLUSTER` is your managed cluster.
    - `OBJECT-ID` is the object ID of the admin group.

- Add platform operators to the admin group.
- Log in to the AKS cluster by running:

  ```shell
  az aks get-credentials --resource-group RESOURCE-GROUP --name MANAGED-CLUSTER --admin
  ```

  Where:

  - `RESOURCE-GROUP` is your resource group.
  - `MANAGED-CLUSTER` is your managed cluster.

  The `--admin` flag fetches the local cluster administrator credentials, which do not go through Azure AD.
To set up a Tanzu Application Platform default role group:

- Navigate to the Azure Active Directory Overview page.
- Select Groups under the Manage side menu.
- Identify or create a list of groups in the Azure AD for each of the Tanzu Application Platform default roles (`app-operator`, `app-viewer`, and `app-editor`).
- Retrieve the corresponding object IDs for each group.
- Add users to the groups accordingly.
- For each object ID retrieved earlier, use the Tanzu CLI RBAC plug-in to bind the object ID group to a role by running:

  ```shell
  tanzu rbac binding add -g OBJECT-ID -r TAP-ROLE -n NAMESPACE
  ```

  Where:

  - `OBJECT-ID` is the object ID of the group.
  - `TAP-ROLE` is the Tanzu Application Platform role.
  - `NAMESPACE` is the namespace.
To set up kubeconfig:

- Set up the `kubeconfig` to point to the AKS cluster by running:

  ```shell
  az aks get-credentials --resource-group RESOURCE-GROUP --name MANAGED-CLUSTER
  ```

  Where:

  - `RESOURCE-GROUP` is your resource group.
  - `MANAGED-CLUSTER` is your managed cluster.

- Run any kubectl command to trigger a browser login. For example:

  ```shell
  kubectl get pods
  ```
Perform the following procedures to set up Azure AD with Pinniped.

Install the Pinniped Supervisor and Concierge on the cluster, but do not yet create the `OIDCIdentityProvider` and its Secret; you create them in the following steps.
To set up the Azure AD app:

- Navigate to the Azure Active Directory Overview page.
- Select App registrations under the Manage side menu.
- Select New Registration.
- Enter the name of the application. For example, `gke-pinniped-supervisor-app`.
- Under Supported account types, select Accounts in this organizational directory only (VMware, Inc. only - Single tenant).
- Under Redirect URI, select Web as the platform.
- Enter the callback URI of the Supervisor. For example, `https://pinniped-supervisor.example.com/callback`.
- Select Register to create the app.
- If not already redirected, navigate to the app settings page.
- Select Token configuration under the Manage menu.
- Select Add groups claim > All groups (includes distribution lists but not groups assigned to the application).
- Select Add to create the group claim.
- Select the app name in the breadcrumb navigation to return to the app settings page.
- Select the Endpoints tab and record the value in the OpenID Connect metadata document field.
- Return to the app settings page.
- Record the Application (client) ID.
- Select Certificates & secrets under the Manage menu.
- Create a new client secret and record this value.
- Add the following YAML to `oidc_identity_provider.yaml`:

  ```yaml
  ---
  apiVersion: idp.supervisor.pinniped.dev/v1alpha1
  kind: OIDCIdentityProvider
  metadata:
    namespace: pinniped-supervisor
    name: azure-ad
  spec:
    # Specify the upstream issuer URL.
    issuer: ISSUER-URL
    authorizationConfig:
      additionalScopes: ["openid", "email", "profile"]
      allowPasswordGrant: false
    # Specify how claims are mapped to Kubernetes identities.
    claims:
      username: preferred_username
      groups: groups
    # Specify the name of the Kubernetes Secret that contains your
    # application's client credentials (created below).
    client:
      secretName: azure-ad-client-credentials
  ---
  apiVersion: v1
  kind: Secret
  metadata:
    namespace: pinniped-supervisor
    name: azure-ad-client-credentials
  type: secrets.pinniped.dev/oidc-client
  stringData:
    clientID: "AZURE-AD-CLIENT-ID"
    clientSecret: "AZURE-AD-CLIENT-SECRET"
  ```

  Where:

  - `ISSUER-URL` is the OpenID Connect metadata document URL you recorded earlier, but without the trailing `/.well-known/openid-configuration`.
  - `AZURE-AD-CLIENT-ID` is the Azure AD client ID you recorded earlier.
  - `AZURE-AD-CLIENT-SECRET` is the Azure AD client secret you recorded earlier.

- Apply your changes from the kubectl CLI by running:

  ```shell
  kubectl apply -f workspace/pinniped-supervisor/oidc_identity_provider.yaml
  ```
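The following shell functions are an added example, not part of this topic or of the Pinniped project. They derive `ISSUER-URL` from the metadata document URL recorded earlier and render the two manifests above from it, refusing a URL that does not end in the discovery suffix. The function names are the example's own, and the tenant ID, client ID and secret in the comments are constructed placeholders.

```shell
# Suffix that Azure AD appends to the issuer in the "OpenID Connect metadata document" URL.
METADATA_SUFFIX="/.well-known/openid-configuration"

# Print the issuer for a metadata document URL, or fail if the URL does not end
# with the discovery suffix. The Supervisor fetches <issuer>/.well-known/openid-configuration
# and rejects the provider when the document's "issuer" field differs from spec.issuer,
# so a value with the suffix still attached (or a stray trailing slash) never works.
# Example input (constructed tenant ID):
#   https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration
issuer_from_metadata_url() {
  url="$1"
  case "$url" in
    https://*"$METADATA_SUFFIX") printf '%s\n' "${url%"$METADATA_SUFFIX"}" ;;
    *) echo "not an OpenID Connect metadata URL: $url" >&2; return 1 ;;
  esac
}

# Render the OIDCIdentityProvider and its client-credentials Secret to stdout.
# Arguments: metadata document URL, Application (client) ID, client secret.
render_oidc_idp() {
  issuer=$(issuer_from_metadata_url "$1") || return 1
  cat <<EOF
---
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  namespace: pinniped-supervisor
  name: azure-ad
spec:
  issuer: $issuer
  authorizationConfig:
    additionalScopes: ["openid", "email", "profile"]
    allowPasswordGrant: false
  claims:
    username: preferred_username
    groups: groups
  client:
    secretName: azure-ad-client-credentials
---
apiVersion: v1
kind: Secret
metadata:
  namespace: pinniped-supervisor
  name: azure-ad-client-credentials
type: secrets.pinniped.dev/oidc-client
stringData:
  clientID: "$2"
  clientSecret: "$3"
EOF
}
```

Pipe the rendered output to `kubectl apply -f -` instead of committing the client secret to a file.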
To set up a Tanzu Application Platform default role group:

- Navigate to the Azure Active Directory Overview page.
- Select Groups under the Manage side menu.
- Identify or create a list of groups in the Azure AD for each of the Tanzu Application Platform default roles (`app-operator`, `app-viewer`, and `app-editor`).
- Retrieve the corresponding object IDs for each group.
- Add users to the groups accordingly.
- For each object ID retrieved earlier, use kubectl to bind the object ID group to a role by running:

  ```shell
  kubectl apply -n DEVELOPER-NAMESPACE -f - << EOF
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: TAP-ROLE
    namespace: DEVELOPER-NAMESPACE
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: TAP-ROLE
  subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: OBJECT-ID
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: TAP-ROLE-cluster-access
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: TAP-ROLE-cluster-access
  subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: OBJECT-ID
  EOF
  ```

  Where:

  - `OBJECT-ID` is the object ID of the group.
  - `TAP-ROLE` is the Tanzu Application Platform role.
  - `TAP-ROLE-cluster-access` is the cluster-scoped counterpart of that role, which grants only the cluster-wide resources the role needs; binding the namespaced role itself through a ClusterRoleBinding would grant its full permissions in every namespace.
  - `DEVELOPER-NAMESPACE` is the namespace for scoping the group.

For more information about binding users or groups to roles, see Bind a user or group to a default role.
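One way to script the namespaced binding above for each group, as an added example that is not part of this topic or of Tanzu Application Platform: the shell functions below render the RoleBinding for a `TAP-ROLE` and an Azure AD group object ID, and refuse a role name outside the three defaults or a subject that is not shaped like an object ID, so that a mistyped role or group cannot be bound. The function names are the example's own; the namespace and object ID in the comments are constructed.

```shell
# Return 0 if the argument is one of the three default roles named in this topic.
is_default_role() {
  case "$1" in
    app-operator|app-viewer|app-editor) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the argument has the 8-4-4-4-12 hexadecimal shape of an Azure AD object ID.
# The Group subject must be the object ID because that is the value Azure AD sends in
# the "groups" claim, which is what the binding above uses as the Kubernetes group name.
is_object_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print a namespaced RoleBinding for ROLE, GROUP-OBJECT-ID and NAMESPACE to stdout,
# for example: render_group_binding app-viewer 11111111-2222-3333-4444-555555555555 dev-team
# (constructed values). Pipe the output into "kubectl apply -f -" once it looks right.
render_group_binding() {
  role="$1"; object_id="$2"; namespace="$3"
  is_default_role "$role" || { echo "unknown default role: $role" >&2; return 1; }
  is_object_id "$object_id" || { echo "not an Azure AD object ID: $object_id" >&2; return 1; }
  [ -n "$namespace" ] || { echo "namespace is required" >&2; return 1; }
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $role
  namespace: $namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: $object_id
EOF
}
```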
Follow these steps to set up kubeconfig:

- Set up `kubeconfig` using the Pinniped CLI by running:

  ```shell
  pinniped get kubeconfig --kubeconfig-context YOUR-KUBECONFIG-CONTEXT > /tmp/concierge-kubeconfig
  ```

  Where `YOUR-KUBECONFIG-CONTEXT` is your kubeconfig context.

- Run any kubectl command to trigger a browser login. For example:

  ```shell
  export KUBECONFIG="/tmp/concierge-kubeconfig"
  kubectl get pods
  ```