@mlbiam
Last active July 29, 2019 03:15
orchestra-to-aks.md

## Deploy AKS

I enabled HTTP Host Access for simpler deployment.

## Deploy Nginx Ingress

https://kubernetes.github.io/ingress-nginx/deploy/#azure

```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
```

## Create AzureAD Application

  1. Create a new App Registration.
  2. Under Certificates and Secrets create a new Client Secret; use it for `OIDC_CLIENT_SECRET`.
  3. Under API Permissions add `User.Read` and `email`.
  4. For Redirect URIs use `https://host/auth/oidc`, where `host` is the value of `OU_HOST`.
  5. Update the manifest:

```json
...
"groupMembershipClaims": "SecurityGroup",
...
"optionalClaims": {
    "idToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "netbios_name_and_sam_account_name",
                "emit_as_roles"
            ]
        },
        {
            "name": "given_name",
            "source": null,
            "essential": false,
            "additionalProperties": []
        },
        {
            "name": "family_name",
            "source": null,
            "essential": false,
            "additionalProperties": []
        },
        {
            "name": "email",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ],
    "accessToken": [],
    "saml2Token": []
},
```

## Deploy Dashboard 2.0

```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta2/aio/deploy/recommended.yaml
```

## Deploy Orchestra

Make sure to get the endpoints from the application. For some reason I can't get email out into the id_token. Added the following to configmaps/input.props:

```properties
K8S_DASHBOARD_NAMESPACE=kubernetes-dashboard
K8S_IMPERSONATION=true
SUB_CLAIM=preferred_username
EMAIL_CLAIM=sub
```

## Create RBAC rules

Deploy so Orchestra can do impersonation:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator
rules:
# The subject bound to this role can act as any user or group in the cluster,
# so it is limited to the impersonate verb on exactly the identity resources
# Orchestra sets in its request headers.
- apiGroups: [""]
  resources: ["users", "groups", "serviceaccounts"]
  verbs: ["impersonate"]
- apiGroups: ["authentication.k8s.io"]
  resources: ["userextras/scopes"]
  verbs: ["impersonate"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: impersonator
  # ClusterRoleBindings are cluster-scoped; a namespace here is meaningless
subjects:
- kind: ServiceAccount
  name: openunison-orchestra
  namespace: openunison
roleRef:
  kind: ClusterRole
  name: impersonator
  apiGroup: rbac.authorization.k8s.io
```
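The following is an added example, not code from the gist or from OpenUnison: it walks an AzureAD-style id_token through the `SUB_CLAIM`/`EMAIL_CLAIM` mapping from input.props above and shows the impersonation headers that the ClusterRole above has to permit when `K8S_IMPERSONATION=true`. The sample token is constructed and unsigned; its issuer, audience and UPN are placeholders, while the opaque `sub` value and the group Object Ids are the ones shown later in the User object. The `Impersonate-Extra-scopes` header covered by the `userextras/scopes` rule is not modelled here.

```python
import base64
import json

# Claim mapping from the gist's configmaps/input.props: the Kubernetes user
# name comes from preferred_username, and the User object's email field is
# filled with AzureAD's opaque, pairwise sub claim (hence the hash-like value).
SUB_CLAIM = "preferred_username"
EMAIL_CLAIM = "sub"


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature.

    Orchestra validates the AzureAD signature before it trusts any claim;
    this helper only exposes what the token carries, for inspection.
    """
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def map_claims(claims: dict) -> dict:
    """Build the spec of the openunison User object the way input.props maps it."""
    return {
        "sub": claims[SUB_CLAIM],                  # becomes the k8s user name
        "email": claims[EMAIL_CLAIM],              # opaque AzureAD sub, not an address
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "groups": list(claims.get("groups", [])),  # AzureAD group Object Ids
    }


def impersonation_headers(spec: dict) -> list:
    """Headers the Orchestra service account adds to API requests when
    K8S_IMPERSONATION=true; the impersonate verbs on users and groups in the
    ClusterRole are what allow the API server to accept them."""
    headers = [("Impersonate-User", spec["sub"])]
    headers.extend(("Impersonate-Group", g) for g in spec["groups"])
    return headers


def make_sample_token() -> str:
    """Constructed, unsigned sample id_token (not a real AzureAD token).

    sub and the group ids match the User object in the gist; issuer,
    audience and UPN are placeholders.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0",
        "aud": "CLIENT_ID_PLACEHOLDER",
        "sub": "uIeZKXikmS0lM9Dev1DmynVHVt8wa2A9fDwN7bVHeF4",
        "preferred_username": "user1@example.onmicrosoft.com",
        "given_name": "Matt",
        "family_name": "Mosley",
        "groups": [
            "212702a6-f1e0-4b7e-aa12-f66a610b119c",
            "b7377031-d4fb-4372-b6a6-9c239d1c6e4d",
        ],
    }
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    spec = map_claims(jwt_claims(make_sample_token()))
    print(json.dumps(spec, indent=2))
    for name, value in impersonation_headers(spec):
        print(f"{name}: {value}")
```

Running it prints the User spec that Orchestra would create from the token and the three impersonation headers; note that the k8s user name is the UPN, not the opaque `sub`, because of the swapped claim mapping.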

## Update to 1.0.18

Change the image in the `orchestra` OpenUnison CR in the `openunison` namespace to `docker.io/mlbiam/openunison-k8s-login-oidc:1.0.18`.

## User Authorization

### AZ by user name

The `sub` attribute on the user's User object in the `openunison` namespace is their user id in k8s. For instance, for:

```yaml
apiVersion: openunison.tremolo.io/v1
kind: User
metadata:
  creationTimestamp: "2019-07-28T23:14:09Z"
  generation: 1
  name: mmosleyx-64-xmarcboorshteintremolosecuri.onmicrosoft.com
  namespace: openunison
  resourceVersion: "5470"
  selfLink: /apis/openunison.tremolo.io/v1/namespaces/openunison/users/mmosleyx-64-xmarcboorshteintremolosecuri.onmicrosoft.com
  uid: 6762c3e9-b18d-11e9-8629-7676c559c084
spec:
  email: uIeZKXikmS0lM9Dev1DmynVHVt8wa2A9fDwN7bVHeF4
  first_name: Matt
  groups:
  - 212702a6-f1e0-4b7e-aa12-f66a610b119c
  - b7377031-d4fb-4372-b6a6-9c239d1c6e4d
  last_name: Mosley
  sub: [email protected]
  uid: mmosleyx-64-xmarcboorshteintremolosecuri.onmicrosoft.com
```

The `sub` attribute is [email protected], so use [email protected] in RoleBinding and ClusterRoleBinding objects.

### Group based AZ

AzureAD puts the user's groups in the id_token for Orchestra using the Object Id of the group in AzureAD. Use this value for RBAC Bindings.
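An added example (not from the gist) that encodes the two rules from the user-name and group sections above: a `User` subject matches only the User object's `spec.sub` value, and a `Group` subject matches only an AzureAD group Object Id. It also renders a RoleBinding in the right shape. The User spec and the bindings are constructed; the group Object Ids are the ones from the User object above, while the UPN is a placeholder because the real one is not shown. Two deliberately wrong bindings show the common mismatches: binding the object's `metadata.name`/`spec.uid` instead of `spec.sub`, and binding a group's display name instead of its Object Id.

```python
# Constructed User spec in the shape of the openunison User object above.
USER_SPEC = {
    "sub": "user1@example.onmicrosoft.com",          # placeholder UPN
    "uid": "user1x-64-xexample.onmicrosoft.com",     # placeholder object name
    "groups": [
        "212702a6-f1e0-4b7e-aa12-f66a610b119c",
        "b7377031-d4fb-4372-b6a6-9c239d1c6e4d",
    ],
}

# Constructed bindings, trimmed to the fields that matter for subject matching.
BINDINGS = [
    {"metadata": {"name": "dev-by-upn"},
     "subjects": [{"kind": "User", "name": "user1@example.onmicrosoft.com"}]},
    # Mismatch 1: the User object's metadata.name / spec.uid is not the k8s user name
    {"metadata": {"name": "dev-by-object-name"},
     "subjects": [{"kind": "User", "name": "user1x-64-xexample.onmicrosoft.com"}]},
    {"metadata": {"name": "dev-by-group-id"},
     "subjects": [{"kind": "Group", "name": "b7377031-d4fb-4372-b6a6-9c239d1c6e4d"}]},
    # Mismatch 2: AzureAD emits group Object Ids in the id_token, not display names
    {"metadata": {"name": "dev-by-group-display-name"},
     "subjects": [{"kind": "Group", "name": "k8s-developers"}]},
]


def subject_matches(subject: dict, user_spec: dict) -> bool:
    """Matching rule the RBAC authorizer applies to the impersonated identity."""
    kind = subject.get("kind")
    if kind == "User":
        return subject["name"] == user_spec["sub"]
    if kind == "Group":
        return subject["name"] in user_spec["groups"]
    return False  # ServiceAccount subjects never match an Orchestra user


def bindings_granting(bindings: list, user_spec: dict) -> list:
    """Names of the bindings that apply to this user, directly or via a group."""
    return [b["metadata"]["name"] for b in bindings
            if any(subject_matches(s, user_spec) for s in b.get("subjects", []))]


def role_binding_yaml(name: str, namespace: str, cluster_role: str, user_spec: dict) -> str:
    """Render a RoleBinding granting `cluster_role` in `namespace` to the user and
    each of their AzureAD groups, using spec.sub and the Object Ids as subjects."""
    lines = [
        "apiVersion: rbac.authorization.k8s.io/v1",
        "kind: RoleBinding",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "subjects:",
        "- kind: User",
        f"  name: {user_spec['sub']}",
        "  apiGroup: rbac.authorization.k8s.io",
    ]
    for group_id in user_spec["groups"]:
        lines += ["- kind: Group", f"  name: {group_id}", "  apiGroup: rbac.authorization.k8s.io"]
    lines += ["roleRef:", "  kind: ClusterRole", f"  name: {cluster_role}",
              "  apiGroup: rbac.authorization.k8s.io"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("bindings that apply:", bindings_granting(BINDINGS, USER_SPEC))
    print(role_binding_yaml("developers", "dev", "edit", USER_SPEC))
```

Against a live cluster the same question is answered by `kubectl auth can-i --list --as=<spec.sub> --as-group=<group-object-id>`, which exercises the same impersonation path Orchestra uses.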
