sassoftware / viya4-iac-azure

This project contains Terraform configuration files to provision infrastructure components required to deploy SAS Viya platform products on Microsoft Azure Cloud.
Apache License 2.0

feat: (IAC-600) Add support for Microsoft Entra authentication with Kubernetes RBAC #381

Closed riragh closed 4 months ago

riragh commented 4 months ago

Changes:

This PR adds support for Microsoft Entra authentication with Kubernetes RBAC. For more details on Microsoft Entra authentication with Kubernetes RBAC see Azure documentation here.

With this new feature, users will have two options to configure Authentication and Authorization in an AKS cluster:

  1. Local Accounts with Kubernetes RBAC. -- Current default
  2. Microsoft Entra authentication with Kubernetes RBAC.

Tests:

Verified the following scenarios:

| Scenario | Task | Cadence | kubernetes_version | Notes |
|---|---|---|---|---|
| 1 | `create_static_kubeconfig = true`, `rbac_aad_enabled = true`, `rbac_aad_admin_group_object_ids = ["****"]` | fast:2020 | 1.28 | Authentication and Authorization is set to Microsoft Entra authentication with Kubernetes RBAC |
| 2 | `create_static_kubeconfig = false`, `rbac_aad_enabled = true`, `rbac_aad_admin_group_object_ids = ["*****"]` | fast:2020 | 1.28 | Authentication and Authorization is set to Microsoft Entra authentication with Kubernetes RBAC |
| 3 | `create_static_kubeconfig = true`, `rbac_aad_enabled = false`, `rbac_aad_admin_group_object_ids = ["*****"]` | fast:2020 | 1.28 | Authentication and Authorization is set to Local Accounts with Kubernetes RBAC |
| 4 | `create_static_kubeconfig = false`, `rbac_aad_enabled = false`, `rbac_aad_admin_group_object_ids = ["**"]` | fast:2020 | 1.28 | Authentication and Authorization is set to Local Accounts with Kubernetes RBAC |
| 5 | OOTB, all defaults | fast:2020 | 1.28 | No changes, Authentication and Authorization is set to Local Accounts with Kubernetes RBAC |
| 6 | `create_static_kubeconfig = false`, `rbac_aad_enabled = true`, `rbac_aad_admin_group_object_ids = null` or not specified | fast:2020 | 1.28 | Authentication and Authorization is set to Microsoft Entra authentication with Kubernetes RBAC |

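As an added illustration (not code from this PR or from viya4-iac-azure), the following Terraform shows how the two options described above map onto an AKS cluster resource: the variable names follow the PR, the resource arguments are the azurerm provider's (3.x is assumed; `managed` was dropped in 4.x), and the cluster name, location, resource group and VM size are placeholders.

```hcl
# Illustrative only. Variable names follow the PR; values are placeholders.
variable "rbac_aad_enabled" {
  type    = bool
  default = false # Option 1 (default): Local Accounts with Kubernetes RBAC
}

variable "rbac_aad_admin_group_object_ids" {
  type    = list(string)
  default = null # optional Entra group object IDs granted cluster-admin
}

# Tenant of the identity running Terraform; assumed to be the cluster's tenant.
data "azurerm_client_config" "current" {}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "example-aks" # placeholder
  location            = "eastus"      # placeholder
  resource_group_name = "example-rg"  # placeholder
  dns_prefix          = "example"     # placeholder

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D4s_v5" # placeholder
  }

  identity {
    type = "SystemAssigned"
  }

  # Kubernetes RBAC is on under both options; only the identity source changes.
  role_based_access_control_enabled = true

  # Option 2: Microsoft Entra authentication with Kubernetes RBAC.
  # The block is emitted only when rbac_aad_enabled = true.
  dynamic "azure_active_directory_role_based_access_control" {
    for_each = var.rbac_aad_enabled ? [1] : []
    content {
      managed                = true
      tenant_id              = data.azurerm_client_config.current.tenant_id
      admin_group_object_ids = var.rbac_aad_admin_group_object_ids
      azure_rbac_enabled     = false # authorization stays with Kubernetes RBAC
    }
  }
}
```

With `rbac_aad_enabled = true` and no admin group (scenario 6), no Entra principal holds cluster-admin through a group binding, so cluster access depends on whatever other bindings or credentials are provisioned.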
thpang commented 4 months ago

What/how is this done in AWS, GCP, OSS, or is this a one-off for Azure? Just because we can does not always mean we should. Again, looking for the driving force on just this very specific Azure request.

riragh commented 4 months ago

> What/how is this done in AWS, GCP, OSS, or is this a one-off for Azure? Just because we can does not always mean we should. Again, looking for the driving force on just this very specific Azure request.

CIS requested this feature via an internal feature request ticket which was scoped and prioritized only for Azure. We have made them aware of the parity we follow across clouds, but as there is no immediate requirement for AWS/GCP we don't have any work there yet.

Carus11 commented 4 months ago

This is useful in other field deployments, and is one modification we need to make on forks from this project. Including it in the project would mean better alignment with best practices, and fewer deviations from this project that a customer would need to maintain manually themselves.