How to enable RBAC on your existing ACS-deployed Kubernetes cluster

In my post about AAD integration with Kubernetes 1.8, I explained how to deploy a Kubernetes 1.8 cluster with RBAC enabled using ACS-Engine. After that post, however, I got a couple of questions about how to enable RBAC on a cluster deployed using Azure Container Service.

Currently in ACS the Kubernetes version is 1.7.7.

$ kubectl get nodes -o wide
NAME                    STATUS    AGE       VERSION   EXTERNAL-IP   OS-IMAGE                      KERNEL-VERSION
k8s-agent-537d3417-0    Ready     1d        v1.7.7    <none>        Debian GNU/Linux 8 (jessie)   4.4.0-98-generic
k8s-agent-537d3417-1    Ready     1d        v1.7.7    <none>        Debian GNU/Linux 8 (jessie)   4.4.0-98-generic
k8s-agent-537d3417-2    Ready     1d        v1.7.7    <none>        Debian GNU/Linux 8 (jessie)   4.4.0-98-generic
k8s-master-537d3417-0   Ready     1d        v1.7.7    <none>        Debian GNU/Linux 8 (jessie)   4.4.0-98-generic

The process to enable RBAC on this cluster is pretty straightforward.

  1. SSH into the master node(s).
  2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml and locate the command property. It should look something like this:
command:
    - "/hyperkube"
    - "apiserver"
    - "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
    - "--address=0.0.0.0"
    - "--allow-privileged"
    - "--insecure-port=8080"
    - "--secure-port=443"
    - "--cloud-provider=azure"
    - "--cloud-config=/etc/kubernetes/azure.json"
    - "--service-cluster-ip-range=10.0.0.0/16"
    - "--etcd-servers=http://127.0.0.1:2379"
    - "--etcd-quorum-read=true"
    - "--advertise-address=10.240.255.15"
    - "--tls-cert-file=/etc/kubernetes/certs/apiserver.crt"
    - "--tls-private-key-file=/etc/kubernetes/certs/apiserver.key"
    - "--client-ca-file=/etc/kubernetes/certs/ca.crt"
    - "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
    - "--storage-backend=etcd2"
    - "--v=4"
  3. Add --authorization-mode=RBAC to the command list.
  4. Reboot the nodes.
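
Steps 2 and 3 can be scripted. The following is an added example, not from the original post: it inserts the flag idempotently, keeps the backup outside the manifests directory, and reports whether the insecure port is still enabled, since requests on that port bypass authentication and authorization and so are not subject to RBAC. The function names and the backup directory argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names and the
# backup directory argument are assumptions.

# flag_value MANIFEST NAME: print the value of apiserver flag --NAME, if set.
flag_value() {
  sed -n "s/^ *- \"\{0,1\}--$2=\([^\"]*\)\"\{0,1\} *\$/\1/p" "$1" | head -n 1
}

# rbac_enabled MANIFEST: true if --authorization-mode lists RBAC.
rbac_enabled() {
  case ",$(flag_value "$1" authorization-mode)," in
    *,RBAC,*) return 0 ;;
    *) return 1 ;;
  esac
}

# insecure_port_open MANIFEST: true if the insecure port is enabled.
# Requests on it skip authentication and authorization, so RBAC does not
# apply to them. An absent flag means the 1.7 default of 8080.
insecure_port_open() {
  local port
  port="$(flag_value "$1" insecure-port)"
  [ "${port:-8080}" != "0" ]
}

# enable_rbac MANIFEST BACKUP_DIR
# Returns 0 if RBAC is (now) enabled, 2 if a different authorization mode
# is already configured and needs a manual decision, 1 on other errors.
enable_rbac() {
  local manifest="$1" backup_dir="$2" tmp
  rbac_enabled "$manifest" && return 0
  [ -z "$(flag_value "$manifest" authorization-mode)" ] || return 2
  # Back up outside the manifests directory: the kubelet loads non-hidden
  # files found there as static pod definitions.
  cp -p "$manifest" "$backup_dir/$(basename "$manifest").bak" || return 1
  tmp="$(mktemp "$backup_dir/apiserver.XXXXXX")" || return 1
  # Insert the flag right after the "apiserver" argument, same indentation.
  awk '{ print }
       !done && /^ *- "?apiserver"? *$/ {
         indent = $0; sub(/-.*/, "", indent)
         print indent "- \"--authorization-mode=RBAC\""
         done = 1
       }' "$manifest" > "$tmp"
  rbac_enabled "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$manifest" && rm -f "$tmp"
}
```

On the master this would be called as `enable_rbac /etc/kubernetes/manifests/kube-apiserver.yaml /root` (the backup directory is a placeholder), followed by `insecure_port_open` on the same file to see whether port 8080 still needs to be dealt with.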

And we are done. After the reboot, follow the instructions in my post about RBAC with AAD on Kubernetes 1.8 to integrate the cluster with your Azure Active Directory domain. Also remember that ACS deploys Kubernetes 1.7, where RBAC was still experimental, so it may behave differently from 1.8.

–Juanma.
