I have a service principal which is an Owner on the subscription that I am using to create an Azure Kubernetes Service cluster as part of a script. I want my cluster to use:
Kubernetes RBAC --> enable
AKS-managed AAD --> enable
Local accounts --> disabled
I would like the same Service Principal creating the cluster to be able to create k8s roles and role bindings; however, in order to do this the Service Principal seems to need a cluster-admin role binding.
When creating the cluster there is the option of adding an array of "admin group object ids", which seems to create cluster-admin role bindings for AD Groups. However, the SPN cannot be a part of a Group.
Is there any way around this process?
I tried to reproduce the same in my environment and got the results as below:
To assign Azure Kubernetes Service RBAC Cluster Admin to a service principal you can make use of the below CLI command:
When I run this command, Kubernetes roles are added successfully, like below:
Alternatively, in Azure AD create a group and add the service principal as a member, like below:
Now, add the group in the cluster configuration, like below:
You can use the below CLI command to create the AKS cluster using the service principal:
Reference:
Use a service principal with Azure Kubernetes Services (AKS) - Azure Kubernetes Service | Microsoft Learn
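As an added example (not code from the answer above), both approaches the answer describes as Azure CLI shell functions: the resource group, cluster name, service principal appId/secret and AAD group object id are assumed inputs, and the cluster is created with `--enable-azure-rbac` because the built-in "Azure Kubernetes Service RBAC Cluster Admin" role only takes effect under Azure RBAC for Kubernetes authorization (the admin-group approach works without it).

```shell
#!/bin/sh
# Added example, not code from the answer. Inputs (resource group, cluster
# name, SP appId/secret, AAD group object id) are assumed; any ids shown
# are constructed placeholders.
set -eu

# Resolve the object id of a service principal from its appId. Newer Azure
# CLI versions return the field as "id" (older ones used "objectId").
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# Option 1 (answer's first approach): grant the built-in data-plane role at
# cluster scope. Requires Azure RBAC for Kubernetes authorization on the
# cluster. --assignee-object-id plus the principal type avoids a Graph
# lookup that the automation SP may not be permitted to perform.
grant_cluster_admin() {
  sp_oid=$1; scope=$2
  az role assignment create \
    --role "Azure Kubernetes Service RBAC Cluster Admin" \
    --assignee-object-id "$sp_oid" \
    --assignee-principal-type ServicePrincipal \
    --scope "$scope"
}

# Option 2 (answer's second approach): a service principal can be a member
# of an AAD group, and that group is passed as an AKS admin group.
add_sp_to_admin_group() {
  az ad group member add --group "$1" --member-id "$2"
}

# Cluster with Kubernetes RBAC, AKS-managed AAD, Azure RBAC, and local
# accounts disabled, as the question asks for.
create_cluster() {
  rg=$1; name=$2; admin_group=$3; app_id=$4; secret=$5
  az aks create -g "$rg" -n "$name" \
    --enable-aad --enable-azure-rbac \
    --aad-admin-group-object-ids "$admin_group" \
    --disable-local-accounts \
    --service-principal "$app_id" --client-secret "$secret"
}

# Run only when explicitly requested, so the functions can be sourced.
if [ "${RUN_AKS_SETUP:-0}" = "1" ]; then
  oid=$(sp_object_id "$SP_APP_ID")
  add_sp_to_admin_group "$ADMIN_GROUP_ID" "$oid"
  create_cluster "$RG" "$CLUSTER" "$ADMIN_GROUP_ID" "$SP_APP_ID" "$SP_SECRET"
  grant_cluster_admin "$oid" "$(az aks show -g "$RG" -n "$CLUSTER" --query id -o tsv)"
fi
```

Run with `RUN_AKS_SETUP=1 RG=... CLUSTER=... SP_APP_ID=... SP_SECRET=... ADMIN_GROUP_ID=... sh setup.sh` after `az login` with an identity that is Owner on the subscription.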