Kubeadmin removal from ARO v4.x

GSIMON 61 Reputation points
2021-01-07T14:06:15.837+00:00

Hi there,

I would like to ask your help to understand the documentation of the ARO v4.x, where explicitly described how to remove kubeadmin. There is security reason behind it clearly, but to do that raises another question:
Is there any Microsoft recommendation for another local user created and granted cluster admin role, or Microsoft suggests to use only the MS Active Directory only to authenticate users on the ARO service? But if only AAD is the only user management, what about if AAD goes down for any reason? so I loose the chance to log in into the cluster? Or will the Openshift cache the users from the Active Directory? I did not find any information about it.

Azure Red Hat OpenShift
Azure Red Hat OpenShift
An Azure service that provides a flexible, self-service deployment of fully managed OpenShift clusters.
87 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,454 questions
{count} votes

Accepted answer
  1. prmanhas-MSFT 17,906 Reputation points Microsoft Employee
    2021-02-02T05:35:31.387+00:00

    @GSIMON Apologies for the delay in response since I missed on notification on this response and was not able to reach out to you earlier.

    I had discussion internally and below is the response:

    Firstly, "the documentation of the ARO v4.x, where explicitly described how to remove kubeadmin." is not an MS doc, it is an openshift doc: https://docs.openshift.com/container-platform/4.6/authentication/remove-kubeadmin.html#removing-kubeadmin_removing-kubeadmin

    Secondly, a regular user being given cluster-admin permissions are simply as it happens to be on Kubernetes. There's no additional recommendation on that front. ReferenceHowever, if he is removing kubeadmin user you:

    • must have configured at least one identity provider.
    • must have added the cluster-admin role to a user.
    • must be logged in as an administrator.

    Reference: https://docs.openshift.com/container-platform/4.6/authentication/remove-kubeadmin.html#removing-kubeadmin_removing-kubeadmin

    You can review Openshift docs for Openshift guidelines:
    https://docs.openshift.com/aro/3/admin_guide/index.html
    https://docs.openshift.com/container-platform/4.6/authentication/understanding-authentication.html#rbac-users_understanding-authentication

    Here is what Microsoft recommends:

    When an Azure Red Hat OpenShift 4 cluster is created, a temporary administrative user is created. Connect to your cluster, add users and groups and configure the appropriate permissions for both.

    Reference: https://learn.microsoft.com/en-us/azure/openshift/migration#authentication

    Now if you want to use AAD then,SLA for AAD: https://azure.microsoft.com/en-us/support/legal/sla/active-directory/v1_0/

    Procedure for AAD integration with ARO:
    https://learn.microsoft.com/en-us/azure/openshift/configure-azure-ad-cli
    https://learn.microsoft.com/en-us/azure/openshift/configure-azure-ad-ui

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.


2 additional answers

Sort by: Most helpful
  1. prmanhas-MSFT 17,906 Reputation points Microsoft Employee
    2021-01-08T06:18:37.223+00:00

    @GSIMON Apologies for the delay in response and all the inconvenience caused because of the issue.

    For improved security and management, Azure Red Hat OpenShift lets you integrate with Azure Active Directory (Azure AD) and use Kubernetes role-based access control (Kubernetes RBAC). You can also monitor the health of your cluster and resources. So basically you can grant access to user based upon your requirement. For example if you give a Reader role to a user on cluster then that particular user will be able to just read the data and not make any changes.

    Similarly if you give contributor role to a user then they will be able to make read and write data as well but that in turn is limited as well.

    This way you do have a complete control over your cluster and since the entrusted users have access to the cluster you can monitor their activity or any changes to AKS cluster in portal itself.

    You can find more info here

    You can indeed configure Identity Provider as well from where user can be redirected to authenticate.

    More information here.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

    1 person found this answer helpful.

  2. GSIMON 61 Reputation points
    2021-02-09T09:00:36.787+00:00

    Sorry for delay. We agreed to remove the kube-admin as our security requirement, and we are going to create a local cluster-admin on ARO with a hard password.
    Thank you for taking care of this question.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.