Kubernetes Operator for automated registration of Azure AD applications

nais/azurerator

Azurerator is a Kubernetes cluster operator for automated registration and lifecycle management of Azure Active Directory applications.

This specific implementation is tailored towards managing Azure AD applications within a single tenant for use in Web APIs, i.e. both application and user authentication and authorization.

For NAIS end-users

See https://doc.nais.io/security/auth/azure-ad

CRD

The operator introduces a new Kind AzureAdApplication (shortname azureapp), and acts upon changes to resources of this kind.

See the spec in liberator for details.

An example resource is available in config/samples/azureadapplication.yaml.

Lifecycle

[lifecycle overview diagram]

See lifecycle for details.

Usage

Installation

make install

Azure AD Setup

You will need the credentials for an Azure AD application with the following Application API permissions for Microsoft Graph (application permissions, not delegated ones, so each requires admin consent in the tenant):

  • Application.ReadWrite.All or Application.ReadWrite.Owned
    • If you use Application.ReadWrite.Owned, Azurerator will only be able to manage applications and service principals that it has created. It will no longer be able to process these resources if it is removed as an owner, unless the Application.ReadWrite.All permission is granted.
  • DelegatedPermissionGrant.ReadWrite.All
  • GroupMember.Read.All (optional, only needed for the groups-assignment feature)
  • Policy.Read.All (optional, only needed for the claims-mapping policies feature)
  • CustomSecAttributeAssignment.ReadWrite.All (optional, only needed for the custom security attributes feature)

Note that Application.ReadWrite.All together with DelegatedPermissionGrant.ReadWrite.All lets the holder add credentials to any application in the tenant and grant consent on its behalf. Treat the operator's client secret accordingly: keep it in a Kubernetes Secret with restricted access, and rotate it.

Finally, in order to ensure that Azurerator may pre-approve delegated API permissions for the managed applications, you will need to find and configure the azure.permissiongrant-resource-id configuration flag.

This ID is the Object ID of the Microsoft Graph service principal (Enterprise Application) in your tenant. The Application ID of Microsoft Graph is the same everywhere, but the Object ID of its service principal is unique to each tenant.

You will find it under either the name of GraphAggregatorService or Microsoft Graph. Look for an Enterprise Application that has an Application ID equal to 00000003-0000-0000-c000-000000000000.

Configuration

Azurerator can be configured using either command-line flags or equivalent environment variables (i.e. `-` and `.` become `_`, the name is upper-cased) with AZURERATOR_ as prefix. E.g.:

azure.auth.client-id -> AZURERATOR_AZURE_AUTH_CLIENT_ID

The following flags are available:

```
--azure.auth.client-id string                                       Client ID for Azure AD authentication
--azure.auth.client-secret string                                   Client secret for Azure AD authentication
--azure.delay.between-modifications duration                        Delay between modification operations to the Graph API. (default 3s)
--azure.features.app-role-assignment-required.enabled               Enable 'appRoleAssignmentRequired' for service principals.
--azure.features.claims-mapping-policies.id string                  Claims-mapping policy ID for custom claims mapping
--azure.features.claims-mapping-policies.enabled                    Assign custom claims-mapping policies to a service principal
--azure.features.custom-security-attributes.enabled                 Set custom security attributes on service principals (attribute set of 'Applications': 'ManagedBy': 'NAIS')
--azure.features.cleanup-orphans.enabled                            Enable cleanup of orphaned resources.
--azure.features.group-membership-claim.default string              Default group membership claim for Azure AD apps. Only affects new registrations. (default "ApplicationGroup")
--azure.features.groups-assignment.all-users-group-id string        Group ID that contains all users in the tenant. Assigned to all applications by default unless overridden by user in the custom resource.
--azure.features.groups-assignment.enabled                          Assign groups to applications
--azure.pagination.max-pages int                                    Max number of pages to fetch when fetching paginated resources from the Graph API. (default 1000)
--azure.permissiongrant-resource-id string                          Object ID for Graph API permissions grant ('GraphAggregatorService' or 'Microsoft Graph' in Enterprise Applications under 'Microsoft Applications')
--azure.tenant.id string                                            Tenant ID for Azure AD
--azure.tenant.name string                                          Alias/name of tenant for Azure AD
--cluster-name string                                               The cluster in which this application should run
--controller.context-timeout duration                               Context timeout for the reconciliation loop in the controller. (default 5m0s)
--kafka.brokers strings                                             Comma-separated list of Kafka brokers, HOST:PORT. (default [localhost:9092])
--kafka.enabled                                                     Toggle for enabling Kafka to allow synchronization of events between Azurerator instances.
--kafka.max-processing-time duration                                Maximum processing time of Kafka messages. (default 10s)
--kafka.retry-interval duration                                     Retry interval for Kafka operations. (default 5s)
--kafka.tls.ca-path string                                          Path to Kafka TLS CA certificate.
--kafka.tls.certificate-path string                                 Path to Kafka TLS certificate.
--kafka.tls.enabled                                                 Use TLS for connecting to Kafka.
--kafka.tls.private-key-path string                                 Path to Kafka TLS private key.
--kafka.topic string                                                Name of the Kafka topic that Azurerator should use. (default "azurerator-events")
--leader-election.enabled                                           Leader election toggle.
--leader-election.namespace string                                  Leader election namespace.
--metrics-address string                                            The address the metric endpoint binds to. (default ":8080")
--secret-rotation.cleanup                                           Clean up unused credentials in Azure AD after rotation. (default true)
--secret-rotation.max-age duration                                  Maximum duration since last rotation before triggering rotation on next reconciliation, regardless of secret name being changed. (default 2880h0m0s)
--validations.tenant.required                                       If true, will only process resources that have a tenant defined in the spec
```

At minimum, the following configuration should be provided:

  • azure.auth.client-id
  • azure.auth.client-secret
  • azure.permissiongrant-resource-id
  • azure.tenant.id
  • azure.tenant.name
  • cluster-name

Equivalently, one can specify these properties using JSON, TOML, YAML, HCL, envfile and Java properties config files. Azurerator looks for a file named azurerator.<ext> in the directories [., /etc/azurerator/].

Example configuration in YAML:

```yaml
# ./azurerator.yaml
azure:
  auth:
    client-id: ""
    client-secret: ""
  tenant:
    id: ""
    name: "local.test" # e.g. your domain
  permissiongrant-resource-id: ""
cluster-name: minikube
```
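The Azure AD setup and the minimal configuration above can be wired together in a small pre-flight script. The following is an added example, not part of the azurerator repository: it derives the AZURERATOR_* variable names with the documented mapping, looks up the tenant-specific Object ID of the Microsoft Graph service principal with the Azure CLI (assumed to be installed and logged in to the target tenant; on current Azure CLI releases the field is `id`, older releases exposed it as `objectId`), and refuses to continue if any required setting is missing or an ID is not a GUID.

```shell
#!/bin/sh
# Added example (not from the azurerator repository): assemble and sanity-check
# the minimal AZURERATOR_* configuration before starting the operator.
set -eu

# Map a flag name to its environment variable: '-' and '.' become '_',
# the name is upper-cased and prefixed with AZURERATOR_.
flag_to_env() {
  printf 'AZURERATOR_%s' "$(printf '%s' "$1" | tr '.-' '__' | tr '[:lower:]' '[:upper:]')"
}

# Well-known Application (client) ID of Microsoft Graph; identical in every
# tenant, unlike the Object ID of its service principal.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# Tenant-specific Object ID of the Microsoft Graph service principal
# (assumes 'az login' against the target tenant; field name 'id' assumed).
graph_sp_object_id() {
  az ad sp list --filter "appId eq '${GRAPH_APP_ID}'" --query '[0].id' -o tsv
}

is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Return non-zero if a required setting is unset or an ID is malformed.
check_required() {
  bad=0
  for flag in azure.auth.client-id azure.auth.client-secret \
              azure.permissiongrant-resource-id azure.tenant.id \
              azure.tenant.name cluster-name; do
    var="$(flag_to_env "$flag")"
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "missing: $var (flag --$flag)" >&2
      bad=1
    fi
  done
  for flag in azure.auth.client-id azure.permissiongrant-resource-id azure.tenant.id; do
    var="$(flag_to_env "$flag")"
    eval "val=\${$var:-}"
    if [ -n "$val" ] && ! is_guid "$val"; then
      echo "not a GUID: $var" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Usage: export the client ID/secret, tenant ID/name and cluster name, then
#   ./preflight.sh --setup
if [ "${1:-}" = "--setup" ]; then
  AZURERATOR_AZURE_PERMISSIONGRANT_RESOURCE_ID="$(graph_sp_object_id)"
  export AZURERATOR_AZURE_PERMISSIONGRANT_RESOURCE_ID
  check_required && echo "configuration complete"
fi
```

The GUID check catches the common mistake of pasting the Application ID (00000003-…) or a display name where the service principal's Object ID is expected; both would otherwise only surface as a Graph API error at the first reconciliation.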

Development

After configuration, assuming you have a Kubernetes cluster running locally (e.g. using minikube):

```sh
ulimit -n 4096  # for controller-gen
make run        # starts the controller
# in another terminal, apply an AzureAdApplication resource
make sample
```

Kubebuilder is required for running the tests. Install with make kubebuilder.

Verifying the Azurerator image and its contents

The image is signed "keylessly" using Sigstore cosign. To verify its authenticity, run

```sh
cosign verify \
  --certificate-identity "https://github.com/nais/azurerator/.github/workflows/main.yml@refs/heads/master" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/nais/azurerator@sha256:<shasum>
```

The images are also attested with SBOMs in the CycloneDX format. You can verify these by running

```sh
cosign verify-attestation --type cyclonedx \
  --certificate-identity "https://github.com/nais/azurerator/.github/workflows/main.yml@refs/heads/master" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/nais/azurerator@sha256:<shasum>
```

Verify by digest, as above, rather than by tag: a tag can be moved to a different image after you have verified it, whereas the digest identifies exactly the image that was signed. Deploy the same digest you verified.
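The two verification commands above can be combined into a gate that refuses anything but a digest-pinned reference, checks both the signature and the attestation against the published signer identity, and extracts the CycloneDX SBOM for inspection. This is an added example, not a script from the azurerator repository; it assumes cosign and jq are installed, and that the attestation payload is the usual base64-encoded in-toto statement whose `predicate` holds the SBOM.

```shell
#!/bin/sh
# Added example (not from the azurerator repository): verify an Azurerator
# image signature and its CycloneDX SBOM attestation before deploying it.
set -eu

# Signer identity published by the project: the main.yml workflow on the
# master branch of nais/azurerator, authenticated by GitHub's OIDC issuer.
CERT_IDENTITY="https://github.com/nais/azurerator/.github/workflows/main.yml@refs/heads/master"
CERT_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Accept only digest-pinned references to this image: a tag can be re-pointed
# after verification, a sha256 digest cannot.
is_digest_ref() {
  printf '%s' "$1" | grep -Eq '^ghcr\.io/nais/azurerator@sha256:[0-9a-f]{64}$'
}

# The digest part of a pinned reference, for reuse in the deployment manifest.
digest_of() {
  printf '%s' "${1##*@}"
}

verify_image() {
  ref="$1"
  is_digest_ref "$ref" || { echo "refusing non-digest reference: $ref" >&2; return 1; }

  # Signature: fails unless the certificate identity and issuer both match.
  cosign verify \
    --certificate-identity "$CERT_IDENTITY" \
    --certificate-oidc-issuer "$CERT_OIDC_ISSUER" \
    "$ref" >/dev/null

  # Attestation: same identity constraints; the SBOM is the in-toto predicate
  # inside the base64-encoded payload (jq assumed to be available).
  cosign verify-attestation --type cyclonedx \
    --certificate-identity "$CERT_IDENTITY" \
    --certificate-oidc-issuer "$CERT_OIDC_ISSUER" \
    "$ref" | jq -r '.payload | @base64d | fromjson | .predicate' > sbom.cdx.json

  echo "verified $(digest_of "$ref"); SBOM written to sbom.cdx.json"
}

# Usage: ./verify-azurerator.sh ghcr.io/nais/azurerator@sha256:<shasum>
if [ $# -eq 1 ]; then
  verify_image "$1"
fi
```

Pinning the identity to the workflow path and branch means a signature produced by a different workflow, fork or branch fails verification even though it would chain to the same Sigstore root; loosen the identity only deliberately.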
