Guard with Azure


#1

Hi,

Goal: install guard on Azure.

Do you have a guard installation on Azure example?

I am following guard installation process.
My problem is with the Initialize PKI step.

In the given example, guard init server --ips=10.96.10.96,
can you please provide a YAML sample to create the predefined Service ClusterIP?

Also:
After running the command guard get installer --auth-providers=azure installer.yaml I get the following error:
[client secret must be non-empty]

What is the client secret?


#2

There is an official guide here about how to set up for Azure. You can follow that.
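The Service with a predefined ClusterIP that post #1 asks about, as an added example that is not from this thread or from the Guard project's own manifests. It pins spec.clusterIP to the same address that was passed to guard init server, so the address the API server connects to matches the one the server certificate was issued for. The namespace, the selector label and the port are assumptions and must match whatever the guard server Deployment actually uses.

```yaml
# Added example, not from the thread or the Guard project.
# Fixes the Service address to the value given to `guard init server --ips=...`.
# The address must lie inside the cluster's service CIDR and be unused,
# otherwise the API server rejects the object.
apiVersion: v1
kind: Service
metadata:
  name: guard
  namespace: kube-system        # assumption: namespace of the guard server Deployment
spec:
  type: ClusterIP
  clusterIP: 10.96.10.96        # address from post #1; must equal the --ips value
  selector:
    app: guard                  # assumption: label carried by the guard server pods
  ports:
  - name: api
    port: 443                   # assumption: port the guard server listens on
    targetPort: 443
    protocol: TCP
```

Apply it with kubectl apply -f before pointing the API server's webhook token authentication config at https://10.96.10.96; if the selector does not match the server pods, the Service gets no endpoints and every authentication request fails closed.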


#3

Platform: Azure.

Problem:
After finishing the tutorial I get the following message:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code xxxxxxx to authenticate.
Error from server (Forbidden): pods is forbidden: User “https://sts.windows.net/xxxxxx/#xxxxx” cannot list pods in the namespace “default”

Seems the cache saves the status.
Questions:

  1. How do I clean the cache so I will be able to apply the request again?
  2. How do I give permissions to list the pods or any other command?

Thank you.


#4

You can use RBAC to set permissions for a user or group. For example, let's say you successfully set up guard for your Azure organization. Your organization has teams teamA and teamB. For example, you want to give read access permission on your cluster to your team teamA. Then the RBAC role would be:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-view-role
subjects:
- kind: Group
  name: teamA
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

You can also give permission to an individual user.


#5

Thank you for your response.
When I configure a User in the ClusterRoleBinding, it works.
My goal is to make it work with Group.
Do I need to set the Group name in a specific way?

The example given for Azure is for User.

subjects:


#6

Sorry for being late.

Please note that, since the 0.2.1 release, Guard server will return AAD group uid as groups in UserInfo. To use AAD group names, set the --azure.use-group-uid=false flag on the Guard server binary. Please note that multiple AAD groups can use the same name. Consider the potential security implications of using group names in UserInfo.

For groups it should work. Group names should be the same as they appear in Azure.
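The bindings discussed in post #4 (group and individual user) and post #6 (group uid versus group name), as an added example that is not from this thread or from the Guard project. It shows the Group subject written both ways, depending on the --azure.use-group-uid setting, and an individual User bound with a namespaced RoleBinding instead of a cluster-wide one. The group object id, the user principal string and the binding names are placeholders.

```yaml
# Added example, not from the thread or the Guard project.
# Group subject when Guard runs with --azure.use-group-uid=false:
# the name is the AAD display name, exactly as it appears in Azure.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: teama-cluster-view
subjects:
- kind: Group
  name: teamA                                  # AAD group display name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
# Same binding with Guard's default since 0.2.1 (group uid in UserInfo):
# the subject name is the AAD group object id, which stays unique even when
# two groups share a display name, so it cannot be spoofed by creating a
# second group with the same name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: teama-cluster-view-by-uid
subjects:
- kind: Group
  name: 00000000-0000-0000-0000-000000000000   # placeholder: AAD group object id
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
# Individual user, limited to one namespace with a RoleBinding. The name is the
# user string Guard returns in UserInfo; post #3 shows the API server reporting
# it in the form "https://sts.windows.net/<tenant>/#<id>". Placeholder below.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-default-view
  namespace: default
subjects:
- kind: User
  name: "https://sts.windows.net/<tenant-id>/#<user-id>"   # placeholder
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Only one of the two Group bindings applies to a given cluster: whichever form (name or uid) matches what the Guard server actually puts in UserInfo, so pick the one that matches the server's --azure.use-group-uid setting and drop the other. The RoleBinding is what resolves the "cannot list pods in the namespace default" error from post #3 for that user. A cluster admin can check the outcome without logging in as the user by impersonating the subject: kubectl auth can-i list pods --as="<user string>" --as-group=teamA -n default.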