{"id":438,"date":"2020-01-03T04:22:43","date_gmt":"2020-01-03T03:22:43","guid":{"rendered":"https:\/\/aymen-segni.com\/?p=438"},"modified":"2020-01-03T04:36:11","modified_gmt":"2020-01-03T03:36:11","slug":"secure-aks-at-the-deployment-part-2","status":"publish","type":"post","link":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/","title":{"rendered":"Secure AKS at the deployment &#8211; part 2 &#8211;"},"content":{"rendered":"\n<h2 class=\"has-vivid-cyan-blue-color has-text-color wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Welcome to the Azure AKS Kubernetes deployment security workshop.<br>We won&#8217;t spend too much time presenting AKS, a service that has become very popular in recent months.<br>In brief, AKS is Microsoft\u2019s new managed container orchestration service. It is gradually replacing Azure Container Service and focuses only on the Cloud Native Computing Foundation (CNCF) Kubernetes orchestration engine.<br>In the last lab, <span style=\"text-decoration: underline;\"><a rel=\"noreferrer noopener\" aria-label=\"Create a Kubernetes cluster with Azure AKS using Terraform (opens in a new tab)\" href=\"https:\/\/aymen-segni.com\/index.php\/2019\/12\/24\/create-a-kubernetes-cluster-with-azure-aks-using-terraform\/\" target=\"_blank\">Create a Kubernetes cluster with Azure AKS using Terraform<\/a>,<\/span> we discussed the Azure Kubernetes Service (AKS) basics, the Infrastructure as Code (IaC) mechanism with a focus on HashiCorp Terraform, and how to deploy a Kubernetes cluster on AKS using Terraform.<br>With this lab, you\u2019ll go through tasks that will help you master the basic and more advanced topics required to secure an Azure AKS Kubernetes cluster at the deployment level, based on the following mechanisms and technologies:<\/p>\n\n\n\n<ol class=\"ul-black wp-block-list\"><li>\u2705Azure AD <a rel=\"noreferrer noopener\" aria-label=\"AAD (opens in a new tab)\" 
href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/fundamentals\/active-directory-whatis\" target=\"_blank\"><span style=\"text-decoration: underline;\">(AAD)<\/span><\/a><\/li><li>\u2705AKS with Role-Based Access Control <span style=\"text-decoration: underline;\"><a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"RBAC (opens in a new tab)\">(RBAC)<\/a><\/span><\/li><li>\u2705Container Network Interface <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/containernetworking\/cni\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"CNI (opens in a new tab)\">(CNI)<\/a><\/span><\/li><li>\u2705Azure <span style=\"text-decoration: underline;\"><a rel=\"noreferrer noopener\" aria-label=\"Network policy (opens in a new tab)\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/aks\/use-network-policies\" target=\"_blank\">Network policy<\/a><\/span><\/li><li>\u2705Azure <span style=\"text-decoration: underline;\"><a rel=\"noreferrer noopener\" aria-label=\"Key Vault (opens in a new tab)\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/key-vault\/basic-concepts\" target=\"_blank\">Key Vault<\/a><\/span><\/li><\/ol>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>This article is part of a 
series:<\/p>\n\n\n\n<ul class=\"ul-black wp-block-list\"><li><a rel=\"noreferrer noopener\" aria-label=\"Secure AKS at the deployment: part 1 (opens in a new tab)\" href=\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-1\/\" target=\"_blank\">Secure AKS at the deployment: part 1<\/a><\/li><li>Secure AKS at the deployment: part 2<\/li><li><a href=\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-3\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Secure AKS at the deployment: part 3 (opens in a new tab)\"><span style=\"text-decoration: underline;\">Secure AKS at the deployment: part 3<\/span><\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"has-vivid-cyan-blue-color has-text-color wp-block-heading\">Assumptions and Prerequisites<\/h2>\n\n\n\n<ul class=\"ul-black wp-block-list\"><li>You have basic knowledge of&nbsp;<a rel=\"noreferrer noopener\" aria-label=\"Azure (opens in a new tab)\" href=\"https:\/\/azure.microsoft.com\/en-us\/\" target=\"_blank\">Azure<\/a><\/li><li>You have basic knowledge of&nbsp;<a rel=\"noreferrer noopener\" aria-label=\"Kubernetes (opens in a new tab)\" href=\"https:\/\/kubernetes.io\/\" target=\"_blank\">Kubernetes<\/a><\/li><li>You have&nbsp;<a rel=\"noreferrer noopener\" aria-label=\"Terraform (opens in a new tab)\" href=\"https:\/\/learn.hashicorp.com\/terraform\/getting-started\/install.html\" target=\"_blank\"><span style=\"text-decoration: underline;\">Terraform<\/span><\/a>&nbsp;installed on your local machine<\/li><li>You have basic experience with Terraform<\/li><li>Azure subscription: sign up for an Azure account if you don\u2019t own one already. 
You will receive USD 200 in free credits.<\/li><\/ul>\n\n\n\n<h2 class=\"has-vivid-cyan-blue-color has-text-color wp-block-heading\">Implement RBAC to secure AKS at the deployment<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/kubernetes-security-1024x519.png\" alt=\"Secure AKS at the deployment\" class=\"wp-image-453\" width=\"551\" height=\"278\" srcset=\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/kubernetes-security.png 1024w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/kubernetes-security.png 300w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/kubernetes-security.png 768w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/kubernetes-security.png 1076w\" sizes=\"auto, (max-width: 551px) 100vw, 551px\" \/><\/figure><\/div>\n\n\n\n<p>In this part, we will continue our exploration of the use of Azure Active Directory (AAD). 
We will detail the deployment steps with Terraform, the Azure provider and Kubernetes in order to implement the RBAC authentication mechanism with Azure AKS Kubernetes.<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-dark-gray-color has-pale-cyan-blue-background-color\">\u2139\ufe0f <strong>Note<\/strong><br>This implementation is based on the last Infra as Code lab: <span style=\"text-decoration: underline;\"><a href=\"https:\/\/aymen-segni.com\/index.php\/2019\/12\/24\/create-a-kubernetes-cluster-with-azure-aks-using-terraform\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Create a Kubernetes cluster with Azure AKS using Terraform (opens in a new tab)\">Create a Kubernetes cluster with Azure AKS using Terraform<\/a><\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1- Deployment of an AKS cluster integrated with Azure AD<\/h3>\n\n\n\n<p>Now that the prerequisites are done at the Azure AD level, we can deploy the AKS cluster using a Terraform config. For the AKS resource, we use <code>azurerm_kubernetes_cluster<\/code>.<\/p>\n\n\n\n<p>The first step is to obtain the source code from <a rel=\"noreferrer noopener\" aria-label=\"Github (opens in a new tab)\" href=\"http:\/\/github.com\/AymenSegni\/\" target=\"_blank\"><span style=\"text-decoration: underline;\">Github<\/span><\/a>. 
Alternatively, you can update your own Terraform implementation by following the steps below.<\/p>\n\n\n\n<p>This will clone the sample repository and make it the current directory:<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-light-gray-color has-very-dark-gray-background-color\">|&#8211;\u2af8&nbsp;git clone https:\/\/github.com\/AymenSegni\/azure-aks-k8s-tf.git<br>|&#8211;\u2af8&nbsp;cd azure-aks-k8s-tf<\/p>\n\n\n\n<p>Next, we need to update (with your preferred editor) the main resources of the <strong>aks-cluster<\/strong> module to integrate AAD into the deployment.<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-light-gray-color has-very-dark-gray-background-color\">|&#8211;\u2af8&nbsp; vi src\/modules\/aks-cluster\/main.tf<\/p>\n\n\n\n<p>Inside, update the Terraform code as shown below, then save and close.<\/p>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\n<style>.gist table { margin-bottom: 0; }<\/style><div style=\"tab-size: 8\" id=\"gist100268101\" class=\"gist\">\n    <div class=\"gist-file\" translate=\"no\" data-color-mode=\"light\" data-light-theme=\"light\">\n      <div class=\"gist-data\">\n        \n<div class=\"js-gist-file-update-container js-task-list-container\">\n      <div id=\"file-aad-aks-cluster-tf\" class=\"file my-2\">\n    \n    <div itemprop=\"text\"\n      class=\"Box-body p-0 blob-wrapper data type-hcl  \"\n      style=\"overflow: auto\" tabindex=\"0\" role=\"region\"\n      aria-label=\"aad-aks-cluster.tf content, created by AymenSegni on 10:43PM on December 27, 2019.\"\n    >\n\n        \n<div class=\"js-check-hidden-unicode js-blob-code-container blob-code-content\">\n\n  
<table data-hpc class=\"highlight tab-size js-file-line-container\" data-tab-size=\"4\" data-paste-markdown-skip data-tagsearch-path=\"aad-aks-cluster.tf\">\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L1\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"1\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC1\" 
class=\"blob-code blob-code-inner js-file-line\">resource &quot;azurerm_kubernetes_cluster&quot; &quot;cluster&quot; {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L2\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"2\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC2\" class=\"blob-code blob-code-inner js-file-line\">  name                = var.cluster_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L3\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"3\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC3\" class=\"blob-code blob-code-inner js-file-line\">  location            = var.location<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L4\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"4\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC4\" class=\"blob-code blob-code-inner js-file-line\">  resource_group_name = var.resource_group_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L5\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"5\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC5\" class=\"blob-code blob-code-inner js-file-line\">  dns_prefix          = var.dns_prefix<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L6\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"6\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC6\" class=\"blob-code blob-code-inner js-file-line\">  kubernetes_version  = var.kubernetes_version<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L7\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"7\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC7\" class=\"blob-code blob-code-inner js-file-line\">  <\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L8\" 
class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"8\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC8\" class=\"blob-code blob-code-inner js-file-line\">  agent_pool_profile {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L9\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"9\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC9\" class=\"blob-code blob-code-inner js-file-line\">    name            = var.agent_pool_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L10\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"10\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC10\" class=\"blob-code blob-code-inner js-file-line\">    count           = var.node_count<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L11\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"11\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC11\" class=\"blob-code blob-code-inner js-file-line\">    vm_size         = var.vm_size<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L12\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"12\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC12\" class=\"blob-code blob-code-inner js-file-line\">    os_type         = var.os_type<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L13\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"13\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC13\" class=\"blob-code blob-code-inner js-file-line\">    os_disk_size_gb = var.os_disk_size_gb<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L14\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"14\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC14\" class=\"blob-code blob-code-inner js-file-line\">    vnet_subnet_id  = 
var.vnet_subnet_id<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L15\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"15\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC15\" class=\"blob-code blob-code-inner js-file-line\">    max_pods        = var.max_pods<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L16\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"16\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC16\" class=\"blob-code blob-code-inner js-file-line\">    type            = var.agent_pool_type<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L17\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"17\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC17\" class=\"blob-code blob-code-inner js-file-line\">  }<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L18\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"18\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC18\" class=\"blob-code blob-code-inner js-file-line\">  <\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L19\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"19\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC19\" class=\"blob-code blob-code-inner js-file-line\">  network_profile {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L20\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"20\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC20\" class=\"blob-code blob-code-inner js-file-line\">    network_plugin     = var.network_plugin<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L21\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"21\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC21\" class=\"blob-code blob-code-inner 
js-file-line\">    network_policy     = &quot;calico&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L22\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"22\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC22\" class=\"blob-code blob-code-inner js-file-line\">    service_cidr       = var.service_cidr<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L23\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"23\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC23\" class=\"blob-code blob-code-inner js-file-line\">    dns_service_ip     = &quot;10.0.0.10&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L24\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"24\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC24\" class=\"blob-code blob-code-inner js-file-line\">    docker_bridge_cidr = &quot;172.17.0.1\/16&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L25\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"25\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC25\" class=\"blob-code blob-code-inner js-file-line\">  }<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L26\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"26\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC26\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L27\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"27\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC27\" class=\"blob-code blob-code-inner js-file-line\">  service_principal {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L28\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"28\"><\/td>\n          <td 
id=\"file-aad-aks-cluster-tf-LC28\" class=\"blob-code blob-code-inner js-file-line\">    client_id     = var.client_id<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L29\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"29\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC29\" class=\"blob-code blob-code-inner js-file-line\">    client_secret = var.client_secret<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L30\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"30\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC30\" class=\"blob-code blob-code-inner js-file-line\">  }<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L31\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"31\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC31\" class=\"blob-code blob-code-inner js-file-line\">  role_based_access_control {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L32\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"32\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC32\" class=\"blob-code blob-code-inner js-file-line\">    enabled           = true<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L33\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"33\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC33\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L34\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"34\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC34\" class=\"blob-code blob-code-inner js-file-line\">    azure_active_directory {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L35\" class=\"blob-num js-line-number js-blob-rnum\" 
data-line-number=\"35\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC35\" class=\"blob-code blob-code-inner js-file-line\">      client_app_id       = var.AADCliAppId<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L36\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"36\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC36\" class=\"blob-code blob-code-inner js-file-line\">      server_app_id       = var.AADServerAppId<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L37\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"37\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC37\" class=\"blob-code blob-code-inner js-file-line\">      server_app_secret   = var.AADServerAppSecret<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L38\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"38\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC38\" class=\"blob-code blob-code-inner js-file-line\">      tenant_id           = var.AADTenantId<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L39\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"39\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC39\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L40\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"40\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC40\" class=\"blob-code blob-code-inner js-file-line\">    }<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L41\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"41\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC41\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L42\" 
class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"42\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC42\" class=\"blob-code blob-code-inner js-file-line\">  }<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L43\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"43\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC43\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L44\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"44\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC44\" class=\"blob-code blob-code-inner js-file-line\"> tags = {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L45\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"45\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC45\" class=\"blob-code blob-code-inner js-file-line\">        Environment = &quot;Development&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L46\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"46\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC46\" class=\"blob-code blob-code-inner js-file-line\">    }<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L47\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"47\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC47\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L48\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"48\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC48\" class=\"blob-code blob-code-inner js-file-line\">  lifecycle {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L49\" class=\"blob-num js-line-number js-blob-rnum\" 
data-line-number=\"49\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC49\" class=\"blob-code blob-code-inner js-file-line\">    prevent_destroy = true<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L50\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"50\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC50\" class=\"blob-code blob-code-inner js-file-line\">  }<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aad-aks-cluster-tf-L51\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"51\"><\/td>\n          <td id=\"file-aad-aks-cluster-tf-LC51\" class=\"blob-code blob-code-inner js-file-line\">}<\/td>\n        <\/tr>\n  <\/table>\n<\/div>\n\n\n    <\/div>\n\n  <\/div>\n\n<\/div>\n\n      <\/div>\n      <div class=\"gist-meta\">\n        <a href=\"https:\/\/gist.github.com\/AymenSegni\/8b0c1ad3d6de36deea6c78ac9683127e\/raw\/98ecd0e3257ca7a27a057e1f2d4f6a183814ccb4\/aad-aks-cluster.tf\" style=\"float:right\" class=\"Link--inTextBlock\">view raw<\/a>\n        <a href=\"https:\/\/gist.github.com\/AymenSegni\/8b0c1ad3d6de36deea6c78ac9683127e#file-aad-aks-cluster-tf\" class=\"Link--inTextBlock\">\n          aad-aks-cluster.tf\n        <\/a>\n        hosted with &#10084; by <a class=\"Link--inTextBlock\" href=\"https:\/\/github.com\">GitHub<\/a>\n      <\/div>\n    <\/div>\n<\/div>\n\n<\/div><\/figure>\n\n\n\n<p>The most important block for AAD integration is <code>role_based_access_control<\/code>. Obviously, <strong>RBAC<\/strong> must be activated, so the <code>enabled<\/code> parameter must have the value <code>true<\/code>. 
Second, we must reference the AAD applications prepared in the previous sections: the server application secret, the application IDs of the two applications, and the Azure Active Directory tenant ID.<\/p>\n\n\n\n<p>Hard-coding this information is not a good practice, so we use <strong>Azure Key Vault<\/strong> to supply the values of these variables when calling the module, as shown below.<br>To properly secure access to the Key Vault, it\u2019s of course necessary to define an access policy that gives the application Terraform uses for deployment read-only access to the secrets.<\/p>\n\n\n\n<p>The next step is to update the root cluster deployment so that it calls the AAD-integrated <strong>aks-cluster<\/strong> Terraform module.<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-light-gray-color has-very-dark-gray-background-color\">|&#8211;\u2af8&nbsp; vi src\/deployment\/main.tf<\/p>\n\n\n\n<p>Inside, update the Terraform code as shown below, then save and close.<\/p>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\n<style>.gist table { margin-bottom: 0; }<\/style><div style=\"tab-size: 8\" id=\"gist100278621\" class=\"gist\">\n    <div class=\"gist-file\" translate=\"no\" data-color-mode=\"light\" data-light-theme=\"light\">\n      <div class=\"gist-data\">\n        \n<div class=\"js-gist-file-update-container js-task-list-container\">\n      <div id=\"file-aks-with-aad-main-deployment-tf\" class=\"file my-2\">\n    \n    <div itemprop=\"text\"\n      class=\"Box-body p-0 blob-wrapper data type-hcl  \"\n      style=\"overflow: auto\" tabindex=\"0\" role=\"region\"\n      aria-label=\"aks-with-aad-main-deployment.tf content, created by AymenSegni on 07:01PM on December 28, 2019.\"\n    >\n\n        \n<div class=\"js-check-hidden-unicode js-blob-code-container blob-code-content\">\n\n  
<table data-hpc class=\"highlight tab-size js-file-line-container\" data-tab-size=\"4\" data-paste-markdown-skip 
data-tagsearch-path=\"aks-with-aad-main-deployment.tf\">\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L1\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"1\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC1\" class=\"blob-code blob-code-inner js-file-line\"># Cluster Resource Group<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L2\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"2\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC2\" class=\"blob-code blob-code-inner js-file-line\">resource &quot;azurerm_resource_group&quot; &quot;aks&quot; {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L3\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"3\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC3\" class=\"blob-code blob-code-inner js-file-line\">  name     = var.resource_group_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L4\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"4\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC4\" class=\"blob-code blob-code-inner js-file-line\">  location = var.location<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L5\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"5\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC5\" class=\"blob-code blob-code-inner js-file-line\">}<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L6\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"6\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC6\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td 
id=\"file-aks-with-aad-main-deployment-tf-L7\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"7\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC7\" class=\"blob-code blob-code-inner js-file-line\"># AKS Cluster Network<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L8\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"8\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC8\" class=\"blob-code blob-code-inner js-file-line\">module &quot;aks_network&quot; {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L9\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"9\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC9\" class=\"blob-code blob-code-inner js-file-line\">  source              = &quot;..\/modules\/aks_network&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L10\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"10\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC10\" class=\"blob-code blob-code-inner js-file-line\">  subnet_name         = var.subnet_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L11\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"11\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC11\" class=\"blob-code blob-code-inner js-file-line\">  vnet_name           = var.vnet_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L12\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"12\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC12\" class=\"blob-code blob-code-inner js-file-line\">  resource_group_name = azurerm_resource_group.aks.name<\/td>\n        <\/tr>\n        <tr>\n          <td 
id=\"file-aks-with-aad-main-deployment-tf-L13\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"13\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC13\" class=\"blob-code blob-code-inner js-file-line\">  subnet_cidr         = var.subnet_cidr<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L14\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"14\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC14\" class=\"blob-code blob-code-inner js-file-line\">  location            = var.location<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L15\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"15\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC15\" class=\"blob-code blob-code-inner js-file-line\">  address_space       = var.address_space<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L16\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"16\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC16\" class=\"blob-code blob-code-inner js-file-line\">}<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L17\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"17\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC17\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L18\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"18\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC18\" class=\"blob-code blob-code-inner js-file-line\"># AKS IDs<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L19\" class=\"blob-num js-line-number js-blob-rnum\" 
data-line-number=\"19\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC19\" class=\"blob-code blob-code-inner js-file-line\">module &quot;aks_identities&quot; {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L20\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"20\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC20\" class=\"blob-code blob-code-inner js-file-line\">  source       = &quot;..\/modules\/aks_identities&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L21\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"21\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC21\" class=\"blob-code blob-code-inner js-file-line\">  cluster_name = var.cluster_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L22\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"22\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC22\" class=\"blob-code blob-code-inner js-file-line\">}<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L23\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"23\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC23\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L24\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"24\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC24\" class=\"blob-code blob-code-inner js-file-line\"># AKS Log Analytics<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L25\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"25\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC25\" 
class=\"blob-code blob-code-inner js-file-line\">module &quot;log_analytics&quot; {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L26\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"26\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC26\" class=\"blob-code blob-code-inner js-file-line\">  source                           = &quot;..\/modules\/log_analytics&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L27\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"27\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC27\" class=\"blob-code blob-code-inner js-file-line\">  resource_group_name              = azurerm_resource_group.aks.name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L28\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"28\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC28\" class=\"blob-code blob-code-inner js-file-line\">  log_analytics_workspace_location = var.log_analytics_workspace_location<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L29\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"29\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC29\" class=\"blob-code blob-code-inner js-file-line\">  log_analytics_workspace_name     = var.log_analytics_workspace_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L30\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"30\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC30\" class=\"blob-code blob-code-inner js-file-line\">  log_analytics_workspace_sku      = var.log_analytics_workspace_sku<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L31\" 
class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"31\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC31\" class=\"blob-code blob-code-inner js-file-line\">}<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L32\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"32\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC32\" class=\"blob-code blob-code-inner js-file-line\">\n<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L33\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"33\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC33\" class=\"blob-code blob-code-inner js-file-line\"># AKS Cluster<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L34\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"34\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC34\" class=\"blob-code blob-code-inner js-file-line\">module &quot;aks_cluster&quot; {<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L35\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"35\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC35\" class=\"blob-code blob-code-inner js-file-line\">  source                   = &quot;..\/modules\/aks-cluster&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L36\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"36\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC36\" class=\"blob-code blob-code-inner js-file-line\">  cluster_name             = var.cluster_name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L37\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"37\"><\/td>\n          <td 
id=\"file-aks-with-aad-main-deployment-tf-LC37\" class=\"blob-code blob-code-inner js-file-line\">  location                 = var.location<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L38\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"38\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC38\" class=\"blob-code blob-code-inner js-file-line\">  os_type                  = var.os_type<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L39\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"39\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC39\" class=\"blob-code blob-code-inner js-file-line\">  dns_prefix               = var.dns_prefix<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L40\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"40\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC40\" class=\"blob-code blob-code-inner js-file-line\">  resource_group_name      = azurerm_resource_group.aks.name<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L41\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"41\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC41\" class=\"blob-code blob-code-inner js-file-line\">  kubernetes_version       = var.kubernetes_version<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L42\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"42\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC42\" class=\"blob-code blob-code-inner js-file-line\">  node_count               = var.node_count<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L43\" class=\"blob-num js-line-number js-blob-rnum\" 
data-line-number=\"43\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC43\" class=\"blob-code blob-code-inner js-file-line\">  os_disk_size_gb          = &quot;1028&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L44\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"44\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC44\" class=\"blob-code blob-code-inner js-file-line\">  max_pods                 = &quot;110&quot;<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L45\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"45\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC45\" class=\"blob-code blob-code-inner js-file-line\">  vm_size                  = var.vm_size<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L46\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"46\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC46\" class=\"blob-code blob-code-inner js-file-line\">  vnet_subnet_id           = module.aks_network.aks_subnet_id<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L47\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"47\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC47\" class=\"blob-code blob-code-inner js-file-line\">  client_id                = module.aks_identities.cluster_client_id<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L48\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"48\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC48\" class=\"blob-code blob-code-inner js-file-line\">  client_secret            = module.aks_identities.cluster_sp_secret<\/td>\n        <\/tr>\n        <tr>\n          <td 
id=\"file-aks-with-aad-main-deployment-tf-L49\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"49\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC49\" class=\"blob-code blob-code-inner js-file-line\">  diagnostics_workspace_id = module.log_analytics.azurerm_log_analytics_workspace<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L50\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"50\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC50\" class=\"blob-code blob-code-inner js-file-line\">  sp_id                    = data.azurerm_key_vault_secret.AKSSP_AppId.value<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L51\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"51\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC51\" class=\"blob-code blob-code-inner js-file-line\">  sp_secret                = data.azurerm_key_vault_secret.AKSSP_AppSecret.value<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L52\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"52\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC52\" class=\"blob-code blob-code-inner js-file-line\">  aad_tenant_id            = var.AzureTenantID<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L53\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"53\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC53\" class=\"blob-code blob-code-inner js-file-line\">  aad_server_app_secret    = data.azurerm_key_vault_secret.AKS_AADServer_AppSecret.value<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L54\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"54\"><\/td>\n          <td 
id=\"file-aks-with-aad-main-deployment-tf-LC54\" class=\"blob-code blob-code-inner js-file-line\">  aad_server_app_id        = data.azurerm_key_vault_secret.AKS_AADServer_AppID.value<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L55\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"55\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC55\" class=\"blob-code blob-code-inner js-file-line\">  aad_client_app_id        = data.azurerm_key_vault_secret.AKS_AADClient_AppId.value<\/td>\n        <\/tr>\n        <tr>\n          <td id=\"file-aks-with-aad-main-deployment-tf-L56\" class=\"blob-num js-line-number js-blob-rnum\" data-line-number=\"56\"><\/td>\n          <td id=\"file-aks-with-aad-main-deployment-tf-LC56\" class=\"blob-code blob-code-inner js-file-line\">}<\/td>\n        <\/tr>\n  <\/table>\n<\/div>\n\n\n    <\/div>\n\n  <\/div>\n\n<\/div>\n\n      <\/div>\n      <div class=\"gist-meta\">\n        <a href=\"https:\/\/gist.github.com\/AymenSegni\/58868e1095b3720c78c2ca2ae8f8b798\/raw\/9184d9ac5015b4442f7f2d0f78fbb1e12ac3bcfd\/aks-with-aad-main-deployment.tf\" style=\"float:right\" class=\"Link--inTextBlock\">view raw<\/a>\n        <a href=\"https:\/\/gist.github.com\/AymenSegni\/58868e1095b3720c78c2ca2ae8f8b798#file-aks-with-aad-main-deployment-tf\" class=\"Link--inTextBlock\">\n          aks-with-aad-main-deployment.tf\n        <\/a>\n        hosted with &#10084; by <a class=\"Link--inTextBlock\" href=\"https:\/\/github.com\">GitHub<\/a>\n      <\/div>\n    <\/div>\n<\/div>\n\n<\/div><\/figure>\n\n\n\n<p>As you will notice, it is also necessary to update the variable .tf files in the aks-cluster module and the main Terraform deployment configuration.<\/p>\n\n\n\n<p>After making changes to your code, running the&nbsp;<code>plan<\/code>&nbsp;and&nbsp;<code>apply<\/code>&nbsp;commands again will let Terraform use its knowledge of the deployed 
resources recorded in its state file (<code>.tfstate<\/code>) to compute the changes to make, whether creating, updating or destroying.<\/p>\n\n\n\n<p>Finally, get the cluster <em>admin<\/em> credentials using the&nbsp;<code>az aks get-credentials<\/code>&nbsp;command with <code>--admin<\/code>. This kubeconfig carries a client certificate in the <code>system:masters<\/code> group and bypasses Azure AD entirely, so use it only to bootstrap the RBAC bindings below and treat it as a break-glass credential. In one of the following steps, you get the regular&nbsp;<em>user<\/em>&nbsp;cluster credentials to see the Azure AD authentication flow in action.<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-light-gray-color has-very-dark-gray-background-color\">|&#8211;\u2af8&nbsp; az aks get-credentials --resource-group myResourceGroup --name $aksname --admin &nbsp;<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-dark-gray-color has-pale-cyan-blue-background-color\">\u2139\ufe0f <strong>Note<\/strong><br>The same AAD-integrated AKS cluster can be created with the Azure CLI instead of Terraform, passing the server and client application IDs created earlier:<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-light-gray-color has-very-dark-gray-background-color\">|&#8211;\u2af8&nbsp;tenantId=$(az account show --query tenantId -o tsv) <br>|&#8211;\u2af8&nbsp;az aks create --resource-group myResourceGroup --name $aksname --node-count 1 --generate-ssh-keys --aad-server-app-id $serverApplicationId --aad-server-app-secret $serverApplicationSecret --aad-client-app-id $clientApplicationId --aad-tenant-id $tenantId<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2- Create the RBAC bindings<\/h3>\n\n\n\n<p>The next step is to map Azure AD identities to permissions inside the Kubernetes cluster, using the Kubernetes Role, ClusterRole, RoleBinding and ClusterRoleBinding objects. 
In our case we reuse two built-in ClusterRoles instead of writing our own:<\/p>\n\n\n\n<ul class=\"ul-black wp-block-list\"><li>The ClusterRole <strong>cluster-admin<\/strong>, which, as its name suggests, grants unrestricted rights on every resource of the whole cluster when referenced from a ClusterRoleBinding,<\/li><li>The ClusterRole <strong>admin<\/strong>, which grants full read\/write rights on most namespaced resources and is meant to be referenced from a RoleBinding, so that the grant stays confined to one namespace.<\/li><\/ul>\n\n\n\n<p>&nbsp;<em>Roles<\/em>&nbsp;define the permissions to grant, and&nbsp;<em>bindings<\/em>&nbsp;apply them to the desired subjects (users, groups or service accounts). A RoleBinding applies the grant to a given namespace; a ClusterRoleBinding applies it across the entire cluster. Bind the narrowest role that does the job, and prefer binding an Azure AD <em>group<\/em> (by its object ID) over individual users, so that access is revoked by changing group membership rather than by editing the cluster. For more information, see&nbsp;<a rel=\"noreferrer noopener\" aria-label=\"Using RBAC authorization (opens in a new tab)\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/aks\/concepts-identity#role-based-access-controls-rbac\" target=\"_blank\">Using RBAC authorization<\/a>.<\/p>\n\n\n\n<p>1- Get the user principal name (UPN) for the user currently logged in using the&nbsp;<code>az ad signed-in-user show<\/code>&nbsp;command. 
This is the account that is granted cluster access in the next step. Use the UPN if the account belongs to the cluster&#8217;s own Azure AD tenant; for a guest user from another tenant, use its object ID instead, because the AKS Azure AD integration does not resolve guest users by UPN.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"85\" src=\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.31.02-1024x85.png\" alt=\"Secure AKS in the deployment UPN\" class=\"wp-image-311\" srcset=\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.31.02.png 1024w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.31.02.png 300w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.31.02.png 768w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.31.02.png 1198w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n\n\n\n<p>2- Create a YAML manifest named&nbsp;<code>basic-azure-ad-binding.yaml<\/code>&nbsp;and paste the following contents. On the last line, replace&nbsp;<em><code>userPrincipalName_or_objectId<\/code><\/em>&nbsp;with the UPN or object ID output from the previous command. Note that this binding references the <code>cluster-admin<\/code> ClusterRole from a ClusterRoleBinding, so the subject becomes a cluster-wide superuser; for the namespace-scoped variant use <code>kind: RoleBinding<\/code> with a <code>namespace<\/code> in its metadata and reference the <code>admin<\/code> ClusterRole instead:<\/p>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\n<style>.gist table { margin-bottom: 0; }<\/style><div style=\"tab-size: 8\" id=\"gist100279729\" class=\"gist\">\n    <div class=\"gist-file\" translate=\"no\" data-color-mode=\"light\" data-light-theme=\"light\">\n      <div class=\"gist-data\">\n        \n<div class=\"js-gist-file-update-container js-task-list-container\">\n      <div id=\"file-basic-azure-ad-binding-yaml\" class=\"file my-2\">\n    \n    <div itemprop=\"text\"\n      class=\"Box-body p-0 blob-wrapper data type-yaml  \"\n      style=\"overflow: auto\" tabindex=\"0\" role=\"region\"\n      aria-label=\"basic-azure-ad-binding.yaml content, created by AymenSegni on 09:42PM on December 28, 2019.\"\n    >\n\n        \n<div class=\"js-check-hidden-unicode js-blob-code-container blob-code-content\">\n\n  
<pre><code class=\"language-yaml\">apiVersion: rbac.authorization.k8s.io\/v1\n# ClusterRoleBinding: the grant applies to every namespace in the cluster\nkind: ClusterRoleBinding\nmetadata:\n  name: contoso-cluster-admins\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: User\n  # UPN for a user of the home tenant, object ID for a guest user (or for a Group)\n  name: userPrincipalName_or_objectId<\/code><\/pre>\n<\/div>\n\n\n    <\/div>\n\n  <\/div>\n\n<\/div>\n\n      <\/div>\n      <div class=\"gist-meta\">\n        <a 
href=\"https:\/\/gist.github.com\/AymenSegni\/5a57b1352f96de2046a5c1fb5121f45e\/raw\/c4c8c0b304ecf522af7163bca640e74f0e377a11\/basic-azure-ad-binding.yaml\" style=\"float:right\" class=\"Link--inTextBlock\">view raw<\/a>\n        <a href=\"https:\/\/gist.github.com\/AymenSegni\/5a57b1352f96de2046a5c1fb5121f45e#file-basic-azure-ad-binding-yaml\" class=\"Link--inTextBlock\">\n          basic-azure-ad-binding.yaml\n        <\/a>\n        hosted with &#10084; by <a class=\"Link--inTextBlock\" href=\"https:\/\/github.com\">GitHub<\/a>\n      <\/div>\n    <\/div>\n<\/div>\n\n<\/div><\/figure>\n\n\n\n<p>3- Create the ClusterRoleBinding using the&nbsp;<a rel=\"noreferrer noopener\" aria-label=\"kubectl apply (opens in a new tab)\" href=\"https:\/\/kubernetes.io\/docs\/reference\/generated\/kubectl\/kubectl-commands#apply\" target=\"_blank\"><span style=\"text-decoration: underline;\">kubectl apply<\/span><\/a>&nbsp;command and specify the filename of your YAML manifest:<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-light-gray-color has-very-dark-gray-background-color\">|&#8211;\u2af8&nbsp; kubectl apply -f basic-azure-ad-binding.yaml &nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3- Authentication test<\/h3>\n\n\n\n<p>Now let&#8217;s test the integration of Azure AD authentication for the AKS cluster. The first step is to retrieve the identifiers. To do this, we use the <code>az aks get-credentials<\/code> command, after performing authentication on az cli. This implies, as it stands, that the person has access to the subscription in which the AKS cluster is located. 
However, once the kubeconfig has been retrieved, only the <code>kubectl<\/code> client is required: the Azure AD sign-in is driven by <code>kubectl<\/code> itself, not by the Azure CLI.<\/p>\n\n\n\n<p>We first run it with an account bound to the ClusterRole <code>cluster-admin<\/code> (the subject of the binding created above), then execute <code>kubectl get pods --all-namespaces<\/code>, which needs permission to list pods in every namespace, a right this account has:<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-light-gray-color has-very-dark-gray-background-color\">|&#8211;\u2af8&nbsp;az aks get-credentials --resource-group myResourceGroup --name $aksname --overwrite-existing<\/p>\n\n\n\n<p class=\"has-text-color has-background has-very-light-gray-color has-very-dark-gray-background-color\">|&#8211;\u2af8&nbsp;kubectl get pods --all-namespaces<\/p>\n\n\n\n<p>You receive a device-code sign-in prompt to authenticate with your Azure AD credentials in a web browser. After you have authenticated successfully, the&nbsp;<code>kubectl<\/code>&nbsp;command displays the pods in the AKS cluster, as shown in the following example output. An Azure AD user who signs in successfully but has no binding is still authenticated, yet every request is answered with <code>Error from server (Forbidden)<\/code>; repeating the test with such an unbound user is the check that proves authorization really comes from the RBAC binding and not from the sign-in.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"294\" src=\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.57.49-1024x294.png\" alt=\"Secure Azure AKS Kubernetes cluster rbac authentication\" class=\"wp-image-315\" srcset=\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.57.49.png 1024w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.57.49.png 300w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.57.49.png 768w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.57.49.png 1352w, https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-28-at-22.57.49.png 1280w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n\n\n\n<h3 
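class=\"wp-block-heading\">4- Script the binding and its verification<\/h3>\n\n\n\n<p>The steps above (look up the signed-in user, write the binding, apply it with the admin kubeconfig, then sign in as that user) collapse into one script. The following is an added example and not code from this post or its gists. <code>render_aad_binding<\/code> writes a ClusterRoleBinding or a namespaced RoleBinding for a User or Group subject and refuses two mistakes that are easy to make with the AKS Azure AD integration: a guest user bound by its <code>#EXT#<\/code> UPN, which the integration never matches, and <code>cluster-admin<\/code> handed to a single user instead of a group (a policy of ours, not the page&#8217;s). <code>apply_and_verify<\/code> needs a live cluster and uses <code>kubectl auth can-i --as<\/code> to show what a binding grants before anyone signs in. <code>myResourceGroup<\/code>, <code>$aksname<\/code>, the user names and the group object ID are placeholders.<\/p>\n\n\n\n
```bash
#!/usr/bin/env bash
# Added example (not code from the post or its gists): render the RBAC binding for
# an Azure AD subject, reject two mistakes that are easy to make with the AKS/AAD
# integration, and (against a live cluster) apply and verify it.
# myResourceGroup, $aksname, the subjects and the object ID are placeholders.
set -eu

# render_aad_binding NAME ROLE KIND SUBJECT [NAMESPACE]
#   NAME       metadata.name of the binding
#   ROLE       ClusterRole to reference: cluster-admin, admin, edit, view, ...
#   KIND       User or Group
#   SUBJECT    UPN for a user of the cluster's own tenant; Azure AD object ID for a
#              Group or for a guest (B2B) user, whose UPN contains '#EXT#'
#   NAMESPACE  when given, a RoleBinding confined to that namespace is rendered;
#              otherwise a cluster-wide ClusterRoleBinding
render_aad_binding() {
  local name=$1 role=$2 kind=$3 subject=$4 ns=${5:-}
  case "$kind" in
    User|Group) ;;
    *) echo "render_aad_binding: KIND must be User or Group, got '$kind'" >&2; return 1 ;;
  esac
  # Guest users are matched by object ID, not UPN: a binding on the '#EXT#' UPN is
  # accepted by the API server but never matches anyone, so refuse to render it.
  if [ "$kind" = User ]; then
    case "$subject" in
      *'#EXT#'*) echo "render_aad_binding: '$subject' is a guest user; bind its object ID" >&2; return 1 ;;
    esac
  fi
  # Our policy (not the page's): cluster-admin is granted to a Group, never to one
  # User, so that access is revoked through group membership, not cluster edits.
  if [ -z "$ns" ] && [ "$role" = cluster-admin ] && [ "$kind" = User ]; then
    echo "render_aad_binding: refusing cluster-admin for a single User; bind a Group" >&2
    return 1
  fi
  if [ -n "$ns" ]; then
    printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  else
    printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: %s\n' "$name"
  fi
  printf 'roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: %s\n' "$role"
  printf 'subjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: %s\n  name: %s\n' "$kind" "$subject"
}

# apply_and_verify SUBJECT MANIFEST: needs a live cluster. The --admin kubeconfig is
# a client certificate in system:masters that bypasses Azure AD, so use it only for
# this bootstrap step. Impersonation (--as) shows what the binding grants the subject
# before anyone signs in: expect "yes" for the bound verbs and "no" for the rest.
apply_and_verify() {
  local subject=$1 manifest=$2
  az aks get-credentials --resource-group myResourceGroup --name "${aksname:?set aksname first}" --admin
  kubectl apply -f "$manifest"
  kubectl auth can-i list pods --all-namespaces --as="$subject"
  kubectl auth can-i create clusterrolebindings --as="$subject"
}

# Usage (placeholder values):
#   render_aad_binding contoso-cluster-admins cluster-admin Group 11111111-2222-3333-4444-555555555555 > crb.yaml
#   render_aad_binding team-a-admins admin User alice@contoso.onmicrosoft.com team-a > rb.yaml
#   apply_and_verify alice@contoso.onmicrosoft.com rb.yaml
```
\n\n\n\n<p>Run the second <code>kubectl auth can-i<\/code> with a subject bound only to the namespaced <code>admin<\/code> role and it answers <code>no<\/code>: that is the difference between the two built-in roles made visible, and the same check, run after every binding change, catches a RoleBinding that was accidentally written as a ClusterRoleBinding.<\/p>\n\n\n\n<h3 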
class=\"wp-block-heading\">Conclusion <\/h3>\n\n\n\n<p>In this part, we deployed an AKS cluster integrated with AAD to implement an RBAC, and then we successfully tested authentication with AAD users, not necessarily having direct rights to the resource in Azure. In a next part, we will implement Network Policies in order to secure the Azure AKS Kubernetes cluster at the deployment level.<\/p>\n\n\n\n<h2 class=\"has-vivid-cyan-blue-color has-text-color wp-block-heading\">Next steps<\/h2>\n\n\n\n<p>In a next chapter, we will implement security at the AKS cluster level using Network Policies.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Secure Azure AKS Kubernetes cluster at the deployment level using: \u2705Azure AD, \u2705RBAC, \u2705Azure CNI, \u2705 Azure network policy, \u2705Azure Key Vault \u2705 Terraform<\/p>\n","protected":false},"author":1,"featured_media":461,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9,13,8,10,12],"tags":[14,11,19,6,2,15,16],"class_list":["post-438","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-deployment","category-devops","category-kubernetes","category-security","tag-aks","tag-azure","tag-deployment","tag-devops","tag-kubernetes","tag-security","tag-terraform"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Secure AKS at the deployment - part 2 - Run It On Cloud<\/title>\n<meta name=\"description\" content=\"Secure Azure AKS Kubernetes cluster at the deployment level using: \u2705Azure AD, \u2705RBAC, \u2705Azure CNI, \u2705 Azure network 
policy, \u2705Azure Key Vault \u2705 Terraform\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure AKS at the deployment - part 2 - Run It On Cloud\" \/>\n<meta property=\"og:description\" content=\"Secure Azure AKS Kubernetes cluster at the deployment level using: \u2705Azure AD, \u2705RBAC, \u2705Azure CNI, \u2705 Azure network policy, \u2705Azure Key Vault \u2705 Terraform\" \/>\n<meta property=\"og:url\" content=\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Run It On Cloud\" \/>\n<meta property=\"article:published_time\" content=\"2020-01-03T03:22:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-01-03T03:36:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/Kubernetes-Security-600x400_1554495004.png?fit=600%2C400&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"600\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"aymen-segni\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/x.com\/axsegni\" \/>\n<meta name=\"twitter:site\" content=\"@axsegni\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"aymen-segni\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/\"},\"author\":{\"name\":\"aymen-segni\",\"@id\":\"https:\/\/aymen-segni.com\/#\/schema\/person\/32033966e7bd410bbaf1b79c7e94b59d\"},\"headline\":\"Secure AKS at the deployment &#8211; part 2 &#8211;\",\"datePublished\":\"2020-01-03T03:22:43+00:00\",\"dateModified\":\"2020-01-03T03:36:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/\"},\"wordCount\":1229,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/aymen-segni.com\/#\/schema\/person\/32033966e7bd410bbaf1b79c7e94b59d\"},\"keywords\":[\"aks\",\"Azure\",\"deployment\",\"devops\",\"kubernetes\",\"security\",\"terraform\"],\"articleSection\":[\"Cloud\",\"Deployment\",\"Devops\",\"Kubernetes\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/\",\"url\":\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/\",\"name\":\"Secure AKS at the deployment - part 2 - Run It On Cloud\",\"isPartOf\":{\"@id\":\"https:\/\/aymen-segni.com\/#website\"},\"datePublished\":\"2020-01-03T03:22:43+00:00\",\"dateModified\":\"2020-01-03T03:36:11+00:00\",\"description\":\"Secure Azure AKS Kubernetes cluster at the deployment level using: \u2705Azure AD, \u2705RBAC, \u2705Azure CNI, \u2705 
Azure network policy, \u2705Azure Key Vault \u2705 Terraform\",\"breadcrumb\":{\"@id\":\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/aymen-segni.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Secure AKS at the deployment &#8211; part 2 &#8211;\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/aymen-segni.com\/#website\",\"url\":\"https:\/\/aymen-segni.com\/\",\"name\":\"Run It On Cloud\",\"description\":\"Accelerate your Cloud &amp; MLOps Journey\",\"publisher\":{\"@id\":\"https:\/\/aymen-segni.com\/#\/schema\/person\/32033966e7bd410bbaf1b79c7e94b59d\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/aymen-segni.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/aymen-segni.com\/#\/schema\/person\/32033966e7bd410bbaf1b79c7e94b59d\",\"name\":\"aymen-segni\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/aymen-segni.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2025\/02\/72799.jpg\",\"contentUrl\":\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2025\/02\/72799.jpg\",\"width\":896,\"height\":1152,\"caption\":\"aymen-segni\"},\"logo\":{\"@id\":\"https:\/\/aymen-segni.com\/#\/schema\/person\/image\/\"},\"description\":\"Staff Engineer with over a decade of experience in building, scaling, and leading MLOPS, Cloud 
Native, SRE, and DevOps platforms across high-growth and enterprise environments. I specialize in architecting production-grade systems with a strong emphasis on resilience, security, and developer experience; bringing together deep expertise in distributed systems, Kubernetes, and modern platform engineering to empower engineering teams and accelerate business value. My work spans Cloud (AWS, GCP, Azure, OpenStack), Kubernetes, SRE (SLOs, observability, incident response), AI infrastructure and AgentOps (vLLM, Nvidia, RayServe, etc), and Platform Engineering (Backstage, Keptn, GitOps, self-service). I\u2019ve led teams through Cloud Native transformations, established scalable SRE practices, and built internal platforms that streamline operations and reduce cognitive load. With a strong programming background, and Infrastructure as Code (Terraform, Helm, Ansible), I drive automation-first approaches to eliminate toil, ensure reliability, and enable secure, compliant deployment pipelines. My focus today is on building Cloud Native AI platforms, where DevOps meets AI Infrastructure Stacks to support scalable, production-ready LLMs and AI Platforms. As a dedicated mentor, both within my teams and through platforms like MentorCruise, I am passionate about helping engineers perform at their best and assisting organizations in scaling with confidence. Driven by systems thinking, platform-as-a-product mindset, and engineering excellence, I help teams ship faster, operate smarter, and scale with confidence.\",\"sameAs\":[\"https:\/\/aymen-segni.com\",\"https:\/\/www.linkedin.com\/in\/aymen-segni\",\"https:\/\/twitter.com\/https:\/\/x.com\/axsegni\"],\"url\":\"https:\/\/aymen-segni.com\/index.php\/author\/admin8647\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Secure AKS at the deployment - part 2 - Run It On Cloud","description":"Secure Azure AKS Kubernetes cluster at the deployment level using: \u2705Azure AD, \u2705RBAC, \u2705Azure CNI, \u2705 Azure network policy, \u2705Azure Key Vault \u2705 Terraform","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/","og_locale":"en_US","og_type":"article","og_title":"Secure AKS at the deployment - part 2 - Run It On Cloud","og_description":"Secure Azure AKS Kubernetes cluster at the deployment level using: \u2705Azure AD, \u2705RBAC, \u2705Azure CNI, \u2705 Azure network policy, \u2705Azure Key Vault \u2705 Terraform","og_url":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/","og_site_name":"Run It On Cloud","article_published_time":"2020-01-03T03:22:43+00:00","article_modified_time":"2020-01-03T03:36:11+00:00","og_image":[{"width":600,"height":400,"url":"https:\/\/i0.wp.com\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/Kubernetes-Security-600x400_1554495004.png?fit=600%2C400&ssl=1","type":"image\/png"}],"author":"aymen-segni","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/x.com\/axsegni","twitter_site":"@axsegni","twitter_misc":{"Written by":"aymen-segni","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/#article","isPartOf":{"@id":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/"},"author":{"name":"aymen-segni","@id":"https:\/\/aymen-segni.com\/#\/schema\/person\/32033966e7bd410bbaf1b79c7e94b59d"},"headline":"Secure AKS at the deployment &#8211; part 2 &#8211;","datePublished":"2020-01-03T03:22:43+00:00","dateModified":"2020-01-03T03:36:11+00:00","mainEntityOfPage":{"@id":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/"},"wordCount":1229,"commentCount":2,"publisher":{"@id":"https:\/\/aymen-segni.com\/#\/schema\/person\/32033966e7bd410bbaf1b79c7e94b59d"},"keywords":["aks","Azure","deployment","devops","kubernetes","security","terraform"],"articleSection":["Cloud","Deployment","Devops","Kubernetes","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/","url":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/","name":"Secure AKS at the deployment - part 2 - Run It On Cloud","isPartOf":{"@id":"https:\/\/aymen-segni.com\/#website"},"datePublished":"2020-01-03T03:22:43+00:00","dateModified":"2020-01-03T03:36:11+00:00","description":"Secure Azure AKS Kubernetes cluster at the deployment level using: \u2705Azure AD, \u2705RBAC, \u2705Azure CNI, \u2705 Azure network policy, \u2705Azure Key Vault \u2705 
Terraform","breadcrumb":{"@id":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/aymen-segni.com\/index.php\/2020\/01\/03\/secure-aks-at-the-deployment-part-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/aymen-segni.com\/"},{"@type":"ListItem","position":2,"name":"Secure AKS at the deployment &#8211; part 2 &#8211;"}]},{"@type":"WebSite","@id":"https:\/\/aymen-segni.com\/#website","url":"https:\/\/aymen-segni.com\/","name":"Run It On Cloud","description":"Accelerate your Cloud &amp; MLOps Journey","publisher":{"@id":"https:\/\/aymen-segni.com\/#\/schema\/person\/32033966e7bd410bbaf1b79c7e94b59d"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/aymen-segni.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/aymen-segni.com\/#\/schema\/person\/32033966e7bd410bbaf1b79c7e94b59d","name":"aymen-segni","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/aymen-segni.com\/#\/schema\/person\/image\/","url":"https:\/\/aymen-segni.com\/wp-content\/uploads\/2025\/02\/72799.jpg","contentUrl":"https:\/\/aymen-segni.com\/wp-content\/uploads\/2025\/02\/72799.jpg","width":896,"height":1152,"caption":"aymen-segni"},"logo":{"@id":"https:\/\/aymen-segni.com\/#\/schema\/person\/image\/"},"description":"Staff Engineer with over a decade of experience in building, scaling, and leading MLOPS, Cloud Native, SRE, and DevOps platforms across high-growth and enterprise environments. 
I specialize in architecting production-grade systems with a strong emphasis on resilience, security, and developer experience; bringing together deep expertise in distributed systems, Kubernetes, and modern platform engineering to empower engineering teams and accelerate business value. My work spans Cloud (AWS, GCP, Azure, OpenStack), Kubernetes, SRE (SLOs, observability, incident response), AI infrastructure and AgentOps (vLLM, Nvidia, RayServe, etc), and Platform Engineering (Backstage, Keptn, GitOps, self-service). I\u2019ve led teams through Cloud Native transformations, established scalable SRE practices, and built internal platforms that streamline operations and reduce cognitive load. With a strong programming background, and Infrastructure as Code (Terraform, Helm, Ansible), I drive automation-first approaches to eliminate toil, ensure reliability, and enable secure, compliant deployment pipelines. My focus today is on building Cloud Native AI platforms, where DevOps meets AI Infrastructure Stacks to support scalable, production-ready LLMs and AI Platforms. As a dedicated mentor, both within my teams and through platforms like MentorCruise, I am passionate about helping engineers perform at their best and assisting organizations in scaling with confidence. 
Driven by systems thinking, platform-as-a-product mindset, and engineering excellence, I help teams ship faster, operate smarter, and scale with confidence.","sameAs":["https:\/\/aymen-segni.com","https:\/\/www.linkedin.com\/in\/aymen-segni","https:\/\/twitter.com\/https:\/\/x.com\/axsegni"],"url":"https:\/\/aymen-segni.com\/index.php\/author\/admin8647\/"}]}},"jetpack_featured_media_url":"https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/Kubernetes-Security-600x400_1554495004.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/posts\/438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/comments?post=438"}],"version-history":[{"count":20,"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/posts\/438\/revisions"}],"predecessor-version":[{"id":532,"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/posts\/438\/revisions\/532"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/media\/461"}],"wp:attachment":[{"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/media?parent=438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/categories?post=438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aymen-segni.com\/index.php\/wp-json\/wp\/v2\/tags?post=438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}