=  k8s Azure RBAC integrated with AAD =

 * https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac
 
 * https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal

== Give user access ==
 * Find the tenant's primary domain (Azure Active Directory -> Overview -> Primary domain) and fill in the variables {{{
export aad_domain="mydomain.onmicrosoft.com"
# User
UPN="<UserName>@${aad_domain}"
# k8s details
k8s_rg=""
k8s_cluster=""
k8s_id=$(az aks show --resource-group ${k8s_rg} --name ${k8s_cluster} --query id -o tsv)

}}}

 * log in as cluster admin and create the namespace (the role and binding follow below) {{{
# Login as admin
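# Fetch the cluster-admin kubeconfig.
# NOTE: --admin returns the static local admin credential (not an AAD identity, so
# nothing done with it is attributable to a person); use it for this bootstrap step only.
az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --admin
# Possible error: Message: Getting static credential is not allowed because this cluster is set to disable local accounts.
#   In that case fall back to the non-admin kubeconfig:
#     az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --public-fqdn
#   --public-fqdn only selects the public API-server endpoint; it does not change the
#   credential type, so the namespace/role/binding steps below succeed only if the
#   signed-in AAD identity already holds cluster-admin rights on this cluster.
# Create the namespace idempotently (a plain `kubectl create namespace` fails on re-run)
kubectl create namespace dev --dry-run=client -o yaml | kubectl apply -f -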
}}}
 * role-dev-namespace.yaml {{{
# Namespace-scoped "full access" Role for the dev namespace.
# NOTE: the wildcard on the core ("") group also covers secrets and pods/exec, so
# holders can read every secret in the namespace -- intended here, but keep it in mind.
# "extensions" is a legacy API group (its resources moved to apps/ and
# networking.k8s.io/ in newer releases); it is harmless to keep for older clusters.
kubectl apply -f - <<'EOF'
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: dev
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
EOF
}}}

 * look up the AAD subject (group object ID or user UPN) and grant it the cluster-user role {{{
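# Pick ONE subject kind. The Azure role assignment below is needed in BOTH cases:
# without "Cluster User Role" the subject cannot even run the non-admin
# `az aks get-credentials`, regardless of what the Kubernetes RoleBinding grants.

# --- Group: the RoleBinding subject name is the group's object ID ---
k8s_kind="Group"
az_grp_name="dev"
az_obj_id=$(az ad group show --group "${az_grp_name}" --query id -o tsv)

# --- or User: the RoleBinding subject name is the UPN ---
# k8s_kind="User"
# az_obj_id="<UserName>@${aad_domain}"

: "${az_obj_id:?az_obj_id must hold the group object ID or the user UPN}"
# Scope is the cluster resource ID from `az aks show` (k8s_id), not the subscription.
# "Cluster User Role" only permits downloading the user kubeconfig; what the identity
# may do inside the cluster is decided by the Kubernetes RoleBinding below.
# (If `--assignee` fails with a Graph lookup error, `--assignee-object-id` with
#  `--assignee-principal-type` avoids the directory query.)
az role assignment create \
  --assignee "${az_obj_id}" \
  --role "Azure Kubernetes Service Cluster User Role" \
  --scope "${k8s_id}"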
}}}

 * rolebinding-dev-namespace.yaml {{{
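# Bind the Role to the AAD subject chosen above (Group -> object ID, User -> UPN).
: "${k8s_kind:?set k8s_kind to Group or User}"
: "${az_obj_id:?set az_obj_id to the group object ID or user UPN}"
# No `namespace:` on the subject: in the RBAC API that field is defined only for
# ServiceAccount subjects; User/Group subjects are identified by name alone.
kubectl apply -f - <<EOF
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access
subjects:
- kind: ${k8s_kind}
  name: ${az_obj_id}
---
EOF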
}}}

 * fetch the user's (non-admin) credentials and verify access {{{

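# Fetch the user's (non-admin) kubeconfig; --overwrite-existing avoids the interactive
# prompt when a context for this cluster already exists.
az aks get-credentials --resource-group "${k8s_rg}" --name "${k8s_cluster}" --public-fqdn --overwrite-existing
# Verify the binding took effect (expect an AAD sign-in prompt on the first kubectl call).
kubectl auth can-i --list --namespace dev
# The admin context fetched during bootstrap is still in the kubeconfig; remove it
# when it is no longer needed (see `kubectl config get-contexts`).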

}}}