You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
Azure Authorizer
Guard installation guide can be found here. To use Azure, create a client cert with Organization
set to Azure
.For Azure CommonName
is optional. To ease this process, use the Guard cli to issue a client cert/key pair.
$ guard init client [CommonName] -o Azure
Azure authenticator guide can be found here.
ARC mode
Guard can be configured with arc mode which uses service principal (azure.client-id configured for authentication) with read access on subscription of kubernetes cluster.
Deploy guard server
To generate installer YAMLs for guard server you can use the following command.
# generate Kubernetes YAMLs for deploying guard server
$ guard get installer \
-- all authentication options as per Azure authenticatoin guide
--authz-providers=azure \
--azure.authz-mode=arc \
--azure.resource-id=<arc k8s cluster arm resource id> \
--azure.skip-authz-check=<comma separated list of user email ids for which Azure RBAC will be skipped>
--azure.skip-authz-for-non-aad-users=true \
--azure.allow-nonres-discovery-path-access=true \
> installer.yaml
$ kubectl apply -f installer.yaml
Note Azure authorization can be enabled only with Azure authentication. Create single installer.yaml with both authentication and authorization options together. ARC mode can be enabled with client credential mode or On-Behalf-Of (OBO) mode. Keep azure.skip-authz-for-non-aad-users=true for certificate users (non AAD users) to work with Azure authorization. You are required to set separate Kubernetes RBAC authorizer for certificate users.