Azure DevOps Pipelines authentication to AKS with Azure AD RBAC configured?

We have configured our Azure Kubernetes Clusters to use Azure Active Directory RBAC. This means when using kubectl we need to first authenticate as an AD user (usually done through manually completing device code authentication via the web browser). We have configured this almost exactly as per the MSDN article Integrate Azure Active Directory with Azure Kubernetes Service.

The issue is that this authentication is now also required for Kubernetes build/release tasks in Azure DevOps Pipelines, for example when we run kubectl apply:

2019-01-02T08:48:21.2070286Z ##[section]Starting: kubectl apply
2019-01-02T08:48:21.2074936Z ==============================================================================
2019-01-02T08:48:21.2075160Z Task         : Deploy to Kubernetes
2019-01-02T08:48:21.2075398Z Description  : Deploy, configure, update your Kubernetes cluster in Azure Container Service by running kubectl commands.
2019-01-02T08:48:21.2075625Z Version      : 1.1.17
2019-01-02T08:48:21.2075792Z Author       : Microsoft Corporation
2019-01-02T08:48:21.2076009Z Help         : [More Information](https://go.microsoft.com/fwlink/?linkid=851275)
2019-01-02T08:48:21.2076245Z ==============================================================================
2019-01-02T08:48:25.7971481Z Found tool in cache: kubectl 1.7.0 x64
2019-01-02T08:48:25.7980222Z Prepending PATH environment variable with directory: C:\agents\HephaestusForge\_work\_tool\kubectl\1.7.0\x64
2019-01-02T08:48:25.8666111Z [command]C:\agents\HephaestusForge\_work\_tool\kubectl\1.7.0\x64\kubectl.exe apply -f C:\agents\HephaestusForge\_work\r8\a\_MyProject\kubernetes\deploy.yaml -o json
2019-01-02T08:48:26.3518703Z To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CUYYYYYVV to authenticate.

What is a workaround for this? Is it possible to have Azure DevOps authenticate itself as a server client instead of an AD client?

Dave New asked Jan 02 '19 09:01



1 Answer

You can use kubelogin for your pipeline from https://github.com/Azure/kubelogin

Here's the full example, starting at the login step and continuing until we get the namespace resource inside Kubernetes.

az login --service-principal -u $APP_ID -p $PASSWORD -t $TENANT

This statement is more important if you don't have an existing cluster context in your ~/.kube/config file:

az aks get-credentials --resource-group $RG_AKS --name $CLUSTER_NAME --overwrite-existing --file .kubeconfig-${CLUSTER_NAME}
Merged "my-aks-cluster-name" as current context in .kubeconfig-my-aks-cluster-name

Use kubelogin instead of az aks get-credentials ...

export KUBECONFIG=$(pwd)/.kubeconfig-${CLUSTER_NAME}
kubelogin convert-kubeconfig -l spn
export AAD_SERVICE_PRINCIPAL_CLIENT_ID=$APP_ID
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=$PASSWORD

Now you can run kubectl without device authentication:

kubectl get pods -n $NAMESPACE
NAME                       READY   STATUS    RESTARTS   AGE
myapp-be-7c8cf7d8b9-gnj2t   1/1     Running   0          103m
myapp-cms-65fd6df9c-z7752   1/1     Running   0          14m
myapp-fe-5dbcdd8d9c-fzxgh   1/1     Running   0          52m
elderboy answered Sep 18 '22 12:09
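The login sequence from the answer above, assembled into one pipeline script as an added example (it is not the answerer's code and not part of the kubelogin project). It assumes the az CLI, kubelogin and kubectl are on the agent's PATH, and that APP_ID, PASSWORD, TENANT, RG_AKS, CLUSTER_NAME and NAMESPACE are supplied as pipeline variables (PASSWORD as a secret variable). The function names require_vars, kubeconfig_path and aks_login are this example's own. The points it adds to the answer: fail fast when a variable is missing without ever printing a secret value, keep the kubeconfig in a per-job file that is deleted when the job ends rather than in the agent's shared ~/.kube/config, and probe the RBAC binding with kubectl auth can-i before any real deploy command runs.

```shell
#!/bin/sh
# Added example: non-interactive AKS login for a CI job using a service
# principal and kubelogin's spn mode. Assumes az, kubelogin and kubectl are
# on PATH and the variables below come from the pipeline (PASSWORD secret).
set -eu

# Fail fast if any named variable is empty. Only the variable NAME is
# written to stderr; values (including the secret) are never echoed.
require_vars() {
  missing=0
  for name in "$@"; do
    eval "value=\"\${$name:-}\""
    if [ -z "$value" ]; then
      echo "missing required variable: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Per-job kubeconfig path (same naming as the answer) kept out of
# ~/.kube/config so one agent can serve several clusters safely.
kubeconfig_path() {
  printf '%s/.kubeconfig-%s\n' "$1" "$2"
}

aks_login() {
  require_vars APP_ID PASSWORD TENANT RG_AKS CLUSTER_NAME NAMESPACE

  KUBECONFIG=$(kubeconfig_path "$PWD" "$CLUSTER_NAME")
  export KUBECONFIG
  # Delete the credential file when the job ends, whether it succeeds or fails.
  trap 'rm -f "$KUBECONFIG"' EXIT

  # Sign in to Azure as the service principal: no device-code prompt.
  az login --service-principal -u "$APP_ID" -p "$PASSWORD" -t "$TENANT" --output none

  # Write the cluster context into the per-job file only.
  az aks get-credentials --resource-group "$RG_AKS" --name "$CLUSTER_NAME" \
    --overwrite-existing --file "$KUBECONFIG"

  # Rewrite the AAD exec section so kubectl calls kubelogin in spn mode;
  # kubelogin reads the client id and secret from these two variables.
  kubelogin convert-kubeconfig -l spn
  export AAD_SERVICE_PRINCIPAL_CLIENT_ID="$APP_ID"
  export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET="$PASSWORD"

  # Cheap probe: surface a missing RBAC binding here, not halfway through
  # a deploy. Non-zero exit aborts the job because of set -e.
  kubectl auth can-i get pods -n "$NAMESPACE" >/dev/null
}

# The real login runs only when invoked as "login", so the file can be
# sourced or syntax-checked on a machine with no Azure access.
if [ "${1:-}" = "login" ]; then
  aks_login
  kubectl get pods -n "$NAMESPACE"
fi
```

Invoke it from the pipeline as `sh aks-login.sh login` (file name assumed) with the secret mapped into PASSWORD through the task's env block, so it never appears in the rendered command line. kubelogin picks up the per-job file through KUBECONFIG, which is why the export happens before convert-kubeconfig.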