17

We have configured our Azure Kubernetes Clusters to use Azure Active Directory RBAC. This means that when using kubectl we need to first authenticate as an AD user (usually done by manually completing device code authentication via the web browser). We have configured this almost exactly as per the MSDN article Integrate Azure Active Directory with Azure Kubernetes Service.

The issue is that this authentication is now also required for Kubernetes build/release tasks in Azure DevOps Pipelines, for example when we run kubectl apply:

2019-01-02T08:48:21.2070286Z ##[section]Starting: kubectl apply
2019-01-02T08:48:21.2074936Z ==============================================================================
2019-01-02T08:48:21.2075160Z Task         : Deploy to Kubernetes
2019-01-02T08:48:21.2075398Z Description  : Deploy, configure, update your Kubernetes cluster in Azure Container Service by running kubectl commands.
2019-01-02T08:48:21.2075625Z Version      : 1.1.17
2019-01-02T08:48:21.2075792Z Author       : Microsoft Corporation
2019-01-02T08:48:21.2076009Z Help         : [More Information](https://go.microsoft.com/fwlink/?linkid=851275)
2019-01-02T08:48:21.2076245Z ==============================================================================
2019-01-02T08:48:25.7971481Z Found tool in cache: kubectl 1.7.0 x64
2019-01-02T08:48:25.7980222Z Prepending PATH environment variable with directory: C:\agents\HephaestusForge\_work\_tool\kubectl\1.7.0\x64
2019-01-02T08:48:25.8666111Z [command]C:\agents\HephaestusForge\_work\_tool\kubectl\1.7.0\x64\kubectl.exe apply -f C:\agents\HephaestusForge\_work\r8\a\_MyProject\kubernetes\deploy.yaml -o json
2019-01-02T08:48:26.3518703Z To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CUYYYYYVV to authenticate.

What is a workaround for this? Is it possible to have Azure DevOps authenticate itself as a server client instead of an AD client?

Dave New
  • I think the token is cached and can be used until it expires. Are there any other errors when you log in or execute the command? – Charles Xu Jan 03 '19 at 01:50
  • @CharlesXu if I manually authenticate with the code, then it works just fine. There isn't a token that I can use. – Dave New Jan 03 '19 at 05:18
  • As I tested, you just need to sign in when you get the credential each time. The credential is then stored in the file ~/.kube/config. Maybe you can get the credential from the file in the code. You can also set the credential as a variable when you get it in the code. – Charles Xu Jan 03 '19 at 09:43
  • you can use https://github.com/Azure/kubelogin plugin for non-interactive login – Vilva Sep 24 '20 at 15:37

2 Answers

8

You can use kubelogin for your pipeline from https://github.com/Azure/kubelogin

Here's the full example, starting at the login step and going until getting the namespace resource inside Kubernetes.

az login --service-principal -u $APP_ID -p $PASSWORD -t $TENANT

This statement is more important if you don't have an existing cluster context in your ~/.kube/config file:

az aks get-credentials --resource-group $RG_AKS --name $CLUSTER_NAME --overwrite-existing --file .kubeconfig-${CLUSTER_NAME}
Merged "my-aks-cluster-name" as current context in .kubeconfig-my-aks-cluster-name

Use kubelogin instead of az aks get-credentials ....

export KUBECONFIG=$(pwd)/.kubeconfig-${CLUSTER_NAME}
kubelogin convert-kubeconfig -l spn
export AAD_SERVICE_PRINCIPAL_CLIENT_ID=$APP_ID
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=$PASSWORD

Now you can run kubectl without device authentication:

kubectl get pods -n $NAMESPACE
NAME                       READY   STATUS    RESTARTS   AGE
myapp-be-7c8cf7d8b9-gnj2t   1/1     Running   0          103m
myapp-cms-65fd6df9c-z7752   1/1     Running   0          14m
myapp-fe-5dbcdd8d9c-fzxgh   1/1     Running   0          52m
Kole
  • Isn't this as insecure as using the --admin flag with az aks get-credentials? – fermin.saez May 11 '21 at 21:00
  • If you create a service principal with limited permissions, e.g. only a namespace, then its blast radius is smaller (than admin) and thus more secure. – julie-ng Sep 17 '21 at 13:33
  • This works indeed, but how can I ensure `kubectl@1` tasks also authenticate like this? I can only use az cli tasks now to deploy k8s resources... – Casper Dijkstra Dec 28 '21 at 16:19
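As an added example (not code from the answer or from the kubelogin project), here is a pre-flight check a pipeline can run on the kubeconfig produced by the steps above: it confirms that the file really was converted to kubelogin's spn mode (so no device-code prompt), and that the service principal secret is only supplied through the AAD_SERVICE_PRINCIPAL_CLIENT_* environment variables rather than written into the kubeconfig. The sample kubeconfig entries are constructed, and the ids in them are placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer. Sanity-checks a kubeconfig after
# "kubelogin convert-kubeconfig -l spn" before a pipeline step relies on it:
# the user entry must exec kubelogin in spn mode, and the service-principal
# secret must come from the environment, never from the file itself.

# Returns 0 for a converted spn kubeconfig with no inline secret, else non-zero.
check_spn_kubeconfig() {
  cfg="$1"
  [ -r "$cfg" ] || { echo "unreadable: $cfg"; return 1; }
  # Unconverted AKS kubeconfigs keep an auth-provider block; that is what
  # produces the device-code prompt seen in the pipeline log.
  grep -q 'auth-provider:' "$cfg" && { echo "not converted: auth-provider present"; return 2; }
  grep -q 'command: kubelogin' "$cfg" || { echo "exec command is not kubelogin"; return 3; }
  # The argument after "--login" must be "spn"; "devicecode" would prompt again.
  awk '/- --login$/ { getline; if ($0 ~ /- spn$/) ok = 1 } END { exit !ok }' "$cfg" \
    || { echo "login mode is not spn"; return 4; }
  # A secret given to convert-kubeconfig via --client-secret is written into
  # the file and travels with every artifact or log that includes it.
  grep -q -- '--client-secret' "$cfg" && { echo "client secret embedded in kubeconfig"; return 5; }
  echo "ok"
}

# Returns 0 when both variables kubelogin reads in spn mode are non-empty.
check_spn_env() {
  [ -n "$AAD_SERVICE_PRINCIPAL_CLIENT_ID" ] && [ -n "$AAD_SERVICE_PRINCIPAL_CLIENT_SECRET" ]
}

# Constructed samples: the user entry of a converted kubeconfig (shape of
# kubelogin's exec block; ids are placeholders) and the same with a baked-in secret.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.yaml" <<'EOF'
users:
- name: clusterUser_rg_cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin
      args:
      - get-token
      - --login
      - spn
      - --server-id
      - PLACEHOLDER-SERVER-APP-ID
      - --tenant-id
      - PLACEHOLDER-TENANT-ID
EOF
{ cat "$SAMPLE_DIR/good.yaml"; printf '      - --client-secret\n      - PLACEHOLDER-SECRET\n'; } \
  > "$SAMPLE_DIR/leaky.yaml"
```

Run `check_spn_kubeconfig "$KUBECONFIG" && check_spn_env` as the step right before `kubectl`; a non-zero exit fails the job before any device-code prompt can hang it.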
4

You can use the admin profile, which doesn't require interactive login but unfortunately bypasses any RBAC controls you may have set up.

Vote here: https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks/suggestions/35146387-support-non-interactive-login-for-aad-integrated-c