Using AKS kubectl (kubelogin) on headless systems or pipelines
Running kubectl on pipelines with interactive authentication is somewhat non-optimal :-) Let's make it better without using long-living tokens.
A challenge we had recently is to use kubectl with kubelogin on non-interactive systems like pipelines (where also device-login is no option). The background is that local users on Azure Kubernetes Clusters should be disabled (which is a great thing).
Why is this an issue?
Typically, when you use kubelogin (mostly through kubectl), you are authenticating interactively or through device-login (on the first time). Having done this once kubelogin stores the refreshToken (and accessToken) in a file in the .kube directory tree.
If you are running on an automated system like a pipeline, you don't want the process to be interrupted and use technical users (realized through service-principals) to achieve the goal.
How to avoid the prompts?
The solution is fairly easy - kubelogin can be controlled throug ENV vars and use other login methods. The one we are searching for is spn.
AAD_SERVICE_PRINCIPAL_CLIENT_ID=<SP_ID>
AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<SP_TOKEN>
AAD_LOGIN_METHOD=spn
AZURE_TENANT_ID=<TENANT_ID>Configure these settings and kubelogin will authenticate without any interruption or similar. Easy win.
