Using AKS kubectl (kubelogin) on headless systems or pipelines
Running kubectl on pipelines with interactive authentication is somewhat non-optimal :-) Let's make it better without using long-lived tokens.
A challenge we had recently was using kubectl with kubelogin on non-interactive systems like pipelines (where device login is not an option either). The background is that local users on Azure Kubernetes clusters should be disabled (which is a great thing).
Why is this an issue?
Typically, when you use kubelogin (mostly through kubectl), you authenticate interactively or through device login the first time. Once this is done, kubelogin stores the refreshToken (and accessToken) in a file in the .kube directory tree.
If you are running on an automated system like a pipeline, you don't want the process to be interrupted by a prompt. Instead, you use technical users (realized through service principals) to achieve the goal.
How to avoid the prompts?
The solution is fairly easy: kubelogin can be controlled through environment variables and can use other login methods. The one we are looking for is spn.
Configure these settings and kubelogin will authenticate without any interruption. Easy win.
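The spn login method described above, as an added example that is not part of the original post: a pipeline wrapper that checks the kubelogin environment variables before kubectl runs and works on a throwaway copy of the kubeconfig. `KUBECONFIG_SOURCE` and the function names are hypothetical; the secret is assumed to be injected by the pipeline's secret store.

```shell
#!/bin/sh
# Added example. KUBECONFIG_SOURCE is a hypothetical variable; the secret is
# expected to come from the pipeline's secret store, never from the script.

# Fail fast when anything needed for non-interactive login is missing, so the
# job cannot fall through to a prompt. Prints variable names only, not values.
kubelogin_spn_preflight() {
  rc=0
  [ "${AAD_LOGIN_METHOD:-}" = "spn" ] || {
    echo "AAD_LOGIN_METHOD must be set to spn" >&2; rc=1; }
  [ -n "${AAD_SERVICE_PRINCIPAL_CLIENT_ID:-}" ] || {
    echo "AAD_SERVICE_PRINCIPAL_CLIENT_ID is not set" >&2; rc=1; }
  [ -n "${AAD_SERVICE_PRINCIPAL_CLIENT_SECRET:-}" ] || {
    echo "AAD_SERVICE_PRINCIPAL_CLIENT_SECRET is not set" >&2; rc=1; }
  return "$rc"
}

# Run kubectl against a private copy of the kubeconfig, converted to spn login.
run_kubectl_as_spn() {
  kubelogin_spn_preflight || return 1
  workdir=$(mktemp -d) || return 1
  src="${KUBECONFIG_SOURCE:-$HOME/.kube/config}"
  status=0
  { cp "$src" "$workdir/config" &&
    KUBECONFIG="$workdir/config" kubelogin convert-kubeconfig -l spn &&
    KUBECONFIG="$workdir/config" kubectl "$@"; } || status=$?
  rm -rf "$workdir"   # do not leave the converted kubeconfig on the agent
  return "$status"
}

# Typical pipeline step (values supplied as secret variables):
#   export AAD_LOGIN_METHOD=spn
#   export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<client-id>
#   export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<client-secret>
#   run_kubectl_as_spn get nodes
```

Scope the service principal's role binding in the cluster to what the pipeline needs, and rotate its secret on a schedule, since it now stands in for the interactive user.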