
Using AKS kubectl (kubelogin) on headless systems or pipelines

Running kubectl on pipelines with interactive authentication is somewhat non-optimal :-) Let's make it better without using long-living tokens.

Daniel Nachtrub

A challenge we had recently was to use kubectl with kubelogin on non-interactive systems like pipelines (where device-login is also not an option). The background is that local users on Azure Kubernetes clusters should be disabled (which is a great thing).

Why is this an issue?

Typically, when you use kubelogin (mostly through kubectl), you authenticate interactively or through device-login the first time. Having done this once, kubelogin stores the refreshToken (and accessToken) in a file under the .kube directory tree.

If you are running on an automated system like a pipeline, you don't want the process to be interrupted by a prompt; instead you want a technical user (realized through a service principal) to do the authentication.

How to avoid the prompts?

The solution is fairly easy: kubelogin can be controlled through ENV vars and supports other login methods. The one we are looking for is spn.

AAD_SERVICE_PRINCIPAL_CLIENT_ID=<SP_ID>
AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<SP_TOKEN>
AAD_LOGIN_METHOD=spn
AZURE_TENANT_ID=<TENANT_ID>
ENV vars for kubelogin

Set these variables and kubelogin authenticates as the service principal without any prompt or interruption. Easy win.
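To show how the ENV-var approach fits into a pipeline step, here is an added example script (not from the original post). It assumes the pipeline injects the service-principal credentials as masked secret variables named SP_CLIENT_ID, SP_CLIENT_SECRET and TENANT_ID (those names are assumed), that az, kubelogin and kubectl are installed on the agent, and it uses placeholder values for the resource group and cluster name. It validates the environment before any cluster call so that a missing secret fails fast instead of falling back to an interactive or device-code prompt.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumed pipeline secret variables: SP_CLIENT_ID, SP_CLIENT_SECRET, TENANT_ID.
# Placeholders: RESOURCE_GROUP_PLACEHOLDER, CLUSTER_NAME_PLACEHOLDER.

# Map the pipeline's secret variables onto the names kubelogin reads (from the post).
export_spn_env() {
  export AAD_SERVICE_PRINCIPAL_CLIENT_ID="$1"
  export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET="$2"
  export AZURE_TENANT_ID="$3"
  export AAD_LOGIN_METHOD=spn
}

# Fail fast if anything kubelogin needs for spn login is missing or empty.
# Returns 0 when the environment is complete, 1 otherwise (reasons on stderr).
check_spn_env() {
  missing=0
  [ -n "${AAD_SERVICE_PRINCIPAL_CLIENT_ID:-}" ] || { echo "missing AAD_SERVICE_PRINCIPAL_CLIENT_ID" >&2; missing=1; }
  [ -n "${AAD_SERVICE_PRINCIPAL_CLIENT_SECRET:-}" ] || { echo "missing AAD_SERVICE_PRINCIPAL_CLIENT_SECRET" >&2; missing=1; }
  [ -n "${AZURE_TENANT_ID:-}" ] || { echo "missing AZURE_TENANT_ID" >&2; missing=1; }
  if [ "${AAD_LOGIN_METHOD:-}" != "spn" ]; then
    echo "AAD_LOGIN_METHOD must be 'spn' (got '${AAD_LOGIN_METHOD:-}')" >&2
    missing=1
  fi
  return "$missing"
}

# The actual pipeline steps: fetch a kubeconfig for the cluster, convert its exec
# section to the spn login method, then run kubectl. Uses a private kubeconfig
# file so nothing is written into the agent's shared ~/.kube directory.
run_pipeline_step() {
  kubeconfig="$(mktemp)"
  az login --service-principal \
    --username "$AAD_SERVICE_PRINCIPAL_CLIENT_ID" \
    --password "$AAD_SERVICE_PRINCIPAL_CLIENT_SECRET" \
    --tenant "$AZURE_TENANT_ID" >/dev/null
  az aks get-credentials \
    --resource-group "RESOURCE_GROUP_PLACEHOLDER" \
    --name "CLUSTER_NAME_PLACEHOLDER" \
    --file "$kubeconfig"
  # kubelogin reads the AAD_* / AZURE_TENANT_ID variables set above.
  KUBECONFIG="$kubeconfig" kubelogin convert-kubeconfig -l spn
  KUBECONFIG="$kubeconfig" kubectl get nodes
  rm -f "$kubeconfig"
}

# Only run the real steps when invoked on an agent that has the tooling and secrets.
if [ -n "${SP_CLIENT_ID:-}" ] && command -v kubelogin >/dev/null 2>&1; then
  export_spn_env "$SP_CLIENT_ID" "$SP_CLIENT_SECRET" "$TENANT_ID"
  check_spn_env || exit 1
  run_pipeline_step
fi
```

Keep the client secret in the pipeline's secret store and pass it in as a masked variable; with the spn method there is no token file to leak from the agent afterwards, which is the point of avoiding long-living tokens.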

Tags: Azure, Kubernetes, Linux, Cloud

Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.