
Azure DevOps Pipelines authentication to AKS with Azure AD RBAC configured?

We have configured our Azure Kubernetes Clusters to use Azure Active Directory RBAC. This means when using kubectl we need to first authenticate as an AD user (usually done through manually completing device code authentication via the web browser). We have configured this almost exactly as per the MSDN article "Integrate Azure Active Directory with Azure Kubernetes Service".

The issue is that this authentication is now also required for Kubernetes build/release tasks in Azure DevOps Pipelines, for example when we run kubectl apply:

2019-01-02T08:48:21.2070286Z ##[section]Starting: kubectl apply
2019-01-02T08:48:21.2074936Z ==============================================================================
2019-01-02T08:48:21.2075160Z Task         : Deploy to Kubernetes
2019-01-02T08:48:21.2075398Z Description  : Deploy, configure, update your Kubernetes cluster in Azure Container Service by running kubectl commands.
2019-01-02T08:48:21.2075625Z Version      : 1.1.17
2019-01-02T08:48:21.2075792Z Author       : Microsoft Corporation
2019-01-02T08:48:21.2076009Z Help         : [More Information](https://go.microsoft.com/fwlink/?linkid=851275)
2019-01-02T08:48:21.2076245Z ==============================================================================
2019-01-02T08:48:25.7971481Z Found tool in cache: kubectl 1.7.0 x64
2019-01-02T08:48:25.7980222Z Prepending PATH environment variable with directory: C:\agents\HephaestusForge\_work\_tool\kubectl\1.7.0\x64
2019-01-02T08:48:25.8666111Z [command]C:\agents\HephaestusForge\_work\_tool\kubectl\1.7.0\x64\kubectl.exe apply -f C:\agents\HephaestusForge\_work\r8\a\_MyProject\kubernetes\deploy.yaml -o json
2019-01-02T08:48:26.3518703Z To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CUYYYYYVV to authenticate.

What is a workaround for this? Is it possible to have Azure DevOps authenticate itself as a server client instead of an AD client?

You can use the admin profile which doesn't require interactive login but unfortunately bypasses any RBAC controls you may have set up.

Vote here: https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks/suggestions/35146387-support-non-interactive-login-for-aad-integrated-c

You can use kubelogin for your pipeline from https://github.com/Azure/kubelogin

Here's the full example, starting at the login step, until getting the namespace resource inside Kubernetes.

az login --service-principal -u $APP_ID -p $PASSWORD -t $TENANT

This statement is more important if you don't have an existing cluster context in your ~/.kube/config file:

az aks get-credentials --resource-group $RG_AKS --name $CLUSTER_NAME --overwrite-existing --file .kubeconfig-${CLUSTER_NAME}
Merged "my-aks-cluster-name" as current context in .kubeconfig-my-aks-cluster-name

Use kubelogin instead of az aks get-credentials ....

export KUBECONFIG=$(pwd)/.kubeconfig-${CLUSTER_NAME}
kubelogin convert-kubeconfig -l spn
export AAD_SERVICE_PRINCIPAL_CLIENT_ID=$APP_ID
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=$PASSWORD

Now you can run kubectl without device authentication:

kubectl get pods -n $NAMESPACE
NAME                       READY   STATUS    RESTARTS   AGE
myapp-be-7c8cf7d8b9-gnj2t   1/1     Running   0          103m
myapp-cms-65fd6df9c-z7752   1/1     Running   0          14m
myapp-fe-5dbcdd8d9c-fzxgh   1/1     Running   0          52m
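As an added example (not part of the answers above and not kubelogin's own code), here is a pre-flight check a pipeline step can run right after `kubelogin convert-kubeconfig -l spn`: it confirms the kubeconfig was actually converted to the kubelogin exec plugin in spn mode, so kubectl will not fall back to a device-code prompt, and that it carries no static admin credentials, which the first answer notes would bypass AAD RBAC. The sample kubeconfig, the user name and the server-id GUID it writes are constructed; real files come from `az aks get-credentials`.

```shell
# Added example (not the original answers' code): a pre-flight check a pipeline step can run
# before kubectl, confirming the kubeconfig was converted by `kubelogin convert-kubeconfig -l spn`
# and carries no static admin credentials (the admin profile bypasses AAD RBAC).

# Exit 0 if the kubeconfig uses the kubelogin exec plugin in spn mode and
# embeds no static credentials; otherwise print the reason to stderr, exit 1.
check_kubeconfig_spn() {
  cfg="$1"
  if grep -Eq '^[[:space:]]*(client-certificate-data|client-key-data|token):' "$cfg"; then
    echo "refusing $cfg: embedded static credentials (admin profile bypasses RBAC)" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*command:[[:space:]]*kubelogin[[:space:]]*$' "$cfg"; then
    echo "refusing $cfg: not converted to kubelogin; kubectl would prompt for device-code login" >&2
    return 1
  fi
  # convert-kubeconfig -l spn emits the args "--login" and "spn" on consecutive lines.
  if ! awk '/^[[:space:]]*-[[:space:]]*--login[[:space:]]*$/ {want=1; next}
            want && /^[[:space:]]*-[[:space:]]*spn[[:space:]]*$/ {found=1}
            {want=0} END {exit found ? 0 : 1}' "$cfg"; then
    echo "refusing $cfg: kubelogin login mode is not spn" >&2
    return 1
  fi
}

# Exit 0 only when both variables kubelogin reads in spn mode are set and non-empty;
# the values are never echoed, so this is safe to run in pipeline logs.
check_spn_env() {
  [ -n "${AAD_SERVICE_PRINCIPAL_CLIENT_ID:-}" ] && [ -n "${AAD_SERVICE_PRINCIPAL_CLIENT_SECRET:-}" ]
}

# Writes a constructed kubeconfig shaped like kubelogin's spn conversion output to $1.
write_sample_spn_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: clusterUser_my-rg_my-aks-cluster-name
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --login
      - spn
      - --server-id
      - 00000000-0000-0000-0000-000000000000
      command: kubelogin
EOF
}
```

In the pipeline, run `check_kubeconfig_spn "$KUBECONFIG" && check_spn_env` between the conversion step and the first kubectl call, so a misconfigured agent fails fast instead of hanging on the device-code prompt.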
