[英]How to programmatically authenticate to Azure Kubernetes (AKS)
I'm having an AKS cluster setup and recently enabled the Azure Active Directory integration.我正在设置 AKS 群集,最近启用了 Azure Active Directory 集成。 I'm having a C# application that is running outside of the Kubernetes cluster that is creating Kubernetes Jobs.我有一个 C# 应用程序在 Kubernetes 集群之外运行,该集群正在创建 Kubernetes 作业。 Therefore, I'm using the C# KubernetesClient
package which has been working fine before (and still is).因此,我使用的是 C# KubernetesClient
package,它之前一直运行良好(现在仍然如此)。 However, it is using a so called "local account" (so the local admin user) which is not integrated with the Active Directory.但是,它使用了一个未与 Active Directory 集成的所谓“本地帐户”(即本地管理员用户)。 My goal is to completely deactivate the local accounts in the long run, meaning I need a different way of authenticating.从长远来看,我的目标是完全停用本地帐户,这意味着我需要一种不同的身份验证方式。 As the Kubernetes Cluster is now fully integrated with the AAD, I preferrably want to use a service principal for authentication.由于 Kubernetes 集群现已与 AAD 完全集成,因此我最好使用服务主体进行身份验证。
Microsoft is not providing any documentation on how to achieve this and the support hasn't been particular helpful. Microsoft 没有提供任何有关如何实现此目的的文档,并且支持也不是特别有用。
You need to manually get an Access Token for the Kubernetes environment.您需要手动获取 Kubernetes 环境的访问令牌。 This can be done with the following code:这可以通过以下代码完成:
var credFactory = new AzureCredentialsFactory();
var credentials = credFactory.FromServicePrincipal(
"CLIENT_ID",
"CLIENT_SECRET",
"TENANT_ID",
AzureEnvironment.AzureGlobalCloud
);
var azure = Microsoft.Azure.Management.Fluent.Azure
.Authenticate(credentials)
.WithSubscription("SUBSCRIPTION_ID");
var kubeConfigBytes = azure.KubernetesClusters.GetUserKubeConfigContents(
"K8S_RESOURCE_GROUP",
"K8S_CLUSTER_NAME"
);
var kubeConfigRaw = KubernetesClientConfiguration.LoadKubeConfig(new MemoryStream(kubeConfigBytes));
var authProvider = kubeConfigRaw.Users.Single().UserCredentials.AuthProvider;
if (!authProvider.Name.Equals("azure", StringComparison.OrdinalIgnoreCase))
throw new Exception("Invalid k8s auth provider!");
// Token Helper is a small helper utility that I use instead of MSAL
// This method is doing a POST call to https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
var token = TokenHelper.GetTokenByClientCredentials(
"CLIENT_ID",
"CLIENT_SECRET",
"TENANT_ID",
"6dae42f8-4368-4678-94ff-3960e28e3630/.default" // This scope is always the same. It's the "Azure Kubernetes Service AAD Server" app from Microsoft. (az ad sp show --id 6dae42f8-4368-4678-94ff-3960e28e3630)
).GetAwaiter().GetResult();
authProvider.Config["access-token"] = token.AccessToken;
authProvider.Config["expires-on"] = DateTimeOffset.UtcNow.AddSeconds(token.ExpiresIn).ToUnixTimeSeconds().ToString();
var kubeConfig = KubernetesClientConfiguration.BuildConfigFromConfigObject(kubeConfigRaw);
var kubernetes = new Kubernetes(kubeConfig);
Please keep in mind that the token expires every hour, so you need to creat a new Kubernetes
instance regularly.请记住,令牌每小时到期一次,因此您需要定期创建一个新的Kubernetes
实例。 Also note that this only takes care of the Authentication , not Authorization .另请注意,这只负责Authentication ,而不是Authorization 。 Meaning, you will be able to login, but your service principal might not be allowed to read/edit any kubernetes resources.这意味着,您将能够登录,但可能不允许您的服务主体读取/编辑任何 kubernetes 资源。 For that to work you need to assign a Role
or CluterRole
to your service principal as described HERE .为此,您需要将Role
或CluterRole
分配给您的服务主体,如此处所述。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.