I am using a service principal to authenticate with the Kubernetes API in a continuous integration environment.
My cluster is set up and enabled to integrate with Azure AD, and everything has worked fine for over a year.
Recently I created a service principal that has the Azure Kubernetes Service Cluster User Role
on my AKS.
I log in with the Azure CLI normally and I can get the kubeconfig to start interacting with the Kubernetes API.
az login --service-principal -u <spn_id> -p <spn_secret> --tenant XXXXXXX
az aks get-credentials --name xxxx --resource-group xxxx --subscription xxxx --overwrite-existing
Then I call kubelogin to convert my kubeconfig to the expected model.
kubelogin convert-kubeconfig --client-id <spn_id> --client-secret <spn_secret> --tenant-id XXXXXXX --legacy -l spn
At this point, I already have the ClusterRoleBinding created and using the ObjectId
of this SPN.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sp-role-binding
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: <spn_object_id>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
My kubeconfig after conversion is something like:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xxxxxx
    server: https://<uri>:443
  name: xxxxxx
contexts:
- context:
    cluster: xxxxxx
    user: clusterUser_xxxxxx
  name: xxxxxx
current-context: xxxxxx
kind: Config
preferences: {}
users:
- name: clusterUser_xxxxxx
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --environment
      - AzurePublicCloud
      - --server-id
      - <server_id>
      - --client-id
      - <spn_id>
      - --tenant-id
      - XXXXXXX
      - --legacy
      - --client-secret
      - <spn_secret>
      - --login
      - spn
      command: kubelogin
      env: null
After that, a simple command to list the running pods always returns Unauthorized.
I0312 13:23:15.244292 27174 round_trippers.go:423] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.18.8 (linux/amd64) kubernetes/9f2892a" 'https://<uri>:443/api?timeout=32s'
I0312 13:23:16.993746 27174 round_trippers.go:443] GET https://<uri>:443/api?timeout=32s 401 Unauthorized in 1749 milliseconds
I0312 13:23:16.993817 27174 round_trippers.go:449] Response Headers:
I0312 13:23:16.993834 27174 round_trippers.go:452] Audit-Id: xxxxxxx
I0312 13:23:16.993847 27174 round_trippers.go:452] Cache-Control: no-cache, private
I0312 13:23:16.993859 27174 round_trippers.go:452] Content-Type: application/json
I0312 13:23:16.993870 27174 round_trippers.go:452] Content-Length: 129
I0312 13:23:16.993881 27174 round_trippers.go:452] Date: Fri, 12 Mar 2021 13:23:16 GMT
I0312 13:23:16.996236 27174 request.go:1068] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
I0312 13:23:16.998572 27174 cached_discovery.go:121] skipped caching discovery info due to Unauthorized
In contrast, if I try to generate the token manually by executing the following command, I get the token normally:
kubelogin get-token --environment AzurePublicCloud --server-id <server_id> --client-id <spn_id> --tenant-id XXXXXXX --client-secret <spn_secret> --login spn
Am I doing something wrong? Is there a step I need to take that I didn't take? I am looking for help to solve this problem.
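A small diagnostic a cluster operator can run locally to compare a kubelogin exec stanza, the token that plugin returns, and the ClusterRoleBinding that is meant to authorize it. This is an added example, not code from the question, from kubelogin, or from AKS. It assumes the ExecCredential JSON shape that Kubernetes client-go exec plugins print (`status.token`), that Azure AD service-principal tokens carry `aud`, `tid` and `oid` claims, and it uses constructed placeholder GUIDs and an unsigned sample token instead of real values; the kubeconfig and binding are inline dicts standing in for what `yaml.safe_load` would return from the real files. It decodes the JWT payload without verifying it, so it only reports what the token says about itself, which is enough to separate the two failure classes the API server reports: a token it does not accept at all (401 Unauthorized, returned before RBAC runs) and an accepted identity that no binding covers (403 Forbidden). It also flags the client secret that the converted kubeconfig above stores in plaintext.

```python
import base64
import json

# Constructed placeholder identifiers (not the question's real values).
SERVER_ID = "00000000-0000-0000-0000-00000000aaaa"   # AKS AAD server app (--server-id)
CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"   # service principal application id
OBJECT_ID = "00000000-0000-0000-0000-00000000cccc"   # service principal object id
TENANT_ID = "00000000-0000-0000-0000-00000000dddd"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, WITHOUT signature verification.
    Local diagnostics only: the API server is the party that verifies tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def token_from_exec_credential(output: str) -> str:
    """Extract status.token from the ExecCredential JSON an exec plugin prints."""
    doc = json.loads(output)
    if doc.get("kind") != "ExecCredential":
        raise ValueError("plugin output is not an ExecCredential")
    return doc["status"]["token"]


def exec_args(kubeconfig: dict, user_name: str) -> list:
    """Exec-plugin args for a named user entry of a loaded kubeconfig."""
    for entry in kubeconfig["users"]:
        if entry["name"] == user_name:
            return list(entry["user"]["exec"]["args"])
    raise KeyError(f"no user {user_name!r} in kubeconfig")


def flag_value(args: list, flag: str):
    """kubelogin flags and values are separate list items: ['--server-id', '<id>']."""
    for i in range(len(args) - 1):
        if args[i] == flag:
            return args[i + 1]
    return None


def audit(kubeconfig: dict, user_name: str, exec_output: str, binding: dict) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    args = exec_args(kubeconfig, user_name)
    claims = jwt_claims(token_from_exec_credential(exec_output))

    # 1. Audience: the API server accepts only tokens minted for its own server app.
    #    AAD v1 ("legacy") tokens may carry the audience with an "spn:" prefix.
    aud = str(claims.get("aud", ""))
    if aud.startswith("spn:"):
        aud = aud[len("spn:"):]
    server_id = flag_value(args, "--server-id")
    if aud != server_id:
        findings.append(f"aud={claims.get('aud')!r} does not match --server-id={server_id!r}; "
                        "a token the server is not configured for is rejected before RBAC (401)")

    # 2. Tenant: the token must be issued by the tenant the kubeconfig names.
    if claims.get("tid") != flag_value(args, "--tenant-id"):
        findings.append(f"tid={claims.get('tid')!r} does not match --tenant-id in kubeconfig")

    # 3. Subject: the question's setup binds the service principal's object id, so the
    #    User subject name must equal the oid claim for RBAC to match at all.
    bound = {s.get("name") for s in binding.get("subjects", []) if s.get("kind") == "User"}
    name = binding.get("metadata", {}).get("name", "?")
    if claims.get("oid") not in bound:
        findings.append(f"oid={claims.get('oid')!r} is bound by no User subject in {name}; "
                        "an accepted identity with no binding gets 403, not 401")

    # 4. Secret hygiene: anyone who can read the kubeconfig can read the secret.
    if "--client-secret" in args:
        findings.append("client secret stored in plaintext in kubeconfig exec args; kubelogin also "
                        "reads AAD_SERVICE_PRINCIPAL_CLIENT_SECRET from the environment instead")
    return findings


def _unsigned_jwt(claims: dict) -> str:
    """Constructed sample token with an empty signature; no real server would accept it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample inputs mirroring the question's layout.
SAMPLE_EXEC_OUTPUT = json.dumps({
    "kind": "ExecCredential", "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {}, "status": {"token": _unsigned_jwt(
        {"aud": SERVER_ID, "tid": TENANT_ID, "oid": OBJECT_ID, "appid": CLIENT_ID})},
})
SAMPLE_KUBECONFIG = {"users": [{"name": "clusterUser_xxxxxx", "user": {"exec": {
    "command": "kubelogin",
    "args": ["get-token", "--environment", "AzurePublicCloud", "--server-id", SERVER_ID,
             "--client-id", CLIENT_ID, "--tenant-id", TENANT_ID, "--legacy",
             "--client-secret", "<spn_secret>", "--login", "spn"]}}}]}
SAMPLE_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "sp-role-binding"},
                  "subjects": [{"kind": "User", "name": OBJECT_ID}],
                  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}

if __name__ == "__main__":
    for line in audit(SAMPLE_KUBECONFIG, "clusterUser_xxxxxx", SAMPLE_EXEC_OUTPUT, SAMPLE_BINDING):
        print("finding:", line)
```

Against a real cluster, feed `audit` the output of the exact `kubelogin get-token ...` command from the kubeconfig (captured to a string) rather than the constructed token, and the loaded kubeconfig and binding; the findings then say which of the audience, tenant, or subject does not line up, and the 401-versus-403 wording tells you which layer of the API server is refusing the request.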