Connecting to an AKS Cluster Non Interactivity — Part 3

Client and Server Tenant Application

AZ AKS CLI and Kubectl Flow

  1. First up you will run the az aks get-credentials … command to get the skeleton kubeconfig file. If you look at your kubeconfig file now, you will notice it is missing your user identity fields (access-token, refresh-token, expires-in and expires-on).
  2. If there is no existing access-token in the kubeconfig file for this cluster, kubectl will call the device code flow (https://github.com/kubernetes/client-go/tree/master/plugin/pkg/client/auth/azure) against the Microsoft Identity Platform. As part of this flow, kubectl will use the client-id as the client and the apiserver-id as the resource we want to access.
  3. This device code endpoint will return information including the url to be displayed to the user and a code that the user will input after navigating to the url. The code will be used to identify the session initiated via the /devicecode endpoint. The user must now open the url and enter the device code.
  4. The user will now be prompted to authenticate their identity via the client application, like in our earlier examples where we had to enter our username and password.
  5. In the meantime, kubectl will continuously poll the tenant oauth token endpoint to check if a token has been issued for the device code and client application.
  6. Once the user has successfully signed in, the polling kubectl code will get an access token, refresh token and token expiry information and write them to the kubeconfig file alongside the auth-provider section.
  7. Now kubectl will continue its call to the api server.
  8. The webhook auth will then check the ID token passed to it. It will use the server app id and secret we talked about earlier to query the Microsoft Identity Platform to verify the user's JWT and also get a list of all the AD groups the user is part of.
  9. Using this information coupled with the Kubernetes roles and rolebindings, Kubernetes will determine if you have access to the namespace and/or resource in question in the cluster.
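The client-side half of that flow (steps 1, 2, 5 and 6), as an added example that is not code from the article or from kubectl's azure auth-provider plugin. It models, entirely offline, what the plugin does around the device code exchange: decide from the kubeconfig whether a device code flow is needed at all, poll a token endpoint honouring the RFC 8628 `authorization_pending` and `slow_down` responses, and write the four identity fields back into the auth-provider config. Assumptions: the GUIDs and tokens are placeholders, the kubeconfig is a constructed in-memory dict rather than a YAML file, the token endpoint is a stand-in callable rather than an HTTP POST, and the request parameter names are illustrative only (the stand-in checks nothing but the device code).

```python
"""Added example (not the article's or kubectl's code): the device code flow
that the kubeconfig azure auth-provider triggers, modelled offline."""
import time

# Constructed kubeconfig auth-provider block as `az aks get-credentials` leaves
# it: the auth-provider config is present, the identity fields are absent.
SKELETON_AUTH_PROVIDER = {
    "name": "azure",
    "config": {
        "apiserver-id": "00000000-0000-0000-0000-00000000aaaa",  # placeholder GUID
        "client-id": "00000000-0000-0000-0000-00000000bbbb",     # placeholder GUID
        "tenant-id": "00000000-0000-0000-0000-00000000cccc",     # placeholder GUID
        "environment": "AzurePublicCloud",
    },
}

IDENTITY_FIELDS = ("access-token", "refresh-token", "expires-in", "expires-on")


def needs_device_code(auth_provider, now=None):
    """Steps 1/2: a device code flow is needed when the kubeconfig has no
    usable access-token. An expired token (expires-on, a unix timestamp
    string, in the past) is treated as unusable here as well; the real plugin
    would try the refresh token first, which this example leaves out."""
    cfg = auth_provider["config"]
    missing = [f for f in IDENTITY_FIELDS if f not in cfg]
    if missing:
        return True, missing
    now = time.time() if now is None else now
    if float(cfg["expires-on"]) <= now:
        return True, ["expires-on (expired)"]
    return False, []


def poll_for_token(token_endpoint, device_code, client_id, resource,
                   interval, expires_in, sleep=time.sleep, clock=time.time):
    """Steps 5/6: poll the tenant token endpoint until a token is issued.
    `token_endpoint` is a callable standing in for the HTTP POST and returns a
    dict shaped like the JSON response. Error handling follows RFC 8628:
    authorization_pending -> wait `interval`, slow_down -> add 5 s to the
    interval, anything else (expired_token, access_denied) -> give up."""
    deadline = clock() + expires_in
    while clock() < deadline:
        resp = token_endpoint({          # parameter names are illustrative
            "grant_type": "device_code",
            "client_id": client_id,
            "resource": resource,        # the apiserver-id, per step 2
            "code": device_code,
        })
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            sleep(interval)
        elif err == "slow_down":
            interval += 5
            sleep(interval)
        else:
            raise RuntimeError(f"device code flow failed: {err}")
    raise TimeoutError("device code expired before the user signed in")


def store_identity(auth_provider, token_resp, now):
    """Step 6: write the identity fields next to the auth-provider config.
    expires-on is derived from expires_in when the response lacks it."""
    cfg = auth_provider["config"]
    cfg["access-token"] = token_resp["access_token"]
    cfg["refresh-token"] = token_resp["refresh_token"]
    cfg["expires-in"] = str(token_resp["expires_in"])
    cfg["expires-on"] = str(token_resp.get(
        "expires_on", int(now + int(token_resp["expires_in"]))))
    return cfg


def run_demo():
    """Wire the pieces together with a stand-in endpoint that answers
    authorization_pending twice, slow_down once, then issues a token."""
    auth_provider = {"name": "azure",
                     "config": dict(SKELETON_AUTH_PROVIDER["config"])}
    # Constructed /devicecode response: shape only, every value is fake.
    devicecode_resp = {"device_code": "FAKE-DEVICE-CODE", "user_code": "ABCD1234",
                       "verification_url": "https://example.invalid/devicelogin",
                       "interval": 5, "expires_in": 900}
    answers = iter([{"error": "authorization_pending"},
                    {"error": "authorization_pending"},
                    {"error": "slow_down"},
                    {"access_token": "FAKE.JWT.TOKEN",
                     "refresh_token": "FAKE-REFRESH", "expires_in": "3599"}])
    sleeps, clock = [], [1_000_000.0]   # fake sleep advances a fake clock

    def fake_sleep(seconds):
        sleeps.append(seconds)
        clock[0] += seconds

    def fake_endpoint(params):
        assert params["code"] == devicecode_resp["device_code"]
        return next(answers)

    token = poll_for_token(fake_endpoint, devicecode_resp["device_code"],
                           auth_provider["config"]["client-id"],
                           auth_provider["config"]["apiserver-id"],
                           devicecode_resp["interval"], devicecode_resp["expires_in"],
                           sleep=fake_sleep, clock=lambda: clock[0])
    store_identity(auth_provider, token, now=clock[0])
    return {"auth_provider": auth_provider, "sleeps": sleeps,
            "needs_flow_after": needs_device_code(auth_provider, now=clock[0])[0]}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the poll waiting 5 s, 5 s and then 10 s after the `slow_down` back-off before the token arrives, after which `needs_device_code` reports that no further flow is needed. The same check is what tells you, when inspecting a kubeconfig on a build agent, whether the next kubectl call will try to open an interactive device code prompt.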

Kubeconfig Identity Items

Adrian Hynes

Cloud Platform Architect. Opinions and articles on medium are my own.