Connecting to an AKS Cluster Non Interactivity — Part 3

Client and Server Tenant Application

To enable Azure Active Directory integration in your AKS cluster, you need two Tenant Applications, a Client and a Server, both registered with the Microsoft Identity Platform. The Server application represents the Kubernetes API server (its application ID is the apiserver-id below) and holds the client secret the authentication webhook uses; the Client application is the public client that kubectl signs in with (the client-id below).

AZ AKS CLI and Kubectl Flow

Let's look at the flow: first you get what I like to call the skeleton Kubeconfig file via the az cli, and then kubectl fills in the Identity section of the Kubeconfig file on first use.

  1. First up you run the az aks get-credentials … command to get the skeleton kubeconfig file. If you look at your kubeconfig file now, you will notice it's missing your user identity fields (access-token, refresh-token, expires-in and expires-on); only the static fields (apiserver-id, client-id, tenant-id and environment) are present under the azure auth-provider.
  2. If there is no existing access-token in the kubeconfig file for this cluster, kubectl runs the device code flow (https://github.com/kubernetes/client-go/tree/master/plugin/pkg/client/auth/azure) against the Microsoft Identity Platform. As part of this flow, kubectl uses the client-id as the client and the apiserver-id as the resource we want a token for. (That in-tree azure auth provider has since been removed from kubectl, as of v1.26, in favour of the kubelogin exec plugin, but the sequence below is the same.)
  3. The /devicecode endpoint returns information including the URL to be displayed to the user, a user code that the user will enter after navigating to the URL, and a device code that identifies the session initiated via the /devicecode endpoint. The user must now open the URL and enter the user code.
  4. The user is then prompted to authenticate via the client application, like in our earlier examples where we had to enter our username and password (plus MFA, if the tenant requires it).
  5. In the meantime, kubectl continuously polls the tenant's OAuth token endpoint, at the interval the /devicecode response asked for, to check whether a token has been issued for that device code and client application. Until the user finishes signing in the endpoint answers with authorization_pending.
  6. Once the user has successfully signed in, the polling kubectl code receives an access token, a refresh token and the token expiry information, and writes them to the kubeconfig file alongside the existing auth-provider section.
  7. Now kubectl continues its call to the API server, sending the access token as a bearer token.
  8. The authentication webhook then checks the bearer token passed to it. It uses the server app ID and secret we talked about earlier to query the Microsoft Identity Platform, verifying the user's JWT and retrieving the list of AD groups the user is a member of (the group object IDs).
  9. Using this identity and group information, coupled with the Kubernetes Role/RoleBinding (or ClusterRole/ClusterRoleBinding) objects that reference those group object IDs, Kubernetes determines whether you have access to the namespace and/or resource in question in the cluster.
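To make steps 2 to 6 concrete, here is an added example (not code from the article or from kubectl) that performs the device code flow with the client app against the server app as the resource, and writes the resulting tokens into the kubeconfig auth-provider section in the same field names the in-tree azure plugin reads. It assumes the Microsoft Identity Platform v2.0 endpoints (the in-tree plugin itself talks to the older v1 ADAL endpoints, but the kubeconfig fields are the same), the public Azure cloud authority, and a user name of the form clusterUser_<resource-group>_<cluster> as az aks get-credentials creates it. The standard library is enough; PyYAML is used only if it is installed, otherwise the kubeconfig is read and written as JSON, which kubectl also accepts.

```python
"""Device-code sign-in for an AAD-integrated AKS cluster, then write the identity
fields into the kubeconfig. Added example for this article, not kubectl's code."""
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

try:
    import yaml  # optional; kubectl also accepts a JSON-formatted kubeconfig
except ImportError:
    yaml = None

# Assumption: public cloud authority. Sovereign clouds use a different host.
AUTHORITY = "https://login.microsoftonline.com"


def device_code_request(tenant_id, client_id, apiserver_id):
    """Step 2: what kubectl sends to /devicecode. client_id is the *client* app,
    apiserver_id the *server* app, expressed as the scope on the v2.0 endpoint."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/devicecode"
    body = {
        "client_id": client_id,
        # offline_access is what yields the refresh token kubectl stores
        "scope": f"{apiserver_id}/.default offline_access openid",
    }
    return url, body


def token_poll_request(tenant_id, client_id, device_code):
    """Step 5: the request kubectl repeats against the token endpoint."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "client_id": client_id,
        "device_code": device_code,
    }
    return url, body


def post_form(url, body):
    """POST a form-encoded body; return (HTTP status, decoded JSON).
    AAD answers pending polls with HTTP 400 and a JSON error body."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def auth_provider_config(token, tenant_id, client_id, apiserver_id, now=None):
    """Step 6: the fields under users[].user.auth-provider.config.
    kubectl stores every value as a string; expires-on is unix seconds."""
    now = int(time.time()) if now is None else now
    expires_in = int(token["expires_in"])
    return {
        "apiserver-id": apiserver_id,
        "client-id": client_id,
        "tenant-id": tenant_id,
        "environment": "AzurePublicCloud",
        "access-token": token["access_token"],
        "refresh-token": token["refresh_token"],
        "expires-in": str(expires_in),
        "expires-on": str(now + expires_in),
    }


def merge_user(kubeconfig, user_name, config):
    """Attach the azure auth-provider section to the named user, adding the user if absent."""
    users = kubeconfig.setdefault("users", [])
    for entry in users:
        if entry.get("name") == user_name:
            break
    else:
        entry = {"name": user_name}
        users.append(entry)
    entry["user"] = {"auth-provider": {"name": "azure", "config": config}}
    return kubeconfig


def run_device_code_flow(tenant_id, client_id, apiserver_id):
    """Steps 2-6 end to end. Needs network access and a user with a browser."""
    status, dc = post_form(*device_code_request(tenant_id, client_id, apiserver_id))
    if status != 200:
        raise RuntimeError(f"devicecode request failed: {dc}")
    print(dc["message"])  # tells the user which URL to open and which code to enter
    interval = int(dc.get("interval", 5))
    deadline = time.time() + int(dc["expires_in"])
    url, body = token_poll_request(tenant_id, client_id, dc["device_code"])
    while time.time() < deadline:
        time.sleep(interval)
        status, tok = post_form(url, body)
        if status == 200:
            return tok
        if tok.get("error") == "slow_down":
            interval += 5  # AAD asks us to back off
        elif tok.get("error") != "authorization_pending":
            raise RuntimeError(f"token request failed: {tok}")
    raise TimeoutError("device code expired before the user signed in")


if __name__ == "__main__":
    # usage: python aks_device_code.py <tenant-id> <client-id> <apiserver-id> <user-name> <kubeconfig>
    tenant, client, server, user_name, path = sys.argv[1:6]
    with open(path) as fh:
        cfg = yaml.safe_load(fh) if yaml else json.load(fh)
    tok = run_device_code_flow(tenant, client, server)
    merge_user(cfg, user_name, auth_provider_config(tok, tenant, client, server))
    with open(path, "w") as fh:
        yaml.safe_dump(cfg, fh) if yaml else json.dump(cfg, fh, indent=2)
```

The access and refresh tokens land in the kubeconfig in plain text, exactly as kubectl writes them, so treat that file with the same care as the credentials it replaces: once expires-on passes, the plugin silently uses the refresh token to get a new access token without any user prompt.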

Kubeconfig Identity Items

So let's finish this Part by looking at the Identity Items in the Kubeconfig file, that is, the access-token, refresh-token, expires-in and expires-on fields kubectl adds under the azure auth-provider config.


Adrian Hynes


Cloud Platform Architect. Opinions and articles on medium are my own.