Kubeconfig Authentication Helper for the Kubernetes API Server in conjunction with kubectl
kubazulo is a client-go credential (exec) plugin implementing Azure authentication. It plugs seamlessly into the process of communicating with the Kubernetes API server; for this the kubeconfig needs to be adapted.
kubazulo can be used to authenticate to general Kubernetes clusters using Azure Active Directory as an OIDC provider.
- Create an AAD Enterprise Application and the corresponding App Registration. Check the "Allow public client flows" checkbox. Configure groups to be included in the token (otherwise the groups claim the API server is told to read below will be absent). Take note of the directory (tenant) ID as $AAD_TENANT_ID and the application (client) ID as $AAD_CLIENT_ID.
- Configure the API server with the following flags:
- Issuer URL: --oidc-issuer-url=https://sts.windows.net/$AAD_TENANT_ID/
- Client ID: --oidc-client-id=$AAD_CLIENT_ID
- Username claim: --oidc-username-claim=upn
- Groups claim: --oidc-groups-claim=groups
See the Kubernetes docs for optional flags.
- Configure the exec plugin with kubazulo to use the application from the first step. The first variant lets kubazulo talk to AAD directly; the second variant (--intermediate true) fetches the token from an intermediate endpoint $APIGW_ENDPOINT instead:

```shell
kubectl config set-credentials "kubazulo-azuread" \
--exec-api-version=client.authentication.k8s.io/v1 \
--exec-command=kubazulo \
--exec-arg=get-token \
--exec-arg=--client-id \
--exec-arg=$AAD_CLIENT_ID \
--exec-arg=--tenant-id \
--exec-arg=$AAD_TENANT_ID
```

```shell
kubectl config set-credentials "kubazulo-azuread" \
--exec-api-version=client.authentication.k8s.io/v1beta1 \
--exec-command=kubazulo \
--exec-arg=get-token \
--exec-arg=--client-id \
--exec-arg=$AAD_CLIENT_ID \
--exec-arg=--tenant-id \
--exec-arg=$AAD_TENANT_ID \
--exec-arg=--loginmode \
--exec-arg=interactive \
--exec-arg=--intermediate \
--exec-arg=true \
--exec-arg=--api-token-endpoint \
--exec-arg=$APIGW_ENDPOINT
```
Please DON'T FORGET to set the OS environment variables ($AAD_CLIENT_ID, $AAD_TENANT_ID and, for the second variant, $APIGW_ENDPOINT) in your shell before running these commands: kubectl stores the expanded values in the kubeconfig, and an unset variable silently becomes an empty exec argument that only fails later at login time.
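The API server flags above and the exec plugin only fit together if the token kubazulo hands to kubectl carries the claims those flags name. The following is an added example (not kubazulo's own code) that shows both halves of that contract: it mirrors the issuer, audience, expiry, upn and groups checks the API server performs, and it builds the ExecCredential JSON document an exec plugin prints to stdout for kubectl. Tenant ID, client ID, user and group values are constructed placeholders, and the sample token is unsigned; real signature verification is done by the API server against the issuer's published keys, not here.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional

EXEC_API_VERSION = "client.authentication.k8s.io/v1"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, tenant_id: str, client_id: str,
                 now: Optional[datetime] = None) -> List[str]:
    """Mirror the checks the API server does with --oidc-issuer-url,
    --oidc-client-id, --oidc-username-claim=upn and --oidc-groups-claim=groups.
    Returns the list of problems found (an empty list means the token would
    map to a user and groups). Signature verification is deliberately NOT
    done: the API server fetches the issuer's signing keys and does it."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    expected_iss = f"https://sts.windows.net/{tenant_id}/"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append(f"aud {aud!r} does not match the client id")
    exp = claims.get("exp")
    if exp is None or datetime.fromtimestamp(exp, timezone.utc) <= now:
        problems.append("token has no exp or is already expired")
    if not claims.get("upn"):
        problems.append("no upn claim: --oidc-username-claim=upn cannot map a user")
    if not isinstance(claims.get("groups"), list):
        problems.append("no groups claim: groups not configured on the app registration")
    return problems


def build_exec_credential(token: str) -> dict:
    """The JSON document an exec plugin writes to stdout for kubectl.
    expirationTimestamp comes from the token's exp claim, so kubectl knows
    when to run the plugin again instead of reusing a stale token."""
    exp = datetime.fromtimestamp(decode_jwt_claims(token)["exp"], timezone.utc)
    return {
        "apiVersion": EXEC_API_VERSION,
        "kind": "ExecCredential",
        "status": {
            "token": token,
            "expirationTimestamp": exp.strftime("%Y-%m-%dT%H:%M:%SZ"),
        },
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: correct JWT layout, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder"


# Constructed sample values (not real tenants, clients or users).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

GOOD_CLAIMS = {
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": CLIENT_ID,
    "exp": int((FIXED_NOW + timedelta(hours=1)).timestamp()),
    "upn": "alice@example.com",
    "groups": ["00000000-0000-0000-0000-000000000001"],
}
# Typical misconfiguration: token issued by the v2.0 endpoint (issuer does not
# match --oidc-issuer-url) and the app registration never set to emit groups.
BAD_CLAIMS = {k: v for k, v in GOOD_CLAIMS.items() if k != "groups"}
BAD_CLAIMS["iss"] = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

if __name__ == "__main__":
    print("good token:", check_claims(GOOD_CLAIMS, TENANT_ID, CLIENT_ID, FIXED_NOW))
    print("bad token: ", check_claims(BAD_CLAIMS, TENANT_ID, CLIENT_ID, FIXED_NOW))
    print(json.dumps(build_exec_credential(make_unsigned_token(GOOD_CLAIMS)), indent=2))
```

When a login "succeeds" in the browser but kubectl still reports Unauthorized, run the token kubazulo obtained through check_claims: an issuer from the v2.0 endpoint or a missing groups claim are the usual causes, and both are settings on the AAD side, not in the kubeconfig.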
- Use this credential to connect to the cluster; the set-context and use-context commands for this are listed at the end of this page.

Parameters of the get-token subcommand:
| Parameter | Description | Mandatory | Choices | Default |
|---|---|---|---|---|
| --client-id | Azure application (client) ID of the App Registration | ✔️ | n/a | n/a |
| --tenant-id | Azure directory (tenant) ID | ✔️ | n/a | n/a |
| --force-login | Ignore cached browser session data and force a fresh login | ❌ | true, false | false |
| --loopbackport | Port of the local loopback listener that receives the browser callback | ❌ | n/a | 58433 |
| --loginmode | Authentication flow to use | ❌ | interactive, devicecode | interactive |
| --intermediate | Fetch the token from an intermediate endpoint (--api-token-endpoint) instead of directly from AAD | ❌ | true, false | false |
| --api-token-endpoint | Endpoint the token is fetched from when --intermediate is true | ❌ | n/a | n/a |
kubazulo also logs the operations it performs to the following file; check it first when a login fails:
$HOME/.kube/kubazulo/application.log
If kubectl is not installed yet, see https://kubernetes.io/docs/tasks/tools/ . Then point a context at the cluster using the kubazulo credential configured above:

```shell
kubectl config set-context "$CLUSTER_NAME" --cluster="$CLUSTER_NAME" --user=kubazulo-azuread
kubectl config use-context "$CLUSTER_NAME"
```