adjusted Service principal login flow doc steps #18

Merged
merged 2 commits into from
Jun 24, 2020
42 changes: 35 additions & 7 deletions README.md
Expand Up @@ -34,17 +34,30 @@ If you are using kubeconfig from AKS AADv1 clusters, `convert-kubeconfig` comman

#### Service principal login flow (non interactive)

> On AKS, it will only work with managed AAD
> On AKS, it will only work with managed AAD. Service principal can be member of maximum 250 AAD groups.

Create a service principal or use an existing one.

```sh
export KUBECONFIG=/path/to/kubeconfig
az ad sp create-for-rbac --skip-assignment --name myAKSAutomationServicePrincipal
```
The output is similar to the following example.

kubelogin convert-kubeconfig -l spn
```json

export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn client id>
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<spn secret>
{
"appId": "<spn client id>",
"displayName": "myAKSAutomationServicePrincipal",
"name": "http://myAKSAutomationServicePrincipal",
"password": "<spn secret>",
"tenant": "<aad tenant id>"
}
```

kubectl get no
Query your service principal AAD Object ID by using the command below.

```sh
az ad sp show --id <spn client id> --query "objectId"
```

To configure the role binding on Azure Kubernetes Service, the user in rolebinding should be the AAD Object ID.
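Review bot: the `az ad sp show --id <spn client id> --query "objectId"` step added here returns the object ID as a JSON-quoted string, so pasting it straight into the `subjects[].name` field of the rolebinding (which this hunk says must be the AAD Object ID) carries the surrounding quotes along; suggest `az ad sp show --id <spn client id> --query objectId -o tsv` so the bare value can be copied or captured in a variable. Two smaller points on the same hunk: the new note line reads better as "A service principal can be a member of at most 250 AAD groups", and since the sample `create-for-rbac` output shows the `password` field in clear, a sentence telling readers to store that secret in a secret manager rather than leaving it in terminal scrollback or a committed file would round out the documentation.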
Expand All @@ -55,7 +68,7 @@ For example,
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: msi-role-binding
name: sp-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
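Review bot: the rename of `metadata.name` from `msi-role-binding` to `sp-role-binding` matches the service principal section, but a reader who applied the earlier README will end up with two ClusterRoleBindings, because `kubectl apply` of the new manifest creates `sp-role-binding` rather than replacing `msi-role-binding`; consider a one-line note that the old binding can be removed once the new one is in place.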
Expand All @@ -66,6 +79,21 @@ subjects:
name: <service-principal-object-id>
```

Use Kubelogin to convert your kubeconfig

```sh
export KUBECONFIG=/path/to/kubeconfig

kubelogin convert-kubeconfig -l *spn*

export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn client id>
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<spn secret>

kubectl get no
```



#### User Principal login flow (non interactive)

> Note: ROPC is not supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity providers, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however.
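Review bot: `kubelogin convert-kubeconfig -l *spn*` inside the `sh` fence is a bug, not emphasis: asterisks are literal inside a fenced block, so a reader who copies the line hands `*spn*` to the shell, which glob-expands it against the current directory and, with no match, passes the literal `*spn*` as the login mode. It should be `kubelogin convert-kubeconfig -l spn`, which is what the line this hunk replaces in the earlier section used. Also in this hunk: exporting `AAD_SERVICE_PRINCIPAL_CLIENT_SECRET` as a plain `export` in an interactive shell records the secret in shell history, so a short note on sourcing it from a protected file or prompting for it would be worth adding, and the three blank lines before the `#### User Principal login flow` heading can be collapsed to one.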