Azure Kubernetes Service (AKS) is a managed Kubernetes service provided by Microsoft Azure. It allows users to deploy, scale, and manage containerized applications on a Kubernetes cluster without the need to manage the underlying infrastructure. Terraform is an infrastructure as code tool that can be used to automate the deployment and management of cloud infrastructure, including AKS clusters. In this article, we will explore how to use the Kubernetes credential plugin kubelogin with Terraform to authenticate with an AKS cluster.
What is kubelogin?
Kubelogin is a Kubernetes credential plugin that authenticates users to a Kubernetes cluster through an external identity provider. It provides a seamless and secure way to authenticate without storing and managing long-lived Kubernetes credentials on a user's local machine. Kubelogin supports identity providers including Azure Active Directory (AAD), Google, and Okta.
Prerequisites
Before we begin, we need to ensure that we have the following prerequisites:
- An Azure subscription
- An AKS cluster
- Terraform installed on our local machine
- The Azure CLI installed on our local machine
- The kubelogin plugin installed on our local machine
Install kubelogin
To install the kubelogin plugin on our local machine, we can use the following command:
$ curl -LO https://github.com/Azure/kubelogin/releases/download/v0.0.12/kubelogin-linux-amd64.zip
$ unzip kubelogin-linux-amd64.zip
$ sudo mv bin/linux_amd64/kubelogin /usr/local/bin/
This downloads the release archive, unpacks it (the binary sits at bin/linux_amd64/kubelogin inside the zip), and places kubelogin on our PATH.
Configure kubelogin with Azure Active Directory
To configure kubelogin with Azure Active Directory, we need to first create an Azure Active Directory application and assign it the required permissions. We can do this using the Azure CLI with the following commands:
$ az ad app create --display-name "kubelogin" --native-app --reply-urls "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#azure-active-directory"
$ az ad app permission add --id <application-id> --api 00000002-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
$ az ad app permission grant --id <application-id> --api 00000002-0000-0000-c000-000000000000
Replace <application-id> with the application ID of the Azure Active Directory application that was created.
Next, we need to create a Kubernetes configuration file that specifies the Azure Active Directory authentication provider. We can create this file using the following command:
$ cat <<EOF > kubeconfig.yaml
apiVersion: v1
kind: Config
clusters:
- name: my-aks-cluster
  cluster:
    server: https://<cluster-name>.azure.com
    certificate-authority-data: <certificate-authority-data>
contexts:
- name: my-aks-context
  context:
    cluster: my-aks-cluster
    user: my-aks-user
users:
- name: my-aks-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin
      # kubelogin get-token takes its own flags (--login, --server-id, --client-id,
      # --tenant-id); the --auth-provider flags belonged to the legacy in-tree provider.
      args:
      - get-token
      - --login
      - devicecode
      - --server-id
      - <server-app-id>      # placeholder: the AAD server application the cluster trusts
      - --client-id
      - <application-id>
      - --tenant-id
      - <tenant-id>
EOF
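As an added example that is not part of the original article, the following audit function checks a parsed kubeconfig for the properties this setup relies on: every user authenticates through the kubelogin exec plugin rather than a static token, client certificate or the legacy in-tree auth-provider, the API server has a CA configured, and no angle-bracket placeholders from the template were left unfilled. The sample kubeconfig is constructed here and passed as a plain dict, so no YAML library is needed.

```python
import re
from typing import Dict, List

# Exec plugin API versions kubectl accepts, and keys that embed long-lived credentials.
EXEC_API_VERSIONS = {"client.authentication.k8s.io/v1beta1", "client.authentication.k8s.io/v1"}
STATIC_CREDENTIAL_KEYS = ("token", "password", "client-certificate-data", "client-key-data")
PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. "<tenant-id>" left over from the template

def audit_user(name: str, user: Dict) -> List[str]:
    """Findings for one entry of the kubeconfig 'users' list."""
    findings = [f"user {name}: static credential '{k}' stored in kubeconfig"
                for k in STATIC_CREDENTIAL_KEYS if k in user]
    if "auth-provider" in user:  # in-tree azure/gcp providers were removed in kubectl v1.26
        findings.append(f"user {name}: legacy auth-provider block; use an exec plugin instead")
    exec_cfg = user.get("exec")
    if exec_cfg is None:
        return findings
    if exec_cfg.get("apiVersion") not in EXEC_API_VERSIONS:
        findings.append(f"user {name}: unsupported exec apiVersion {exec_cfg.get('apiVersion')!r}")
    if exec_cfg.get("command") != "kubelogin":
        findings.append(f"user {name}: exec command is {exec_cfg.get('command')!r}, not kubelogin")
    findings += [f"user {name}: unresolved placeholder in exec arg {a!r}"
                 for a in exec_cfg.get("args", []) if PLACEHOLDER.search(str(a))]
    return findings

def audit_kubeconfig(cfg: Dict) -> List[str]:
    """Audit every cluster and user entry; an empty list means nothing to fix."""
    findings: List[str] = []
    for entry in cfg.get("clusters", []):
        cluster, cname = entry.get("cluster", {}), entry.get("name", "?")
        if cluster.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {cname}: insecure-skip-tls-verify is set")
        elif not (cluster.get("certificate-authority-data") or cluster.get("certificate-authority")):
            findings.append(f"cluster {cname}: no CA configured for the API server")
    for entry in cfg.get("users", []):
        findings += audit_user(entry.get("name", "?"), entry.get("user", {}))
    return findings

# Constructed sample: a kubelogin user with one placeholder unfilled, plus a CI user still on a static token.
SAMPLE_KUBECONFIG = {
    "clusters": [{"name": "my-aks-cluster", "cluster": {
        "server": "https://example.invalid", "certificate-authority-data": "LS0tLS0="}}],
    "users": [
        {"name": "my-aks-user", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1", "command": "kubelogin",
            "args": ["get-token", "--login", "devicecode", "--tenant-id", "<tenant-id>"]}}},
        {"name": "ci-bot", "user": {"token": "constructed-static-token"}},
    ],
}
```

Calling audit_kubeconfig(SAMPLE_KUBECONFIG) returns two findings: the unresolved <tenant-id> placeholder on my-aks-user and the static token on ci-bot.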