Access Azure AKS Kubernetes Cluster Programmatically

Aby Jacob
6 min read · Dec 4, 2020


The superpowers of Kubernetes (K8s) are acknowledged by start-ups and enterprises alike. With the increased adoption of K8s, the number of Kubernetes tools and automations is on the rise. Being able to get visibility into a K8s cluster programmatically is one of the critical stepping stones for creating such tools. To make it more complex, every managed K8s provider has bespoke authentication and authorisation mechanisms. This blog discusses how to access a managed Kubernetes cluster programmatically; to facilitate the example we have taken Azure AKS as our K8s provider.

To begin with, K8s provides multiple authentication mechanisms, including token authentication, certificate-based authentication, etc. All such auth mechanisms are supported by Azure and other K8s providers by default. However, it is highly unlikely that any organisation with security as a priority would allow such direct, cluster-level access for your tool or app. Hence, it is imperative that the application authenticates according to the best practices recommended by the K8s provider.

In order to integrate your app with Azure AKS and implement a safe authentication mechanism without a user in the loop, we shall use the OAuth2 'client credentials' flow. It allows you to access hosted resources by using the identity of an application. This type of grant is commonly used for server-to-server interactions that run in the background, without immediate interaction with a user. As a prerequisite you should have an Azure free tier account and beginner-level knowledge of Azure, REST, etc.

Overview of Steps
1. Create an Azure AD group
2. Create / Update AKS Cluster to enable access for the AD Group users
3. Provide 'Cluster User' level access to the AD Group
4. Register an App with AD and link the app with the AD Group.

STEP 1

a. Log in to your Azure CLI and create a new Azure AD group for your cluster administrators, using the following command [vectorAppGroup is a name for your AD group]

b. Create an Azure resource group with the below command.

Create AD Group and Resource Group for AKS

Now you should see your AD group appear in the Azure GUI.

AD Group is now visible in Azure GUI

STEP 2

a. Create / update the AKS cluster to enable access for the AD group users with the command below

The parameters marked #optional are in fact optional (edit: --generate-ssh-keys).
Step sequence for creating an AKS cluster

Now if you try az aks get-credentials, it should return an error, as there are no users in the group yet.

b. Your AKS cluster is now available with the updated information; confirm accessibility to the cluster with the steps below. This step is optional.

Create a user, add them as a member of the created AD group and attempt to log in with that user. While creating the user you will get a password, which is needed for the subsequent authentication of that user.

STEP 3
Provide Cluster-User level access to the AD Group
a. Query the resource group

Give AD Group access to AKS cluster

STEP 4
Register an App with AD and link the app with the AD Group

a. Use Azure GUI > Active Directory to register an App. This App will be the touch point for your application to interact with Azure as well as your AKS assets. As far as AKS is concerned, this registered App is the reflection of your application.

Creating an App
Capture client id and other details

Note down the values highlighted in the box. These details are needed for establishing a connection with the AKS cluster.

While creating an App, Azure implicitly creates a Service Principal, which needs to be linked to the AD Group later.

Generating client secret

b. The above steps show how to generate a client secret; the secret has to be noted down, as it is not retrievable at a later time.

Note that in the above image, the highlighted box shows the addition of the App as a member of the AD Group.

c. Open the kubeconfig file written by the Azure CLI, available under ~/.kube/config, and make note of the server URL, API server ID and tenant ID. In essence, from all the above steps you should now have the following details, which are needed for establishing a connection with the AKS cluster.

The above values are just indicative. Use the values that resulted from your own configuration to test the connection during the onboarding process.

With these values available, you should be able to connect to the AKS cluster.

Test Connection

In order to access your resources, you should make a call to the Azure Graph APIs and receive a Bearer token, which will be used to authenticate your subsequent calls to resources. Azure-generated auth tokens always have a stipulated lifetime, and hence it is a best practice not to store your token anywhere.

Authentication Flow

In principle, the Microsoft Authentication Library (MSAL) provided by Microsoft can be used to acquire tokens from the Microsoft identity platform endpoint in order to authenticate users and access secured web APIs. The steps below show which endpoints play a part in the process; one may choose to interact with these endpoints directly, depending on requirements.

Obtaining the access token / bearer token from Microsoft Graph API

In the above (1st) step, you call the Microsoft Graph API to obtain the access token, which is then used in the 2nd step. Make note of the unique URL, which has your tenant ID embedded. The remaining details (client_id, client_secret, grant_type, scope) need to be provided in the POST body. The grant type specifies the type of authentication to be used, and the scope is the extent of authority you need on the resource for which the token is being requested. The bearer token is valid only for a period of one hour.
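The two-step exchange above, written out as an added example (this is not code from the original post, and it uses no Azure SDK): step 1 POSTs the client-credentials form to the tenant-specific token endpoint, step 2 sends the returned bearer token to the API server. It assumes the Microsoft identity platform v2.0 token endpoint at login.microsoftonline.com, that the scope is the API server ID from kubeconfig followed by /.default, and that the cluster CA comes from kubeconfig's certificate-authority-data; every concrete value in the block is a constructed placeholder. The token is held in memory only and checked against its expiry before reuse, which is the practical form of "do not store your token anywhere".

```python
# Added example, not from the original post. Assumes the v2.0 token endpoint on
# login.microsoftonline.com and the values the post says to collect: tenant id,
# client id, client secret, API server id and server URL from ~/.kube/config.
# All concrete values below are constructed placeholders.
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

LOGIN_HOST = "https://login.microsoftonline.com"
EXPIRY_SKEW_SECONDS = 60  # refresh a little before Azure's stated expiry


def token_request(tenant_id, client_id, client_secret, api_server_id):
    """Step 1: build the POST to the tenant-specific token endpoint.

    Returns (url, form-encoded body, headers). The scope is the AKS API server
    application id plus /.default, i.e. the app's pre-consented permissions.
    """
    url = f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{api_server_id}/.default",
    }
    body = urllib.parse.urlencode(form).encode("utf-8")
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def parse_token_response(raw, now=None):
    """Turn the JSON token reply into (access_token, absolute expiry time).

    Azure AD reports failures as {"error": ..., "error_description": ...};
    raising on that shape keeps a failed exchange from looking like a token.
    """
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(
            f"token request failed: {data.get('error')}: {data.get('error_description')}"
        )
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"], now + int(data["expires_in"])


def token_is_fresh(expires_at, now=None):
    """True while the in-memory token is still safely inside its lifetime."""
    now = time.time() if now is None else now
    return now + EXPIRY_SKEW_SECONDS < expires_at


def fetch_token(tenant_id, client_id, client_secret, api_server_id):
    """Perform step 1 for real: POST the form and parse the reply."""
    url, body, headers = token_request(tenant_id, client_id, client_secret, api_server_id)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


def cluster_tls_context(ca_b64):
    """Trust only the cluster CA (kubeconfig certificate-authority-data, base64 PEM)."""
    return ssl.create_default_context(cadata=base64.b64decode(ca_b64).decode("ascii"))


def kube_request(server, token, path):
    """Step 2: an API-server request carrying the bearer token."""
    req = urllib.request.Request(server.rstrip("/") + path, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def list_namespaces(server, token, ca_b64):
    """List the namespaces the service principal is authorised to see."""
    req = kube_request(server, token, "/api/v1/namespaces")
    with urllib.request.urlopen(req, context=cluster_tls_context(ca_b64), timeout=30) as resp:
        items = json.loads(resp.read())["items"]
    return [ns["metadata"]["name"] for ns in items]


if __name__ == "__main__":
    # Constructed placeholders: substitute the values from your own configuration.
    cfg = {
        "tenant_id": "<tenant-id>",
        "client_id": "<client-id>",
        "client_secret": "<client-secret>",
        "api_server_id": "<api-server-id>",
        "server": "https://<cluster>.hcp.<region>.azmk8s.io:443",
        "ca_b64": "<certificate-authority-data from kubeconfig>",
    }
    token, expires_at = fetch_token(cfg["tenant_id"], cfg["client_id"],
                                    cfg["client_secret"], cfg["api_server_id"])
    print("token valid for", int(expires_at - time.time()), "seconds (kept in memory only)")
    print(list_namespaces(cfg["server"], token, cfg["ca_b64"]))
```

Two design points worth keeping when adapting this: the request to the API server verifies TLS against the cluster CA from kubeconfig rather than disabling verification, and a reply without access_token is treated as an error instead of being passed on as an empty bearer value. If the service principal has not been added to the AD group that holds the Cluster User role, step 1 still succeeds but step 2 returns a 401/403 from the API server, which is the symptom to look for when onboarding fails.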
