kubectl-aad-login

Published: Feb 22, 2020 License: MIT

README


kubectl-aad-login is a kubectl plugin that supports several OAuth login flows on Azure AD which kubectl does not currently support itself. It populates the kubeconfig file with the acquired AAD token and refreshes the access token once it has expired. Currently, it supports:

  • device code flow with a fix for https://github.com/kubernetes/kubernetes/issues/86410, so that the audience claim does not carry the spn: prefix (supports AKS AADv1 and v2; this change is required for AKS AADv2 unless you are on kubectl versions TBD...)
  • non-interactive login using a service principal credential (supports AKS AADv2 only)
  • non-interactive login using a user principal credential (supports AKS AADv1 and v2)

The environments this has been tested against are AKS AAD and AKS AADv2 (public preview in March 2020).

Install

Download the plugin from https://github.com/weinong/kubectl-aad-login/releases/download/v0.0.1/kubectl-aad-login.zip

Copy the binary into a directory on your search path.

Build

GO111MODULE="on" go build cmd/kubectl-aad-login.go
mv kubectl-aad-login /path/to/go/bin

How to use

Device code flow

It is similar to the current kubectl implementation, except that the resulting AAD token has the proper audience claim without the "spn:" prefix. This addresses https://github.com/kubernetes/kubernetes/issues/86410

kubectl aad login
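As an added example (not part of the plugin's code): a small Go checker that decodes the payload of an AAD access token as written into kubeconfig and reports the two conditions the plugin handles, an aud claim that still carries the spn: prefix and a token whose exp has passed. The token it inspects is constructed and unsigned, and all function names here are my own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// aadClaims is the subset of AAD token claims relevant to the plugin.
type aadClaims struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// decodeClaims reads the JWT payload segment only; it does not verify the
// signature, so this is for inspecting a kubeconfig token, not trusting it.
func decodeClaims(token string) (aadClaims, error) {
	var c aadClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// CheckToken reports (spnPrefixed, expired): spnPrefixed is the audience
// form from kubernetes/kubernetes#86410 that AKS AADv2 rejects; expired
// is the condition under which the plugin re-acquires a token.
func CheckToken(token string, now time.Time) (bool, bool, error) {
	c, err := decodeClaims(token)
	if err != nil {
		return false, false, err
	}
	return strings.HasPrefix(c.Aud, "spn:"), now.Unix() >= c.Exp, nil
}

// MakeUnsignedToken builds a constructed alg=none JWT for demonstration.
func MakeUnsignedToken(aud string, exp int64) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(aadClaims{Aud: aud, Exp: exp})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	tok := MakeUnsignedToken("spn:example-server-id", time.Now().Add(-time.Hour).Unix())
	spn, expired, err := CheckToken(tok, time.Now())
	fmt.Println("spn prefix:", spn, "expired:", expired, "err:", err)
}
```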

Service Principal login

Non-interactive login using a service principal credential.

Note: this only works on AKS AAD v2.

export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<Service-Principal-Client-ID>
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<Service-Principal-Client-Secret>

kubectl aad login --service-principal

User Principal login

Non-interactive login using a user principal credential. It uses the Resource Owner Password Credentials (ROPC) flow.

Note: ROPC is not supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however. ROPC also does not work when an MFA policy is enabled. Personal accounts that are invited to an Azure AD tenant can't use ROPC.

export AAD_USER_PRINCIPAL_USERNAME=foo@bar.com
export AAD_USER_PRINCIPAL_PASSWORD=<password>

kubectl aad login --user-principal

Force refresh

Append --force to disregard the refresh token and always initiate the login flow.

Directories

  • pkg
  • cmd