Azure DevOps Pipelines authentication to AKS with Azure AD RBAC configured?
You can use kubelogin for your pipeline from https://github.com/Azure/kubelogin
Here's the full example, starting at the login step and continuing until getting the namespace resource inside Kubernetes.
az login --service-principal -u $APP_ID -p $PASSWORD -t $TENANT
This statement is more important if you don't have an existing cluster context in your ~/.kube/config file:
az aks get-credentials --resource-group $RG_AKS --name $CLUSTER_NAME --overwrite-existing --file .kubeconfig-${CLUSTER_NAME}
Merged "my-aks-cluster-name" as current context in .kubeconfig-my-aks-cluster-name
Use kubelogin instead of az aks get-credentials ....
export KUBECONFIG=$(pwd)/.kubeconfig-${CLUSTER_NAME}
kubelogin convert-kubeconfig -l spn
export AAD_SERVICE_PRINCIPAL_CLIENT_ID=$APP_ID
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=$PASSWORD
Now you can run kubectl without device authentication
kubectl get pods -n $NAMESPACE
NAME READY STATUS RESTARTS AGE
myapp-be-7c8cf7d8b9-gnj2t 1/1 Running 0 103m
myapp-cms-65fd6df9c-z7752 1/1 Running 0 14m
myapp-fe-5dbcdd8d9c-fzxgh 1/1 Running 0 52m
You can use the admin profile, which doesn't require interactive login but unfortunately bypasses any RBAC controls you may have set up.
Vote here: https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks/suggestions/35146387-support-non-interactive-login-for-aad-integrated-c
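A pre-flight check a pipeline could run before its first kubectl call, covering both answers above: it confirms the kubeconfig goes through kubelogin in spn mode with no secret written into the file, and rejects a kubeconfig that carries a static client certificate. This is an added example, not code from either answer or from the kubelogin project; the function name audit_kubeconfig is hypothetical, the sample files are constructed, and it assumes an admin-profile kubeconfig is recognizable by its client-certificate-data / client-key-data entries.

```shell
#!/bin/sh
# Added example, not from the answers: gate to run before the first kubectl call.
# Assumes the block-style YAML az/kubelogin write (one exec argument per line).
audit_kubeconfig() {
  kc=$1; bad=0
  # kubelogin must be the exec credential plugin, or kubectl never asks Azure AD.
  grep -Eq '^[[:space:]]*command:[[:space:]]*([^[:space:]]*/)?kubelogin[[:space:]]*$' "$kc" ||
    { echo "FAIL: kubelogin is not the exec plugin"; bad=1; }
  # The argument after --login / -l must be spn (non-interactive login).
  mode=$(awk 'want { print $2; exit }
              $1 == "-" && ($2 == "--login" || $2 == "-l") { want = 1 }' "$kc")
  [ "$mode" = "spn" ] || { echo "FAIL: login mode '${mode:-unset}', expected spn"; bad=1; }
  # The secret belongs in AAD_SERVICE_PRINCIPAL_CLIENT_SECRET, not in the file.
  if grep -q -e '--client-secret' "$kc"; then
    echo "FAIL: client secret stored in kubeconfig"; bad=1
  fi
  # Assumption: a static client certificate marks an admin-style credential.
  if grep -Eq '^[[:space:]]*client-(certificate|key)-data:' "$kc"; then
    echo "FAIL: static client certificate in kubeconfig"; bad=1
  fi
  return "$bad"
}

# Constructed sample files (placeholder values, no real credentials).
demo_dir=$(mktemp -d)
cat > "$demo_dir/spn" <<'EOF'
users:
- name: clusterUser_example
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --login
      - spn
      command: kubelogin
EOF
cat > "$demo_dir/admin" <<'EOF'
users:
- name: clusterAdmin_example
  user:
    client-certificate-data: Q09OU1RSVUNURUQ=
    client-key-data: Q09OU1RSVUNURUQ=
EOF
audit_kubeconfig "$demo_dir/spn" && echo "spn kubeconfig: ok"
audit_kubeconfig "$demo_dir/admin" || echo "admin kubeconfig: rejected"
rm -rf "$demo_dir"
```

In a pipeline, call `audit_kubeconfig "$KUBECONFIG" || exit 1` right after the convert-kubeconfig step.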