So we have our own ssh key pair (mykey.pub / mykey). User A creates a cluster using:
az aks create --resource-group XXX --name zzz --ssh-key-value c:\mykey.pub
Now user A can access the cluster using:
az aks get-credentials
Now what if user B wants to access the cluster? There is no --ssh-key-file parameter like acs - where do I need to copy the keys for az aks get-credentials to work?
Thx -
One way to have User B access the cluster is to add User B to your Azure Subscription. Once added, User B can access the cluster in a similar manner by using
az aks get-credentials -n "Name of the cluster" -g "Name of the Resourcegroup"
So the ssh key is only used to create the cluster and then it can be thrown away?
You are right, in Azure AKS, the ssh key is just used to create AKS nodes and to ssh to them.
In Azure ACS, we need to use the ssh key to access the k8s master VM to download credentials to your local PC.
az acs kubernetes get-credentials --resource-group=<cluster-resource-group> --name=<cluster-name>
This command downloads the cluster credentials to $HOME/.kube/config, the same as using scp to securely copy the file from $HOME/.kube/config on the master VM to your local machine. Like this:
mkdir $HOME/.kube
scp azureuser@<master-dns-name>:.kube/config $HOME/.kube/config
AKS is managed by the Azure platform; the get-credentials command just GETs credentials from Azure, via an API call like this:
GET https://management.azure.com/subscriptions/<your-subscription>/resourceGroups/<your-resource-group>/providers/Microsoft.ContainerService/managedClusters/<aks-name>/accessProfiles/clusterUser?api-version=2017-08-31
Use an Azure AD token to get those credentials, so in AKS, we can get credentials without an SSH key.
By the way, you can use this command to find out how it works:
az aks get-credentials --resource-group <resource-group> --name <cluster-name> --debug
Also, if you want to allow other members to SSH to AKS nodes, you should send your ssh keys to them :)
Hope this helps.
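What the accessProfiles/clusterUser call described in the answer above hands back, as an added example that is not part of the original posts: it decodes the kubeconfig from a constructed response and lists the credential fields it carries. The base64 properties.kubeConfig field shape, the function name and every sample value are assumptions made for illustration.

```python
import base64
import json
import re

# Constructed kubeconfig with placeholder values (not real credentials).
SAMPLE_KUBECONFIG = """\
apiVersion: v1
kind: Config
clusters:
- name: zzz
  cluster:
    server: https://zzz-example.invalid:443
users:
- name: clusterUser_XXX_zzz
  user:
    client-certificate-data: PLACEHOLDER_CERT_B64
    client-key-data: PLACEHOLDER_KEY_B64
    token: PLACEHOLDER_TOKEN
"""
# Constructed response body; the properties.kubeConfig field is an assumption.
SAMPLE_RESPONSE = json.dumps({"name": "clusterUser", "properties": {
    "kubeConfig": base64.b64encode(SAMPLE_KUBECONFIG.encode()).decode()}})

SECRET_KEYS = ("client-certificate-data", "client-key-data", "token", "password")
FIELD = re.compile(r"^\s*(?:-\s*)?([A-Za-z-]+):\s*(.*)$")
SSH_MATERIAL = re.compile(r"ssh-(rsa|ed25519)|OPENSSH PRIVATE KEY")


def audit_access_profile(body: str) -> dict:
    """Decode the kubeconfig in the response and list the credentials it holds."""
    raw = json.loads(body)["properties"]["kubeConfig"]
    kubeconfig = base64.b64decode(raw).decode("utf-8")
    report = {"server": None, "user": None, "secrets": [],
              "ssh_key_material": bool(SSH_MATERIAL.search(kubeconfig))}
    section = None
    for line in kubeconfig.splitlines():
        match = FIELD.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if line[0].isalpha():            # top-level key such as "users:"
            section = key
        elif key == "server":
            report["server"] = value
        elif key == "name" and section == "users":
            report["user"] = value
        elif key in SECRET_KEYS and value:
            report["secrets"].append(key)
    return report
```

On the constructed input the report lists a client certificate, a client key and a token, and no SSH key material, so the downloaded file itself is what needs protecting on each user's machine.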