I am using kubectl to control Kubernetes Service on Azure (scaling, getting pod status). Is it safe to call kubectl automatically in a script on production and not worry that the credentials will expire?
This is what I did once on the production server (required manual login via web page) (OS is Windows Server 2016):
az login
az account set --subscription="S"
az aks get-credentials --resource-group R --name C
This is what is being run in a script/application:
kubectl get pods
Can I be sure the last call will just work from now on (and will not require manual login on a Sunday night)?
az aks get-credentials basically generates a Kubernetes config file for you in ~/.kube/config which includes cluster information and a client certificate to access the Kubernetes API server. kubectl uses this configuration file by default.
You can also use a different config file location. If your script has access to this config file, it should just work.
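Added example, not part of the original answers: a PowerShell check (the question's host is Windows Server 2016) that reads the kubeconfig described above and reports when the embedded client certificate expires, so a scheduled job can alert before an expired certificate breaks the script. It assumes the certificate is embedded as `client-certificate-data`; the function name, parameters and 30-day threshold are hypothetical.

```powershell
# Added example (not from the original post). Assumes the kubeconfig embeds the
# client certificate as base64 under 'client-certificate-data'.
param(
    [string]$KubeConfig = (Join-Path $env:USERPROFILE '.kube\config'),
    [int]$WarnDays = 30   # hypothetical alert threshold
)

function Get-KubeClientCertExpiry {
    param([Parameter(Mandatory)][string]$Path)

    $results = @()
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*client-certificate-data:\s*(\S+)\s*$') {
            # The value is base64 wrapping a PEM certificate; decode the outer
            # layer and let X509Certificate2 parse the PEM bytes.
            $pemBytes = [Convert]::FromBase64String($Matches[1])
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$pemBytes)
            $results += [pscustomobject]@{
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
                DaysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            }
        }
    }
    if ($results.Count -eq 0) {
        # Nothing to check: this kubeconfig has no embedded client certificate.
        throw "No client-certificate-data entry found in $Path"
    }
    return $results
}

$certs = Get-KubeClientCertExpiry -Path $KubeConfig
$certs | Format-Table -AutoSize

# A non-zero exit code lets Task Scheduler or a monitoring agent raise an alert.
if ($certs | Where-Object { $_.DaysLeft -lt $WarnDays }) {
    Write-Warning "A client certificate in $KubeConfig expires in under $WarnDays days."
    exit 1
}
exit 0
```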
Find recommendations below.
To control the Azure Kubernetes service, you need permission to perform the actions. So the core of safety is permission. You can use the service principal with the right permission you need without interaction. So the az login could be changed into this:
az login --service-principal -u service_principal_app_id -p service_principal_secret
To get the credentials to access the cluster, there are two permissions:
Azure Kubernetes Service Cluster Admin Role or Azure Kubernetes Service Cluster User Role
You can get more details here and decide which to use. You can set the expiry date for the service principal; take a look at another issue.