My requirement here is very simple: I provisioned an AKS cluster and I would like to deploy services to this cluster dynamically through the master node's REST API, using a bearer token generated with a service principal's credentials.
I cannot seem to find any example of this. All the tutorials end at the kubectl level, which is useless for what I need.
This in theory should be doable; any help is welcomed.
NOTE: The application I would like to provision from is written in Python and is running outside of the cluster.
Service Principal:
{
  "appId": "0c6f1e71-b6fe-4187-8de6-3f84a419c0db",
  "displayName": "deployer",
  "name": "http://deployer",
  "password": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx",
  "tenant": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx"
}
Service Account:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: alice-cluster-admin
  namespace: default
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: 2210df5a-94d5-489f-9c6f-0d9d71bef61a
Python Request For Token:
import requests

# The Azure AD token endpoint only accepts POST for the client_credentials grant.
print(
    requests.post(
        url="https://login.microsoftonline.com/sometenantname.onmicrosoft.com/oauth2/token",
        data={
            'grant_type': 'client_credentials',
            'client_id': '2210df5a-94d5-489f-9c6f-0d9d71bef61a',
            'client_secret': 'xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx',
            'resource': 'https://graph.microsoft.com'
        }
    ).content
)
The returned token produces a 401 error on the Kube API when requests are made:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}
Found a solution that will allow authentication while using RBAC capabilities: RBAC Tokens.
This solution allows you to create a token and use that token through the cluster's RESTful API.
To obtain the bearer token of a service account, one way is to generate its kubeconfig file.
You can use the view_serviceaccount_kubeconfig plugin for kubectl (installed via krew, for instance).
To generate the kubeconfig file for the service account foo in the bar namespace:
> kubectl view_serviceaccount_kubeconfig --namespace bar foo
Then you can get the token from the token field of the command's output.
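Putting that kubeconfig to use from outside the cluster, as an added example that is not part of the original answer: the script reads the server, CA bundle and token out of a constructed kubeconfig (written in JSON form, which is valid YAML, so no YAML parser is needed) and builds a bearer-authenticated POST to the apps/v1 Deployments endpoint, pinning the cluster CA rather than disabling TLS verification. The server name, CA data and token are placeholders, not real values.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample kubeconfig for service account "foo" in namespace "bar".
# CA data and token are placeholders; a real kubeconfig carries the cluster CA and a real token.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "aks", "cluster": {
        "server": "https://aks-example.hcp.westeurope.azmk8s.io:443",
        "certificate-authority-data": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode()}}],
    "users": [{"name": "foo", "user": {"token": "PLACEHOLDER-SA-TOKEN"}}],
    "contexts": [{"name": "foo@aks", "context": {"cluster": "aks", "user": "foo", "namespace": "bar"}}],
    "current-context": "foo@aks",
})


def load_kubeconfig(text):
    """Resolve the current-context of a kubeconfig to (server, ca_pem, token, namespace)."""
    cfg = json.loads(text)
    ctx = next(c["context"] for c in cfg["contexts"] if c["name"] == cfg["current-context"])
    cluster = next(c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])
    ca_pem = base64.b64decode(cluster["certificate-authority-data"]).decode()
    return cluster["server"], ca_pem, user["token"], ctx.get("namespace", "default")


def build_request(server, token, namespace, deployment):
    """Build the POST that creates a Deployment through the apps/v1 REST endpoint."""
    url = f"{server}/apis/apps/v1/namespaces/{namespace}/deployments"
    req = urllib.request.Request(url, data=json.dumps(deployment).encode(), method="POST")
    req.add_header("Authorization", f"Bearer {token}")  # the service account token
    req.add_header("Content-Type", "application/json")
    return req


def deploy(kubeconfig_text, deployment):
    """Create the Deployment; TLS is verified against the CA from the kubeconfig."""
    server, ca_pem, token, ns = load_kubeconfig(kubeconfig_text)
    tls = ssl.create_default_context(cadata=ca_pem)
    with urllib.request.urlopen(build_request(server, token, ns, deployment), context=tls) as resp:
        return json.load(resp)  # the created Deployment object, or an HTTPError on 401/403
```

With a real kubeconfig, a 403 instead of a 401 means the token was accepted but the service account's RoleBinding does not allow creating Deployments in that namespace.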
The master nodes of AKS are managed by Microsoft and you cannot access them to deploy anything there. You can only use the Kubernetes API exposed by those master nodes to deploy workloads (pods etc.) onto the worker nodes.
You should use Azure AD (which provides the bearer token), not Azure service principals, for interacting with the AKS cluster's Kubernetes API server using kubectl. Check the docs here.
After you do this, use any kubectl command, e.g. kubectl get pods --v=10 | grep -i bearer
which would give you the bearer token. Now you can call the Kubernetes REST APIs using the same token.