Hi!
Since August 2021, it’s now possible to scan the vulnerabilities of your Azure Container Registries protected with an Azure Private Link with « Azure Defender for Container Registries ».
Few months ago, I have written an article (in French) to explain you how you can enable « Azure Defender for Container Registries »: Azure Container Registry | Scanner vos images de containers
Maxime.
Hi!
Today when you need to access a private cluster, you must do so within the cluster virtual network or a peered network or client machine. This usually requires your machine to be connected via VPN or Express Route to the cluster virtual network or a jumpbox to be created in the cluster virtual network.
AKS run command allows you to remotely invoke commands in an AKS cluster through the AKS API. This feature provides an API that allows you to, for example, execute just-in-time commands from a remote laptop for a private cluster. This can greatly assist with quick just-in-time access to a private cluster when the client machine is not on the cluster private network while still retaining and enforcing the same RBAC controls and private API server.
az feature register --namespace "Microsoft.ContainerService" --name "RunCommandPreview"
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/RunCommandPreview')].{Name:name,State:properties.state}"
az provider register --namespace Microsoft.ContainerService
az aks command invoke -g <resourceGroup> -n <clusterName> -c "kubectl get pods -n kube-system"
Maxime.
Hi!
Kubelogin is a client-go credential plugin that implements Azure AD authentication. Kubernetes and its CLI, kubectl, are written in Go and client-go is a package or library that allows you to talk to Kubernetes from the Go language. Client-go supports credentials plugins to integrate with authentication protocols that are not supported by default by kubectl.
Even with an AAD managed AKS cluster, kubelogin allows us to do non-interactive login using a Service Principal or in the latest release — even using the Azure CLI token making it really ideal to use in CI/CD scenarios.
Create a service principal or use an existing one.
az ad sp create-for-rbac --skip-assignment --name myAKSAutomationServicePrincipal
The output is similar to the following example.
{
"appId": "<spn client id>",
"displayName": "myAKSAutomationServicePrincipal",
"name": "http://myAKSAutomationServicePrincipal",
"password": "<spn secret>",
"tenant": "<aad tenant id>"
}
Query your service principal AAD Object ID by using the command below.
az ad sp show --id <spn client id> --query "objectId"
To configure the role binding on Azure Kubernetes Service, the user in rolebinding should be the AAD Object ID.
For example,
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: sp-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: <service-principal-object-id>
Use Kubelogin to convert your kubeconfig
export KUBECONFIG=/path/to/kubeconfig kubelogin convert-kubeconfig -l spn export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn client id> export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<spn secret> kubectl get nodes
https://github.com/Azure/kubelogin
Maxime.