Skip to content

licenseware/azcli-aks

BranchesTags

Repository files navigation

Table of Contents generated with DocToc

AZ CLI for AKS

ghcr-size ghcr-tags

This Docker image allows for a disposable container to run kubectl commands against an AKS cluster. The image is based on the official mcr.microsoft.com/azure-cli image.

Service Principal Creation

If you want to see the TF code that created the Service Principal, expand the details below.

Expand for details 
data "azuread_client_config" "current" {}

data "azurerm_kubernetes_cluster" "this" {
  name                = "my-aks-cluster"
  resource_group_name = "my-rg"
}


resource "azuread_application" "this" {
  display_name = "my-aks-app"
  owners       = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal" "this" {
  app_role_assignment_required = false
  client_id                    = azuread_application.this.client_id
  owners                       = [data.azuread_client_config.current.object_id]
}

resource "time_rotating" "this" {
  rotation_days = 7
}

resource "azuread_service_principal_password" "this" {
  service_principal_id = azuread_service_principal.this.object_id
  rotate_when_changed = {
    rotation = time_rotating.this.id
  }
}

resource "azurerm_role_assignment" "aks_rbac" {
  principal_id         = azuread_service_principal.this.object_id
  role_definition_name = "Azure Kubernetes Service Cluster User Role"
  scope                = data.azurerm_kubernetes_cluster.this.id
}

output "client_id" {
  value = azuread_service_principal.this.client_id
}

output "client_secret" {
  value     = azuread_service_principal_password.this.value
  sensitive = true
}

Usage

# entrypoint.sh
export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export ARM_CLIENT_SECRET="12345678-0000-0000-0000-000000000000"
export ARM_TENANT_ID="10000000-0000-0000-0000-000000000000"
export ARM_SUBSCRIPTION_ID="20000000-0000-0000-0000-000000000000"

export AKS_CLUSTER_NAME=something
export AKS_RESOURCE_GROUP_NAME=something-else

az login --service-principal \
  -u "${ARM_CLIENT_ID}" \
  -p "${ARM_CLIENT_SECRET}" \
  --tenant ${ARM_TENANT_ID}
az aks get-credentials \
  --name ${AKS_CLUSTER_NAME} \
  --resource-group ${AKS_RESOURCE_GROUP_NAME}
az account set --subscription ${ARM_SUBSCRIPTION_ID}

kubelogin convert-kubeconfig \
  --context ${AKS_CLUSTER_NAME} \
  --client-id "${ARM_CLIENT_ID}" \
  --tenant-id "${ARM_TENANT_ID}" \
  --client-secret "${ARM_CLIENT_SECRET}" \
  -l spn # <-- service principal


# This requires sufficient Kubernetes RBAC
kubectl get pods
docker run --rm \
  --name azcli \
  -v $(pwd):/app:ro \
  ghcr.io/licenseware/azcli-aks:2.57.0 \
  bash -eux /app/entrypoint.sh

FAQ

Why not use the azure-cli docker image instead?

It does not have the kubelogin installed, which is the authenticator extension that allows for all the kubectl commands to work.

Beside the official AZ CLI image doesn't have kubectl installed. This image has both.

About

AZ CLI & kubectl both in one Docker image. Disposable and reusable deployment tool.

Topics

docker deployment continuous-delivery azure continuous-deployment azure-cli pod kubectl aks azure-aks az-cli

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

5 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases 4

v2.60.0 Latest
Nov 11, 2024
+ 3 releases

Packages

 
 
 

Contributors 5

Languages