Kubazulo K8stooling
winget install --id=K8stooling.Kubazulo -e
Kubernetes Authentication Tool
Kubazulo is a Kubernetes Authentication Tool designed to implement Azure Active Directory (Azure AD) authentication seamlessly into the Kubernetes API-Server communication process. It functions as an exec plugin within the kubeconfig file, enabling secure and efficient access management.
Key Features:
- Authentication Support: Kubazulo supports both standalone and intermediate authentication flows, providing flexibility in different deployment scenarios.
- Integration with kubectl: It integrates smoothly with kubectl, allowing users to authenticate using Azure AD credentials directly within their Kubernetes workflows.
- Logging Capabilities: The tool provides detailed logging for troubleshooting and monitoring purposes, stored in the $HOME/.kube/kubazulo/application.log file.
- Configuration Flexibility: Kubazulo offers multiple configuration options, including customization of login modes, callback ports, and token endpoints, ensuring adaptability to various environments.
- Cross-Platform Compatibility: It works across different operating systems, making it versatile for diverse infrastructure setups.
Audience & Benefits: Kubazulo is ideal for organizations leveraging Azure AD as their identity provider. It simplifies the authentication process for Kubernetes clusters by eliminating the need for additional infrastructure or complex setup steps, enhancing security and operational efficiency. Users benefit from a seamless integration with existing Azure AD configurations, enabling secure access to Kubernetes resources without compromising on performance.
Kubazulo can be installed via winget, ensuring easy deployment across supported environments.
README
kubazulo
Kubeconfig Authentication Helper for the Kubernetes API-Server in conjunction with kubectl
Description
kubazulo is a client-go credential (exec) plugin implementing Azure authentication. It plugs seamlessly into the process of communicating with the Kubernetes API-Server.
For this the kubeconfig needs to be adapted.
Setup the k8s OIDC Provider
kubazulo can be used to authenticate to general Kubernetes clusters using Azure Active Directory as an OIDC provider.
- Create an AAD Enterprise Application and the corresponding App Registration. Check the "Allow public client flows" checkbox. Configure groups to be included in the response. Take note of the directory (tenant) ID as $AAD_TENANT_ID and the application (client) ID as $AAD_CLIENT_ID.
- Configure the API server with the following flags:
  - Issuer URL: --oidc-issuer-url=https://sts.windows.net/$AAD_TENANT_ID/
  - Client ID: --oidc-client-id=$AAD_CLIENT_ID
  - Username claim: --oidc-username-claim=upn
  - Group claim: --oidc-groups-claim=groups
> See the Kubernetes docs for optional flags.
- Configure the Exec plugin with kubelogin to use the application from the first step:
Configure for Standalone Flow (Default)
```shell
kubectl config set-credentials "kubazulo-azuread" \
  --exec-api-version=client.authentication.k8s.io/v1 \
  --exec-command=kubazulo \
  --exec-arg=get-token \
  --exec-arg=--client-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--tenant-id \
  --exec-arg=$AAD_TENANT_ID
```
Configure for Intermediate Flow (Advanced)
```shell
kubectl config set-credentials "kubazulo-azuread" \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubazulo \
  --exec-arg=get-token \
  --exec-arg=--client-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--tenant-id \
  --exec-arg=$AAD_TENANT_ID \
  --exec-arg=--loginmode \
  --exec-arg=interactive \
  --exec-arg=--intermediate \
  --exec-arg=true \
  --exec-arg=--api-token-endpoint \
  --exec-arg=$APIGW_ENDPOINT
```
> Please DON'T FORGET to set the OS environment variables ($AAD_CLIENT_ID, $AAD_TENANT_ID and, for the intermediate flow, $APIGW_ENDPOINT) before running these commands.
- Use this credential to connect to the cluster (the `kubectl config set-context` / `use-context` commands are listed at the end of this README).
Command Argument
- get-token
Command Flags (get-token)
| Parameter | Description | Mandatory | Choices | Default |
|---|---|---|---|---|
| --client-id | Azure Application (client) ID | yes | n/a | n/a |
| --tenant-id | Azure Tenant ID | yes | n/a | n/a |
| --force-login | Re-use of browser session data | no | true, false | false |
| --loopbackport | Customize the local callback listener port | no | n/a | 58433 |
| --loginmode | Set the authentication flow mode | no | interactive, devicecode | interactive |
| --intermediate | Use an alternative token-fetching endpoint (intermediate flow) | no | true, false | false |
| --api-token-endpoint | Endpoint from which the token is fetched (used with --intermediate) | no | n/a | n/a |
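The exec stanza that `kubectl config set-credentials` writes (both flows above) must agree with the flags table and with the API-server OIDC flags. The following added example, not part of kubazulo, checks such a stanza for the mandatory flags, the intermediate-flow endpoint requirement and the matching `--oidc-issuer-url`; the sample IDs and endpoint are constructed placeholders.

```python
"""Consistency check of a kubazulo exec stanza in kubeconfig (added example, not kubazulo code)."""
from urllib.parse import urlparse
# Constructed sample of what `kubectl config set-credentials` (Intermediate Flow) writes; IDs are placeholders.
SAMPLE_USER = {"name": "kubazulo-azuread", "user": {"exec": {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "command": "kubazulo",
    "args": ["get-token",
             "--client-id", "11111111-2222-3333-4444-555555555555",
             "--tenant-id", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
             "--loginmode", "interactive", "--intermediate", "true",
             "--api-token-endpoint", "https://apigw.example.invalid/token"]}}}

def parse_args(args):
    """Split ['get-token', '--flag', 'value', ...] into {flag: value}."""
    if not args or args[0] != "get-token":
        raise ValueError("first exec arg must be the get-token subcommand")
    flags, it = {}, iter(args[1:])
    for flag in it:
        if not flag.startswith("--"):
            raise ValueError(f"unexpected positional argument: {flag}")
        flags[flag] = next(it, None)
    return flags

def check_exec_user(user_entry):
    """Return a list of findings; an empty list means the stanza is consistent with the docs."""
    exec_cfg = user_entry.get("user", {}).get("exec") or {}
    findings = []
    if exec_cfg.get("apiVersion") not in ("client.authentication.k8s.io/v1", "client.authentication.k8s.io/v1beta1"):
        findings.append("exec.apiVersion is not a client.authentication.k8s.io version")
    if exec_cfg.get("command") != "kubazulo":
        findings.append("exec.command is not kubazulo")
    try:
        flags = parse_args(exec_cfg.get("args", []))
    except ValueError as err:
        return findings + [str(err)]
    for required in ("--client-id", "--tenant-id"):  # mandatory per the flags table
        if not flags.get(required):
            findings.append(f"{required} is mandatory but missing")
    if flags.get("--intermediate", "false") == "true":  # intermediate flow fetches the token elsewhere
        endpoint = flags.get("--api-token-endpoint")
        if not endpoint:
            findings.append("--intermediate true requires --api-token-endpoint")
        elif urlparse(endpoint).scheme != "https":
            findings.append("--api-token-endpoint must be https: the bearer token is fetched over it")
    return findings

def expected_issuer(user_entry):  # the --oidc-issuer-url the API server needs for this tenant
    tenant = parse_args(user_entry["user"]["exec"]["args"])["--tenant-id"]
    return f"https://sts.windows.net/{tenant}/"
```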
Logging
kubazulo also logs the operations it performs to the following file:
`$HOME/.kube/kubazulo/application.log`
References
kubectl Command Installation: https://kubernetes.io/docs/tasks/tools/
Use the kubazulo-azuread credential in a context and switch to it:
```shell
kubectl config set-context "$CLUSTER_NAME" --cluster="$CLUSTER_NAME" --user=kubazulo-azuread
kubectl config use-context "$CLUSTER_NAME"
```