Azure DevOps Pipelines authentication to AKS with Azure AD RBAC configured?

Problem description

We have configured our Azure Kubernetes Clusters to use Azure Active Directory RBAC. This means when using kubectl we need to first authenticate as an AD user (usually done through manually completing device code authentication via the web browser). We have configured this almost exactly as per the MSDN article Integrate Azure Active Directory with Azure Kubernetes Service.

The issue is that this authentication is now also required for Kubernetes build/release tasks in Azure DevOps Pipelines, for example when we run kubectl apply:

2019-01-02T08:48:21.2070286Z ##[section]Starting: kubectl apply
2019-01-02T08:48:21.2074936Z ==============================================================================
2019-01-02T08:48:21.2075160Z Task         : Deploy to Kubernetes
2019-01-02T08:48:21.2075398Z Description  : Deploy, configure, update your Kubernetes cluster in Azure Container Service by running kubectl commands.
2019-01-02T08:48:21.2075625Z Version      : 1.1.17
2019-01-02T08:48:21.2075792Z Author       : Microsoft Corporation
2019-01-02T08:48:21.2076009Z Help         : [More Information](https://go.microsoft.com/fwlink/?linkid=851275)
2019-01-02T08:48:21.2076245Z ==============================================================================
2019-01-02T08:48:25.7971481Z Found tool in cache: kubectl 1.7.0 x64
2019-01-02T08:48:25.7980222Z Prepending PATH environment variable with directory: C:agentsHephaestusForge\_work\_toolkubectl1.7.0x64
2019-01-02T08:48:25.8666111Z [command]C:agentsHephaestusForge\_work\_toolkubectl1.7.0x64kubectl.exe apply -f C:agentsHephaestusForge\_work
8a\_MyProjectkubernetesdeploy.yaml -o json
2019-01-02T08:48:26.3518703Z To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CUYYYYYVV to authenticate.

What is a workaround for this? Is it possible to have Azure DevOps authenticate itself as a server client instead of an AD client?

Recommended answer

You can use the admin profile, which doesn't require interactive login but unfortunately bypasses any RBAC controls you may have set up.

Vote here: https://feedback.azure.com/forums/914020-azure-kubernetes-service-aks/suggestions/35146387-support-non-interactive-login-for-aad-integrated-c
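
An added example, not part of the original answer: because the admin profile bypasses RBAC, a pipeline step can audit which kind of credential its kubeconfig will use before running kubectl. It assumes the admin profile stores a static client certificate or token while the Azure AD profile uses an `auth-provider` or `exec` entry; all names and values in the sample are constructed.

```python
import json

# Constructed sample, shaped like `kubectl config view --raw -o json` output.
# User names, context names and credential values are placeholders.
SAMPLE_KUBECONFIG = json.dumps({
    "users": [
        {"name": "example-admin-profile",
         "user": {"client-certificate-data": "PLACEHOLDER",
                  "client-key-data": "PLACEHOLDER"}},
        {"name": "example-aad-user",
         "user": {"auth-provider": {"name": "azure", "config": {}}}},
        {"name": "example-token-user", "user": {"token": "PLACEHOLDER"}},
    ],
    "contexts": [
        {"name": "admin-ctx",
         "context": {"cluster": "c", "user": "example-admin-profile"}},
        {"name": "aad-ctx",
         "context": {"cluster": "c", "user": "example-aad-user"}},
    ],
    "current-context": "admin-ctx",
})

# Standard kubeconfig user fields, grouped by how the credential is obtained.
STATIC_KEYS = ("client-certificate-data", "client-certificate",
               "token", "tokenFile", "username")
DELEGATED_KEYS = ("auth-provider", "exec")


def classify_user(entry):
    """Return 'delegated', 'static' or 'unknown' for one kubeconfig user."""
    fields = entry.get("user") or {}
    if any(k in fields for k in DELEGATED_KEYS):
        return "delegated"  # an identity provider issues the token; may prompt
    if any(k in fields for k in STATIC_KEYS):
        return "static"     # secret stored in the file; never prompts
    return "unknown"


def audit(kubeconfig_json):
    """Classify every user and flag a current context backed by a static credential."""
    cfg = json.loads(kubeconfig_json)
    classes = {u["name"]: classify_user(u) for u in cfg.get("users") or []}
    ctx_user = {c["name"]: c["context"]["user"] for c in cfg.get("contexts") or []}
    current = ctx_user.get(cfg.get("current-context"))
    return {"users": classes, "current_user": current,
            "current_is_static": classes.get(current) == "static"}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_KUBECONFIG), indent=2))
```

A pipeline gate could fail the job when `current_is_static` is true for a cluster where per-user RBAC is expected to apply.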
