
Can't get kubelogin to work with MSI #35

Closed
alecor191 opened this issue Aug 29, 2020 · 3 comments

Comments

@alecor191

I would like to run kubectl commands using a user-assigned managed identity against an AKS cluster.

What I did

I have created a user-assigned managed identity (az identity create) that I would like to use to call kubectl commands against my AKS cluster (set up with Managed ID and managed AAD enabled; cluster version is 1.18.6). Here are the steps I did to get the kubeconfig file updated using kubelogin:

az aks get-credentials ...  # create a kubeconfig file with my user's info

kubelogin convert-kubeconfig -l msi --client-id <clientid-of-my-managed-identity>

kubectl get pods  # This fails (see below)

The kubeconfig file looks as follows after running kubelogin:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <cert-blob>
    server: https://mycluster.hcp.westeurope.azmk8s.io:443
  name: mycluster
contexts:
- context:
    cluster: mycluster
    user: clusterUser_myresourcegroup_mycluster
  name: mycluster
current-context: mycluster
kind: Config
preferences: {}
users:
- name: clusterUser_myresourcegroup_mycluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --server-id
      - <...>
      - --client-id
      - <clientid-of-my-managed-identity>
      - --login
      - msi
      command: kubelogin
      env: null

Actual Result

When running the kubectl get pods command, nothing happens for several seconds and then the following output is printed to the console:

Error: failed to get token: adal: Failed to execute the refresh request. Error = 'Get http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=<...>&resource=<...>: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'
Unable to connect to the server: getting credentials: exec: executable kubelogin failed with exit code 1

I also tried to assign the MSI the following roles:

  • Azure Kubernetes Service Cluster User Role (AKS role)
  • cluster-admin role in the cluster, as described in the kubelogin README.md

Expected Result

The kubectl command executes successfully.

Any suggestions as to what I'm missing? It would be great if you could point me to an E2E sample.

@alecor191 alecor191 reopened this Aug 29, 2020
@gr4b4z

gr4b4z commented Aug 29, 2020

Can you call curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true?
Does it return a token? If not, probably the VM you are using doesn't have managed identity enabled.

@weinong
Contributor

weinong commented Aug 31, 2020

As @gr4b4z mentioned, please try to curl the IMDS endpoint from within the VM. If that doesn't work, your VM probably doesn't have MSI attached.
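A small probe that automates the IMDS check gr4b4z and weinong suggest, as an added example that is not part of kubelogin or this thread. It assumes the identity's client ID is passed on the command line and uses the Azure Resource Manager resource URI in place of the redacted AKS server ID from the kubeconfig; it reports only token metadata, never the token itself.

```python
"""Probe the Azure IMDS token endpoint that kubelogin's `--login msi` calls.
Added example for this issue, not kubelogin's own code. Resource defaults to
Azure Resource Manager because the AKS server ID in the kubeconfig is redacted.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def classify(status, body):
    """Map one IMDS probe outcome to a diagnosis. status is None when no HTTP
    exchange happened (the 'unreachable network' case quoted in the issue)."""
    if status is None:
        # No route to 169.254.169.254: not on an Azure VM, or IMDS is blocked.
        return "imds-unreachable"
    if status == 200:
        try:
            token = json.loads(body)
        except ValueError:
            return "imds-bad-json"
        # Report metadata only; never echo the access token itself.
        return "ok resource=%s expires_on=%s" % (token.get("resource"), token.get("expires_on"))
    if status == 400 and "Identity not found" in body:
        # IMDS answers this way when client_id is not an identity assigned to this VM.
        return "identity-not-assigned-to-vm"
    return "imds-error-%s" % status

def probe(client_id, resource, timeout=3.0):
    """Call IMDS with the mandatory Metadata:true header and classify the result."""
    query = "api-version=2018-02-01&client_id=%s&resource=%s" % (
        quote(client_id), quote(resource, safe=""))
    req = urllib.request.Request(IMDS_URL + "?" + query, headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read().decode())
    except urllib.error.HTTPError as e:  # 4xx/5xx responses still carry a JSON body
        return classify(e.code, e.read().decode())
    except OSError as e:  # URLError, timeouts, unreachable network
        return classify(None, str(e))

if __name__ == "__main__":
    cid = sys.argv[1] if len(sys.argv) > 1 else "<clientid-of-my-managed-identity>"
    print(probe(cid, "https://management.azure.com/"))
```

Run it on the VM that runs kubectl; "imds-unreachable" matches the connectex error in this issue, while "identity-not-assigned-to-vm" means IMDS is reachable but the user-assigned identity is not attached to that VM.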

@alecor191
Author

Thanks all! There was indeed an issue with MSI on my VM.
