Can we add a new user in AKS nodes (in an existing cluster) and set a password?

Vignesh Murugan 126 Reputation points
2021-09-14T07:04:53.163+00:00

Hi all,

We are trying to create a user (non-root) in AKS nodes and trying to set a password. But we are getting a permission denied error while setting the password. Could you please assist us with this?

131789-image.png

Azure Kubernetes Service

1 answer

  1. SRIJIT-BOSE-MSFT 4,346 Reputation points Microsoft Employee
    2021-09-15T16:26:21.627+00:00

    @Vignesh Murugan, thank you for sharing your concern. While we are investigating the possibility of using passwd on AKS nodes, here are two workarounds as of now:

    1. You can add the sha512 encrypted password manually to the /etc/shadow file.
      i. You can get the sha512 encrypted password using openssl passwd -6 -stdin, then type/paste your password, then ENTER, then Ctrl+D ("end of file"). No password will be seen in the process list and no password will be saved into shell history.
      ii. You can now copy the encrypted text.
      • Edit the /etc/shadow file as follows:
        • Go to the line that says something like demo:!:xxxxxx:x:xx:xx:xx::
        • Replace only the ! symbol with the copied encrypted text.

    2. If the AKS node pool is of type VirtualMachineScaleSets then:

          CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group <Resource-Group-Name> --name <Cluster-Name> --query nodeResourceGroup -o tsv)
          SCALE_SET_NAME=$(az vmss list --resource-group "$CLUSTER_RESOURCE_GROUP" --query '[0].name' -o tsv)
          az vmss extension set \
            --resource-group "$CLUSTER_RESOURCE_GROUP" \
            --vmss-name "$SCALE_SET_NAME" \
            --name VMAccessForLinux \
            --publisher Microsoft.OSTCExtensions \
            --version 1.4 \
            --protected-settings "{\"username\":\"demo\", \"password\":\"Your-Password\"}"
          az vmss update-instances --instance-ids '*' \
            --resource-group "$CLUSTER_RESOURCE_GROUP" \
            --name "$SCALE_SET_NAME"

      Note: This will update the user credentials on all the nodes. If you want to update only one node, please replace the * in az vmss update-instances --instance-ids '*' with the Virtual Machine Scale Set instance number (instance numbers range between 0 and N-1 where N is the total number of scale set instances).

      Else, if the AKS node pool is of type AvailabilitySet then:

          CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group <Resource-Group-Name> --name <Cluster-Name> --query nodeResourceGroup -o tsv)
          az vm user update \
            --resource-group "$CLUSTER_RESOURCE_GROUP" \
            --name VirtualMachineName \
            --username demo \
            --password Your-Password

      Important: Please replace Your-Password with a strong password.

    Having said that, users added manually on the AKS nodes will not be persisted if the node undergoes a node image upgrade (which can also be part of an update operation on the AKS cluster, like node pool Kubernetes version upgrade, agent pool reconciliations, service principal profile refresh, certificate rotation) or if the node is destroyed during a scale down operation.


    Hope this helps.

    Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

    2 people found this answer helpful.
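
The manual /etc/shadow edit from the first workaround, as an added example that is not part of the original answer or any Azure tooling: it replaces only the second field of one user's entry, refuses anything that is not a `$6$` string of the shape `openssl passwd -6` prints, and writes the result to stdout so it can be diffed before use. The function name `set_shadow_hash` and the sample file contents are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: put a SHA-512 crypt string into a user's shadow entry.
# set_shadow_hash is a hypothetical helper name, not an Azure or AKS tool.

# set_shadow_hash FILE USER HASH
# Prints FILE to stdout with only USER's second field replaced by HASH.
# FILE itself is never modified, so the result can be diffed before use.
set_shadow_hash() {
    file=$1 user=$2 hash=$3

    # Accept only what `openssl passwd -6` prints:
    # $6$<salt, up to 16 chars>$<86 chars>, all from the crypt alphabet.
    printf '%s\n' "$hash" |
        grep -Eq '^\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$' || {
        echo "refusing: not a \$6\$ crypt string" >&2
        return 2
    }

    # Exactly one entry must exist for the user.
    count=$(awk -F: -v u="$user" '$1 == u { n++ } END { print n + 0 }' "$file")
    [ "$count" -eq 1 ] || {
        echo "refusing: $count entries for $user" >&2
        return 3
    }

    # awk rather than sed: the hash contains $, / and ., which are special
    # in sed patterns. ENVIRON passes it in without escape processing.
    NEW_HASH=$hash awk -F: -v OFS=: -v u="$user" \
        '$1 == u { $2 = ENVIRON["NEW_HASH"] } { print }' "$file"
}

# Demo on a constructed file (not a real /etc/shadow; the hash is a
# placeholder of the right shape, not the hash of any password).
demo_shadow=$(mktemp)
printf '%s\n' 'root:*:18884:0:99999:7:::' 'demo:!:18884:0:99999:7:::' > "$demo_shadow"
demo_hash="\$6\$constructedsalt\$$(printf '%086d' 0)"
set_shadow_hash "$demo_shadow" demo "$demo_hash"
rm -f "$demo_shadow"
```
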