How to integrate RBAC enabled AKS with any CI/CD environment?

Tanul 1,291 Reputation points
2023-05-17T16:21:02.86+00:00

Hello,

After enabling RBAC, AKS expects kubelogin to connect with anything, and it doesn't allow the creation of service connections either.

How do I create a service connection with any CI/CD tool? For example, this is the output with Azure DevOps while selecting Azure subscription as the authentication method.



Accepted answer
  1. Konstantinos Passadis 19,591 Reputation points MVP
    2023-05-17T17:09:04.3633333+00:00

    Hello @Tanul !

    To further assist in the links provided by @Cristian Gatjens

    Suggestion 1.

    If none of the above solutions worked, try this. Go to Projects >> Project settings >> Service connections >> New service connection >> Kubernetes >> select the authentication method as KubeConfig. For the KubeConfig file, open AKS in the Azure portal.

    Open Cloud Shell or the Azure CLI.

    Run the following commands: “az account set --subscription {subscription ID}” and “az aks get-credentials --resource-group {resource group name} --name {AKS-name} --admin”. You will get a path to the kubeconfig file; run cat /home/********/.kube/config, copy everything and paste it into the Azure DevOps Kubernetes service connection. Click on "Accept untrusted certificates" and "Grant access permission to all pipelines". Give the service connection a name and click Verify.
    

    Could you try ?

    Also, Suggestion 2.

    A solution that seems to work for some is the following.

    For others who are still having the issue, I am reiterating the process here:

    ```yaml
    # for aks version greater than 1.23 we have to handle the pipeline service manually
    # https://developercommunity.visualstudio.com/t/New-Kubernetes-service-connection-causes/10138123
    #
    # 1. Run this yaml file using: kubectl apply -f pipeline-account.yml
    # 2. Get the secret by running the following command:
    #    kubectl get secret sa-secret -n default -o json
    # 3. Get the kubernetes server URL:
    #    kubectl config view --minify -o jsonpath={.clusters[0].cluster.server}
    # 4. Create the Kubernetes service connection using the Service account method.
    #    Enter the correct values and the Secret json output from above step (step 2) -> Save.
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: pipeline-serviceaccount
      namespace: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: role-for-pipeline-serviceaccount
      # namespace: default
    rules:
      - apiGroups: ["", "apps", "extensions"]
        resources: ["*"]
        verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: rolebinding-for-pipeline-serviceaccount
      # namespace: default
    subjects:
      - kind: ServiceAccount
        name: pipeline-serviceaccount
        namespace: default # this is the namespace your service account is in
    roleRef:
      kind: ClusterRole
      name: role-for-pipeline-serviceaccount
      apiGroup: rbac.authorization.k8s.io
    ---
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: sa-secret
      namespace: default # must be the same namespace as the service account
      annotations:
        kubernetes.io/service-account.name: "pipeline-serviceaccount"
    ```

    The YAML above will provide cluster-wide access. If you only need access to a specific namespace, change the ClusterRole and ClusterRoleBinding objects to Role and RoleBinding and uncomment the namespace lines, which will give access only to the default namespace.

    You can change the namespace in the code above as needed if you need access to another namespace than default. Let's hope that Microsoft will provide changes to the Azure Pipeline services UI that will help in making this process easier again.

    All info is from the very same thread : https://learn.microsoft.com/en-us/answers/questions/1051970/aks-with-kubernetes-service-connection-returns-cou

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
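The procedure in Suggestion 2, worked through as an added example (this is not code from the thread or from Microsoft). It builds the same objects but namespace-scoped, as the answer suggests for single-namespace access, with a Role limited to the resource kinds a deploy pipeline touches; it then combines the output of step 2 (the secret JSON) and step 3 (the server URL) into a kubeconfig, which is what CI/CD tools other than Azure DevOps usually need. The object names follow the answer; the secret contents, token, CA and server URL are constructed. One caveat the code handles: right after `kubectl apply`, the token controller has not necessarily populated the Secret yet, so an empty `data` field means "retry", not "no token".

```python
"""Least-privilege pipeline identity for AKS plus a kubeconfig built from its token Secret.

Added example, not code from the thread. Object names follow the answer above
(pipeline-serviceaccount, sa-secret); secret contents and server URL are constructed.
"""
import base64
import json


def pipeline_rbac_manifests(namespace, sa_name="pipeline-serviceaccount"):
    """Same objects as the answer's YAML, but namespace-scoped (Role/RoleBinding) and
    limited to what a deploy pipeline touches. Returns a v1 List; kubectl accepts JSON,
    so `kubectl apply -f -` on json.dumps(...) works."""
    role_name = f"role-for-{sa_name}"
    return {
        "apiVersion": "v1",
        "kind": "List",
        "items": [
            {"apiVersion": "v1", "kind": "ServiceAccount",
             "metadata": {"name": sa_name, "namespace": namespace}},
            {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
             "metadata": {"name": role_name, "namespace": namespace},
             # No "secrets" here: get/list on secrets lets the pipeline read every
             # other ServiceAccount token in the namespace. Add it only if required.
             "rules": [{"apiGroups": ["", "apps"],
                        "resources": ["deployments", "services", "configmaps",
                                      "pods", "pods/log"],
                        "verbs": ["get", "list", "watch", "create", "update",
                                  "patch", "delete"]}]},
            {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
             "metadata": {"name": f"rolebinding-for-{sa_name}", "namespace": namespace},
             "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                           "namespace": namespace}],
             "roleRef": {"kind": "Role", "name": role_name,
                         "apiGroup": "rbac.authorization.k8s.io"}},
            # Kubernetes 1.24+ stopped auto-creating a token Secret per ServiceAccount,
            # which is why the service connection UI reports "no secrets"; request one.
            {"apiVersion": "v1", "kind": "Secret",
             "type": "kubernetes.io/service-account-token",
             "metadata": {"name": "sa-secret", "namespace": namespace,
                          "annotations": {"kubernetes.io/service-account.name": sa_name}}},
        ],
    }


def secret_is_ready(secret_json):
    """True once the token controller has filled in data.token and data["ca.crt"].
    Right after `kubectl apply` the Secret can exist with empty data; that means
    "try again", not "the cluster has no token"."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        return False
    data = secret.get("data") or {}
    return "token" in data and "ca.crt" in data


def kubeconfig_from_secret(secret_json, server, namespace="default", cluster_name="aks"):
    """Combine `kubectl get secret sa-secret -n <ns> -o json` (step 2) and the API
    server URL (step 3) into a kubeconfig dict. Azure DevOps' "Service account"
    method takes the raw secret JSON; most other CI/CD tools want this file
    (json.dumps it; kubectl reads JSON kubeconfigs)."""
    if not secret_is_ready(secret_json):
        raise ValueError("secret has no token/ca.crt yet, or is not a service-account-token")
    if not server.startswith("https://"):
        raise ValueError("server must be the https:// API endpoint")
    secret = json.loads(secret_json)
    data = secret["data"]
    token = base64.b64decode(data["token"]).decode("ascii")
    sa_name = secret["metadata"]["annotations"]["kubernetes.io/service-account.name"]
    user = f"{sa_name}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        # certificate-authority-data stays base64, exactly as it appears in the secret
        "clusters": [{"name": cluster_name,
                      "cluster": {"server": server,
                                  "certificate-authority-data": data["ca.crt"]}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": cluster_name,
                      "context": {"cluster": cluster_name, "user": user,
                                  "namespace": namespace}}],
        "current-context": cluster_name,
    }


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample input in the shape of `kubectl get secret ... -o json`; not a real token or CA.
SAMPLE_TOKEN = "constructed.not-a-real.jwt"
SAMPLE_CA_B64 = b64("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
SAMPLE_SERVER = "https://example-dns-0123abcd.hcp.westeurope.azmk8s.io:443"
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "sa-secret", "namespace": "default",
                 "annotations": {"kubernetes.io/service-account.name": "pipeline-serviceaccount"}},
    "data": {"token": b64(SAMPLE_TOKEN), "ca.crt": SAMPLE_CA_B64, "namespace": b64("default")},
})

if __name__ == "__main__":
    print(json.dumps(pipeline_rbac_manifests("default"), indent=2))   # pipe to: kubectl apply -f -
    print(json.dumps(kubeconfig_from_secret(SAMPLE_SECRET_JSON, SAMPLE_SERVER), indent=2))
```

Prefer this over pasting the `--admin` kubeconfig from Suggestion 1 into a pipeline: that file carries the cluster-admin client certificate, which is not tied to any Entra ID identity and cannot be scoped to a namespace or a set of verbs, so a leaked pipeline credential is a full cluster compromise. A service-account-token Secret is still a long-lived credential, so delete and recreate the Secret to rotate it, and confirm the binding did what you intended with `kubectl auth can-i --list --as=system:serviceaccount:default:pipeline-serviceaccount -n default` before wiring it into a service connection.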


1 additional answer

  1. Cristian Gatjens 716 Reputation points Microsoft Employee
    2023-05-17T16:38:00.1766667+00:00

    Hello Tanul,

    Thanks for reaching out and I hope you are doing well.

    I understand that you are seeing this error message "Could not find any secrets associated with the Service Account" using Azure DevOps. This error is expected if you are using AKS version 1.24.x or higher; a more detailed discussion and workarounds can be found in the following posts:

    https://learn.microsoft.com/en-us/answers/questions/1051970/aks-with-kubernetes-service-connection-returns-cou

    https://learn.microsoft.com/en-us/answers/questions/1163969/deploy-to-azure-kubernetes-service-with-azure-pipe

    https://learn.microsoft.com/en-us/answers/questions/1221211/how-to-retrieve-required-values-from-a-kubeconfig

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well. Feel free to reply with any other questions or concerns.

    Hope this helps!

