weinong
commented
1 year ago did you try to specify --token-cache-dir in convert-kubeconfig? i suppose you can create unique temp dir using mktemp to store the cached token
Open SebestyenBartha opened 1 year ago
weinong
commented
1 year ago did you try to specify --token-cache-dir in convert-kubeconfig? i suppose you can create unique temp dir using mktemp to store the cached token
SebestyenBartha
commented
1 year ago I'm sorry I don't understand how using a token cache dir would help me in this? From the documentation it is not clear to me. What I have problem with is the following:
az login --tenant A then, az login --tenant B,az account set --tenant Aaz aks get-credentials --name clusterA --resource-group rgAkubectl get pods -> I get the podsaz account set --tenant Baz aks get-credentials --name clusterB --resource-group rgBkubectl get pods -> I get the podskubectl config use-context clusterA, then get pods -> I get the podskubectl config use-context clusterB, then get pods -> I get the pods.Now, when I try to use kubelogin I have to do the following:
az account set --tenant Akubelogin convert-kubeconfig -l azureclikubectl get pods -> I get the podsaz account set --tenant Bkubectl config use-context clusterB, then get pods -> error: You must be logged in to the server (Unauthorized)kubelogin remove-tokenskubectl get pods -> I get the podsSo essentially instead of just switching seamlessly like in step 8 and 9, I have to call az account set and kubelogin remove-tokens every time I switch contexts, which is very annoying and also much slower than previously. I don't see how the token-cache-dir helps with this...
weinong
commented
1 year ago please look at this proposal, this would work, at least it works for me when i manually edited the kubeconfig
after this, you can change contexts without interfering each other.
you can confirm this proposal by editing the kubeconfig to add unique token-cache-dir, but you have to use devicecode login
ScottS-byte
commented
1 year ago I have to side with @SebestyenBartha on this - kubelogin is almost useless. I can connect fine to AKS clusters but not to our legacy k8s 1.17, 1.18 local clusters nor the legacy clusters on Azure. For the legacy clusters the process is kubectl use-context... or kubectx clustername and k9s. Once kubelogin is used as minimally directed nothing can connect to the legacy clusters at all, including kubectl cluster-info.
weinong
commented
1 year ago @ScottS-byte would you mind elaborating? does your legacy k8s use AAD or not? if you use kubelogin convert-kubeconfig --context ... --token-cache-dir $(mktemp -d), it will only change the config for selected context. the rest should remain the same, and you can switch by using kubectl config use-context XYZ
We have two different tenants in two different datacenters. I have two different users to go with that and I have to switch contexts all the time. When I switched from one datacenter to the other using kubectl the user experience with the azure auth plugin was that I need to log in once for both the first time I switch and then I can seamlessly switch between the two without re-authenticating every time, because the tokens were saved individually for both clusters, so kubectl always knew which token to use for which context. That is impossible to set up with kubelogin. When I convert the config, everything is converted but the two contexts will use the same token, and only the one I was using at the time of convert will work, the other context will provide an authorization error. Kubelogin is unable to figure out that I had multiple users for the different tenants. To fix it, I need to log out, remove the tokens from kubelogin, re-authenticate, convert the config again. And I have to do these steps every single time I switch contexts. It's awful. The azure auth plugin had sooo much better user experience... :( Can something be done about this?