Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 24 changed files with 1,430 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
name: Build on Push | ||
on: [push] | ||
jobs: | ||
build: | ||
name: Build | ||
runs-on: ubuntu-latest | ||
env: | ||
GO111MODULE: on | ||
steps: | ||
- name: Set up Go 1.13 | ||
uses: actions/setup-go@v1 | ||
with: | ||
go-version: 1.13 | ||
id: go | ||
|
||
- name: Check out code into the Go module directory | ||
uses: actions/checkout@v2 | ||
|
||
- name: Build | ||
run: make |
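Review bot: `on: [push]` at the top of this workflow leaves pull requests unbuilt, so a contribution from a fork is never compiled before it is merged. Consider `on: [push, pull_request]`; the job shown here only runs `make` and references no secrets, so nothing in it needs to be withheld from fork builds.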
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
name: Release | ||
on: | ||
# push | ||
release: | ||
types: [created] | ||
|
||
jobs: | ||
build: | ||
name: Build | ||
runs-on: ubuntu-latest | ||
env: | ||
GO111MODULE: on | ||
steps: | ||
- name: Set up Go 1.13 | ||
uses: actions/setup-go@v1 | ||
with: | ||
go-version: 1.13 | ||
id: go | ||
|
||
- name: Check out code into the Go module directory | ||
uses: actions/checkout@v2 | ||
|
||
- name: Build (linux) | ||
env: | ||
GOOS: linux | ||
GOARCH: amd64 | ||
run: make | ||
|
||
- name: Build (darwin) | ||
env: | ||
GOOS: darwin | ||
GOARCH: amd64 | ||
run: make | ||
|
||
- name: Build (windows) | ||
env: | ||
GOOS: windows | ||
GOARCH: amd64 | ||
run: make | ||
|
||
- name: Zip | ||
uses: montudor/[email protected] | ||
with: | ||
args: zip -qq -r kubelogin.zip bin | ||
|
||
- name: Publish | ||
uses: skx/github-action-publish-binaries@master | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
args: kubelogin.zip |
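Review bot: The Publish step runs `skx/github-action-publish-binaries@master` with `GITHUB_TOKEN` in its environment, so whatever is on that action's `master` branch at release time executes with the token used to upload release assets. Pin it to a full commit SHA, and do the same for the third-party Zip step; `actions/setup-go@v1` and `actions/checkout@v2` are movable tags as well and are better pinned the same way in a workflow that produces the published binaries.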
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
TARGET := kubelogin | ||
OS := $(if $(GOOS),$(GOOS),$(shell go env GOOS)) | ||
ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH)) | ||
BIN = bin/$(OS)_$(ARCH)/$(TARGET) | ||
ifeq ($(OS),windows) | ||
BIN = bin/$(OS)_$(ARCH)/$(TARGET).exe | ||
endif | ||
|
||
GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD) | ||
GIT_HASH := $(shell git rev-parse --verify HEAD) | ||
GIT_TAG := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "") | ||
BUILD_TIME ?= $(shell date -u +"%Y-%m-%dT%H:%M:%SZ") | ||
|
||
ifdef GIT_TAG | ||
VERSION := $(GIT_TAG)/$(GIT_HASH) | ||
else | ||
VERSION := $(GIT_BRANCH)/$(GIT_HASH) | ||
endif | ||
|
||
LDFLAGS := -X main.version=$(VERSION) \ | ||
-X main.goVersion=$(shell go version | cut -d " " -f 3) \ | ||
-X main.buildTime=$(BUILD_TIME) | ||
|
||
all: $(TARGET) | ||
|
||
version: | ||
@echo VERSION: $(VERSION) | ||
|
||
$(TARGET): clean | ||
go build -o $(BIN) -ldflags "$(LDFLAGS)" | ||
|
||
clean: | ||
-rm -f $(BIN) |
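Review bot: `all`, `version`, `clean` and `$(TARGET)` are never declared phony, while the file actually produced is `$(BIN)` rather than a file named `kubelogin`. A stray file called `clean`, `version` or `kubelogin` in the repository root would change which recipes run, so add `.PHONY: all version clean $(TARGET)` near the `all:` rule.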
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,77 @@ | ||
# kubelogin | ||
|
||
# Contributing | ||
This is a [client-go credential (exec) plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) implementing azure authentication. This plugin provides features that are not available in kubectl. | ||
|
||
## Features | ||
|
||
* convert command to convert kubeconfig with existing azure auth provider to exec credential plugin | ||
* device code login | ||
* non-interactive service principal login | ||
* non-interactive user principal login using [Resource owner login flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) | ||
* AAD token will be cached locally for renewal. By default, it is saved in `~/.kube/cache/kubelogin/azure.json` | ||
* addresses https://github.com/kubernetes/kubernetes/issues/86410 to remove `spn:` prefix in `audience` claim, if necessary. (based on kubeconfig or commandline argument `--legacy`) | ||
|
||
## Getting Started | ||
|
||
### Setup | ||
|
||
Copy the latest [Releases](https://github.com/Azure/kubelogin/releases) to shell's search path. | ||
|
||
### Run | ||
|
||
#### Device code flow (interactive) | ||
|
||
```sh | ||
export KUBECONFIG=/path/to/kubeconfig | ||
|
||
kubelogin convert-kubeconfig | ||
|
||
kubectl get no | ||
``` | ||
|
||
If you are using kubeconfig from AKS AADv1 clusters, `convert-kubeconfig` command will automatically add `--legacy` flag so that `audience` claim will have `spn:` prefix. | ||
|
||
#### Service principal login flow (non interactive) | ||
|
||
> On AKS, it will only work with AADv2 | ||
```sh | ||
export KUBECONFIG=/path/to/kubeconfig | ||
|
||
kubelogin convert-kubeconfig -l spn | ||
|
||
export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn client id> | ||
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<spn secret> | ||
|
||
kubectl get no | ||
``` | ||
|
||
#### User Principal login flow (non interactive) | ||
|
||
> Note: ROPC is not supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity providers, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however. | ||
> It also does not work when MFA policy is enabled | ||
> Personal accounts that are invited to an Azure AD tenant can't use ROPC | ||
```sh | ||
export KUBECONFIG=/path/to/kubeconfig | ||
|
||
kubelogin convert-kubeconfig -l ropc | ||
|
||
export [email protected] | ||
export AAD_USER_PRINCIPAL_PASSWORD=<password> | ||
|
||
kubectl get no | ||
``` | ||
|
||
### Clean up | ||
|
||
Whenever you want to remove the cached token, to change login method, or to change tenant, you should remove the cached token | ||
|
||
```sh | ||
kubelogin remove-token | ||
``` | ||
|
||
## Contributing | ||
|
||
This project welcomes contributions and suggestions. Most contributions require you to agree to a | ||
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us | ||
|
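Review bot: The two non-interactive examples put `AAD_SERVICE_PRINCIPAL_CLIENT_SECRET` and `AAD_USER_PRINCIPAL_PASSWORD` on `export` lines that end up in shell history, and the Features list says the AAD token is cached in `~/.kube/cache/kubelogin/azure.json` without stating the permissions that file is created with. Document the cache file's mode (it should be readable by the owner only) and show the secret values being read from a prompt or a protected file instead of typed inline.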
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
module github.com/Azure/kubelogin | ||
|
||
go 1.13 | ||
|
||
require ( | ||
github.com/Azure/go-autorest/autorest v0.9.0 | ||
github.com/Azure/go-autorest/autorest/adal v0.5.0 | ||
github.com/spf13/cobra v0.0.6 | ||
github.com/spf13/pflag v1.0.5 | ||
k8s.io/apimachinery v0.17.4 | ||
k8s.io/cli-runtime v0.17.4 | ||
k8s.io/client-go v0.17.4 | ||
k8s.io/klog v1.0.0 | ||
) |