https://pulumi.com logo
Join Slack
Powered by
Is there a way to the aks cluster config within a ...
# azure
w
Is there a way to the aks cluster config within a pulumi program for the service principal in use? Or do I have to get the config using the cli with 
az aks get-credentials?
before running pulumi?
b
if you're using next gen you can use this snippet:
Copy code
import * as azure from "@pulumi/azure-nextgen"; 
    const clientConfig = azure.authorization.latest.getClientConfig();
    const currentPrincipal = clientConfig.then((x) => x.objectId);
(I think that's what you'll need)
That's what I've been doing to take my current user and add it to an admin group
w
Thanks, I’ll try that when I have time.
reading again, will this really get the cluster config for the kubernetes cluster? Isn’t this just getting the service principal info?
f
and then you can create a provider with it
let cluster = new k8s.Provider(name, { kubeconfig: aks.kubeAdminConfigRaw, }, { parent: this, });
which you can use to provision resources insisde aks
new k8s.core.v1.Namespace(namespace, { metadata: { name: namespace } }, { provider: cluster, parent: this, })
w
@fresh-pilot-59899 yes, I know about that one. But I would like to know how to get the credentials for a service provider if I don't have access to the raw admin config. I would like to use a service provider that only has access for the namespace it should manage and nothing more.
b
Could you create a role and role binding for the group you want to give access to, then give that role access to the namespace? Take a look at these docs: https://www.pulumi.com/docs/guides/crosswalk/kubernetes/configure-access-control/#configure-rbac-authorization
w
@brave-planet-10645, that is what I'm doing, but how do I get hold of the credentials for the service principal in a pulumi context? The service principal has been created in another stack (call it A), what I would like to do is from stack B get the service principal client id and client secret created in A using a stack reference, and then get hold of the kube config for that service principal. I know I can probably show this through command line, but ideally I would like to do it within the pulumi context.
@tall-librarian-49374 do you know if there is a way to do get the k8s cluster config from within pulumi? Or do I have to do it beforehand?
t
Is the cluster created from Pulumi? What exactly is “cluster config”? Is it in https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/getmanagedcluster/ ?
w
the cluster config is what you get when you do 
az aks get-credentials
, I think that is the kubeconfig raw you get when you create a cluster through pulumi. However, I want to use a config for a user that only have limited access to the cluster.
basically this https://www.pulumi.com/docs/reference/pkg/azure/containerservice/kubernetescluster/#kubeconfigraw_nodejs, but I want to have it for another service principal then the one that was used to create the cluster.
b
I think what you want is to follow the instructions here to create the groups for admins and devs and then the instructions here to control what those groups have access to. Then use the non-admin kubectl to deploy
t
There are several List* functions in here that return kubeconfig variants: https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/
w
thanks, I'll look into those!
@tall-librarian-49374, so let me check so I understand https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/listmanagedclusteraccessprofile/. If I use a azure nextgen provider with the SP I want the credentials for I should just be able to call that method there to get the credentials, correct? If so, awesome 🙂
t
I have no experience with this function but you should be able to call it
👍 1
3 Views
Open in Slack
PreviousNext
Powered by