
wet-noon-14291

02/21/2021, 8:40 AM
Is there a way to get the aks cluster config within a pulumi program for the service principal in use? Or do I have to get the config using the cli with az aks get-credentials before running pulumi?

brave-planet-10645

02/21/2021, 9:11 AM
if you're using next gen you can use this snippet:
import * as azure from "@pulumi/azure-nextgen";
// Look up the identity Pulumi is currently running as (tenant, subscription, object id)
const clientConfig = azure.authorization.latest.getClientConfig();
// Object id of the current user/service principal, resolved from the Promise
const currentPrincipal = clientConfig.then((x) => x.objectId);
(I think that's what you'll need)
That's what I've been doing to take my current user and add it to an admin group

wet-noon-14291

02/21/2021, 10:25 AM
Thanks, I’ll try that when I have time.
reading again, will this really get the cluster config for the kubernetes cluster? Isn’t this just getting the service principal info?

fresh-pilot-59899

02/21/2021, 7:30 PM
and then you can create a provider with it
let cluster = new k8s.Provider(name, { kubeconfig: aks.kubeAdminConfigRaw, }, { parent: this, });
which you can use to provision resources inside aks
new k8s.core.v1.Namespace(namespace, { metadata: { name: namespace } }, { provider: cluster, parent: this, })

wet-noon-14291

02/21/2021, 9:30 PM
@fresh-pilot-59899 yes, I know about that one. But I would like to know how to get the credentials for a service provider if I don't have access to the raw admin config. I would like to use a service provider that only has access for the namespace it should manage and nothing more.

brave-planet-10645

02/22/2021, 10:11 AM
Could you create a role and role binding for the group you want to give access to, then give that role access to the namespace? Take a look at these docs: https://www.pulumi.com/docs/guides/crosswalk/kubernetes/configure-access-control/#configure-rbac-authorization

wet-noon-14291

02/23/2021, 10:55 PM
@brave-planet-10645, that is what I'm doing, but how do I get hold of the credentials for the service principal in a pulumi context? The service principal has been created in another stack (call it A), what I would like to do is from stack B get the service principal client id and client secret created in A using a stack reference, and then get hold of the kube config for that service principal. I know I can probably show this through command line, but ideally I would like to do it within the pulumi context.
@tall-librarian-49374 do you know if there is a way to get the k8s cluster config from within pulumi? Or do I have to do it beforehand?

tall-librarian-49374

02/24/2021, 6:49 AM
Is the cluster created from Pulumi? What exactly is “cluster config”? Is it in https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/getmanagedcluster/ ?

wet-noon-14291

02/24/2021, 10:10 AM
the cluster config is what you get when you do az aks get-credentials, I think that is the kubeconfig raw you get when you create a cluster through pulumi. However, I want to use a config for a user that only has limited access to the cluster.
basically this https://www.pulumi.com/docs/reference/pkg/azure/containerservice/kubernetescluster/#kubeconfigraw_nodejs, but I want to have it for another service principal than the one that was used to create the cluster.

brave-planet-10645

02/24/2021, 10:19 AM
I think what you want is to follow the instructions here to create the groups for admins and devs and then the instructions here to control what those groups have access to. Then use the non-admin kubectl to deploy

tall-librarian-49374

02/24/2021, 10:34 AM
There are several List* functions in here that return kubeconfig variants: https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/

wet-noon-14291

02/24/2021, 11:01 AM
thanks, I'll look into those!
@tall-librarian-49374, so let me check that I understand https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/listmanagedclusteraccessprofile/. If I use an azure nextgen provider with the SP I want the credentials for, I should just be able to call that method there to get the credentials, correct? If so, awesome 🙂

tall-librarian-49374

02/24/2021, 11:10 AM
I have no experience with this function but you should be able to call it