Commit 1e932bd

Update managed-aad.md
1 parent bf3aa1c commit 1e932bd

1 file changed

+10
-0
lines changed
articles/aks/managed-aad.md

Lines changed: 10 additions & 0 deletions
@@ -144,6 +144,15 @@ In order to access the cluster, follow the steps in [access an Azure AD enabled
144144

145145
There are some non-interactive scenarios, such as continuous integration pipelines, that aren't currently available with `kubectl`. You can use [`kubelogin`](https://github.com/Azure/kubelogin) to connect to the cluster with a non-interactive service principal credential.
146146

147+
Starting with Kubernetes 1.24, the default format of clusterUser credential for AAD enabled clusters will be ‘exec’, which requires [kubelogin](https://github.com/Azure/kubelogin) binary in the execution PATH. If you are using Azure CLI, it will prompt users to download kubelogin. There will be no behavior change for non-AAD clusters, or AAD clusters whose version is older than 1.24. Existing downloaded kubeconfig will still work. We provide an optional query parameter ‘format’ when getting clusterUser credential to overwrite the default behavior change, you can explicitly specify format to ‘azure’ to get old format kubeconfig.
148+
149+
For AAD clusters whose version is newer than 1.24, it will return to kubelogin format automatically and no convert needed. For AAD clusters whose version is plder than 1.24, you need to run the below commands to convert kubelogin format manually.
150+
151+
```azurecli-interactive
152+
export KUBECONFIG=/path/to/kubeconfig
153+
kubelogin convert-kubeconfig
154+
```
155+
147156
## Disable local accounts
148157

149158
When you deploy an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Azure AD integration, `--admin` access still exists as a non-auditable backdoor option. You can disable local accounts using the parameter `disable-local-accounts`. The `properties.disableLocalAccounts` field has been added to the managed cluster API to indicate whether the feature is enabled or not on the cluster.
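Review bot: the version boundary in the second new paragraph is inconsistent with the first. The first paragraph says the `exec` format applies "Starting with Kubernetes 1.24", but the next paragraph says clusters "newer than 1.24" need no conversion and clusters "plder than 1.24" (typo for "older") must run `kubelogin convert-kubeconfig`, which leaves a cluster on exactly 1.24 unaddressed. Suggest "1.24 and newer" / "older than 1.24" so both paragraphs agree. Two smaller points in the same hunk: the curly quotes around ‘exec’, ‘format’ and ‘azure’ should be backticks to match how `kubectl` and `kubelogin` are marked up elsewhere in this file, and the paragraph that says "We provide an optional query parameter ‘format’" should show the actual command the reader types to request the `azure` format, since a REST query parameter is not something an Azure CLI user can pass as written. Finally, the fenced block is tagged `azurecli-interactive` but contains only `export` and `kubelogin` commands, not `az`; a `bash` fence is the accurate tag and avoids implying the commands run in Cloud Shell's interactive mode.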
@@ -355,6 +364,7 @@ Error from server (Forbidden): nodes is forbidden: User "aaaa11111-11aa-aa11-a1a
355364

356365
Make sure the admin of the security group has given your account an *Active* assignment.
357366

367+
358368
## Next steps
359369

360370
* Learn about [Azure RBAC integration for Kubernetes Authorization][azure-rbac-integration].
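Review bot: this hunk adds only a blank line (`367+`) between the existing blank line at 366 and the `## Next steps` heading, producing two consecutive blank lines with no content change. Drop this whitespace-only addition so the diff contains just the intended documentation change.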