Commit 3d50175

Merge pull request #234369 from CocoWang-wql/patch-33
Update managed-aad.md
2 parents f982caa + c5af703 commit 3d50175

1 file changed

+18
-1
lines changed

articles/aks/managed-aad.md

Lines changed: 18 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: Use Azure AD in Azure Kubernetes Service
33
description: Learn how to use Azure AD in Azure Kubernetes Service (AKS)
44
ms.topic: article
5-
ms.date: 03/02/2023
5+
ms.date: 04/17/2023
66
ms.custom: devx-track-azurecli
77
ms.author: miwithro
88
---
@@ -144,6 +144,23 @@ In order to access the cluster, follow the steps in [access an Azure AD enabled
144144

145145
There are some non-interactive scenarios, such as continuous integration pipelines, that aren't currently available with `kubectl`. You can use [`kubelogin`](https://github.com/Azure/kubelogin) to connect to the cluster with a non-interactive service principal credential.
146146

147+
Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Azure AD clusters is `exec`, which requires [kubelogin](https://github.com/Azure/kubelogin) binary in the execution PATH. If you use the Azure CLI, it prompts you to download kubelogin. For non-Azure AD clusters, or Azure AD clusters where the version of Kubernetes is older than 1.24, there is no change in behavior. The version of kubeconfig installed continues to work.
148+
149+
An optional query parameter named `format` is available when retrieving the clusterUser credential to overwrite the default behavior change. You can set the value to `azure` to use the original kubeconfig format.
150+
151+
Example:
152+
153+
```azurecli-interactive
154+
az aks get-credentials --format azure
155+
```
156+
157+
For Azure AD integrated clusters using a version of Kubernetes newer than 1.24, it uses the kubelogin format automatically and no conversion is needed. For Azure AD integrated clusters running a version older than 1.24, you need to run the following commands to convert the kubeconfig format manually
158+
159+
```azurecli-interactive
160+
export KUBECONFIG=/path/to/kubeconfig
161+
kubelogin convert-kubeconfig
162+
```
163+
147164
## Disable local accounts
148165

149166
When you deploy an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Azure AD integration, `--admin` access still exists as a non-auditable backdoor option. You can disable local accounts using the parameter `disable-local-accounts`. The `properties.disableLocalAccounts` field has been added to the managed cluster API to indicate whether the feature is enabled or not on the cluster.
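
Review bot: The version boundary in the paragraph added at line 157 disagrees with the one added at line 147. Line 147 says the `exec` format is the default "Starting with Kubernetes version 1.24", but line 157 splits clusters into "newer than 1.24" (automatic) and "older than 1.24" (manual conversion), which leaves 1.24 itself uncovered. Suggest "1.24 or newer" in line 157 so both paragraphs agree. In the same sentence, "it uses the kubelogin format" has no clear subject, and the sentence ends at "manually" with no punctuation; a colon fits since a code block follows. The example at line 154, `az aks get-credentials --format azure`, names no cluster, so it can't be copied as written; add the resource group and cluster name arguments with placeholder values. Line 149 describes `format` as a "query parameter" while the example passes it as a CLI flag, so say which interface each form belongs to. Finally, the added text sits under the paragraph about non-interactive scenarios at line 145, but none of the new lines say how the `exec` format or `kubelogin convert-kubeconfig` behaves with a service principal credential; either tie the new paragraphs to that scenario or move them under their own heading.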
