How to make sure az kubectl credentials do not expire and kubectl can be run by scripts on production?
To control the Azure Kubernetes service, you need permission to perform the actions. So the core of safety is permission. You can use the service principal with the right permission you need without interaction. So the az login could be changed into this:
az login --service-principal -u service_principal_app_id -p service_principal_secret
To get the credentials to access the cluster, there are two permissions:
Azure Kubernetes Service Cluster Admin Role or Azure Kubernetes Service Cluster User Role
You can get more details here and decide which to use. You can set the expiry date for the service principal; take a look at another issue.
Find recommendations below:
- It is perfectly fine to use those commands
- Instead of an individual ID, I suggest you use a service principal and secret to log in to Azure
az aks get-credentials basically generates a Kubernetes config file for you in ~/.kube/config, which includes cluster information and a client certificate to access the Kubernetes API server. kubectl uses this configuration file by default.
You can also use a different config file location. If your script has access to this config file, it should just work.
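The service principal login and the separate config file location described in the answers above can be combined in one script function. This is an added example, not part of the original answers; the function name and all variable names (AZ_SP_APP_ID, AZ_SP_SECRET, AZ_TENANT_ID, AKS_RESOURCE_GROUP, AKS_CLUSTER_NAME, KUBECONFIG_OUT) are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive AKS credential fetch for a script or CI job.
# All variable names below are assumptions, not values from the page.

aks_fetch_kubeconfig() {
    # Fail closed if any input is missing, before the az CLI is called.
    for var in AZ_SP_APP_ID AZ_SP_SECRET AZ_TENANT_ID \
               AKS_RESOURCE_GROUP AKS_CLUSTER_NAME KUBECONFIG_OUT; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing required variable: $var" >&2
            return 2
        fi
    done

    (
        # Subshell: umask and AZURE_CONFIG_DIR changes do not leak to the caller.
        umask 077
        # Keep the az token cache out of a shared ~/.azure; remove it on exit.
        AZURE_CONFIG_DIR=$(mktemp -d) || exit 1
        export AZURE_CONFIG_DIR
        trap 'rm -rf "$AZURE_CONFIG_DIR"' EXIT

        # The secret comes from the environment (for example a CI secret
        # store), never from a literal in the script. --tenant is added here;
        # the command in the answer above does not show it.
        az login --service-principal \
            -u "$AZ_SP_APP_ID" -p "$AZ_SP_SECRET" \
            --tenant "$AZ_TENANT_ID" --output none || exit 1

        # Without --admin this requests the cluster user credential, so the
        # service principal only needs the Cluster User Role.
        az aks get-credentials \
            --resource-group "$AKS_RESOURCE_GROUP" \
            --name "$AKS_CLUSTER_NAME" \
            --file "$KUBECONFIG_OUT" --overwrite-existing || exit 1

        # The kubeconfig carries cluster access material: owner-only access.
        chmod 600 "$KUBECONFIG_OUT"
    )
}
```

After the function returns 0, point kubectl at the file with `kubectl --kubeconfig "$KUBECONFIG_OUT" ...` or by exporting `KUBECONFIG`.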