5

I created my AKS cluster in the Azure portal using the 'Create Kubernetes cluster' functionality and allowed it to create a new Service Principal.
I started to wonder about expiry of the credentials this principal uses. Hoping to avoid an issue with K8s talking to Azure on credential expiry, I started looking at the account which had been created.

What I'm seeing if I run:

az ad app show --id <app Id>

... is the account manifest apart from the password expiry. I don't need to see the password itself, just when it expires.

passwordCredentials, however, is an empty array.

What I was expecting to find was startDate and endDate properties like I do for accounts I create myself.

The PasswordCredential class described here:

https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.management.graph.rbac.fluent.models.passwordcredential?view=azure-dotnet

Is the AKS Cluster creation process doing something different when it creates its service principal credentials which means they don't expire? Am I just not allowed to see the detail? Is there something fundamental that I've misunderstood?

VengerGB
  • 63
  • 1
  • 4
  • I think you can create an application password that doesn't expire, so it's not doing something unique – 4c74356b41 Dec 12 '18 at 18:02
  • Possible duplicate of [Azure AKS Client Secret expired - How to change?](https://stackoverflow.com/questions/53748832/azure-aks-client-secret-expired-how-to-change) – 4c74356b41 Dec 13 '18 at 07:51
  • Thanks for taking a look at my question. With respect - the question isn't about changing the password for my cluster, merely understanding if and when the AKS created service principal's credentials expire. If AKS creates principals without credential expiry, that's worth knowing - and might not be desirable from a security standpoint. Admittedly - given the current support for changing the password in the cluster, this might be moot. At least I would know when to spin up a new cluster in order to avoid a lapse in service. – VengerGB Dec 13 '18 at 09:24
  • Any more question? Or if the answer is helpful you can accept it. – Charles Xu Dec 21 '18 at 08:02

2 Answers

3

Bumped into the same Service principal expiry issue for the AKS.

As a quick workaround, I created a new key using the Azure Portal and updated all the AKS nodes manually (/etc/kubernetes/azure.json) with the new client secret and restarted them one by one; moreover, the master node was not updated with the new client_secret (obviously). Hence newly scaled-up nodes were coming up with the expired client secret!! (Issue)

30.01.2019 Got a response from Azure Support that they are adding a new option in the Azure CLI to update the service principal.

31.01.2019 Just upgraded my Azure CLI to check for the new feature; luckily it's there, and I updated my test cluster and it works!

az aks update-credentials --reset-service-principal --service-principal <client-id> --client-secret <secret>

Note: the client-id and client-secret should be created by you.

It basically updates the /etc/kubernetes/azure.json file on all the nodes and then reboots them one by one!

Tried with scale up as well and it works!

Cizer Pereira
  • 99
  • 1
  • 4
  • [Link to the docs](https://learn.microsoft.com/en-us/azure/aks/update-credentials#reset-the-existing-service-principal-credentials). Mind that it takes a looong time to run, as it duplicates nodes, pulls pods to new nodes from old ones, resolves pods with new credentials on old nodes and kills the temporary nodes. – Alex Klaus Aug 08 '23 at 03:58
2

First of all, I need to make an explanation about the passwordCredentials that you reference. It is a property of the App Registration key. When you create the AKS cluster there is no key created, so passwordCredentials shows empty. If you create a key in App Registration, it will show like this:

[screenshots omitted]

In addition, when you deploy an AKS cluster the password will never expire. But don't worry, you can create the key for App Registration in the settings and give an expiry time to it. You can also reset the time and the key password.

[screenshot omitted]

But you should take care when you reset the password using the CLI command az ad sp credential reset. This command will overwrite all the keys, not just reset the expiry time and password. It means that it creates a new key for you and deletes all the keys created before, or it just creates a new key if you use the parameter --append.

You can take a look at the document Azure Kubernetes Service (AKS) with Azure AD. Hope this will help you.

Charles Xu
  • 29,862
  • 2
  • 22
  • 39
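
As an added example (not code from the question or from either answer), here is the expiry check the question is really asking for: it parses the passwordCredentials array that `az ad app show --id <appId> --query passwordCredentials -o json` returns and flags expired or soon-expiring keys, and it returns an empty report for the empty array the second answer explains. The sample array, its key ids and the use of the question's date as "now" are constructed assumptions; the `fetch_credentials` helper is the only part that talks to Azure and is not called in the stand-alone run.

```python
# Flags expired / soon-expiring password credentials on an app registration, from the
# JSON that `az ad app show --id <appId> --query passwordCredentials -o json` returns.
# An empty array (the question's case) means no key is recorded, so nothing is reported.
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample (not from a real tenant). Field names follow the page
# (startDate/endDate); newer Microsoft Graph-backed CLI versions emit
# startDateTime/endDateTime, which the parser also accepts. keyIds are placeholders.
SAMPLE_CREDENTIALS = json.dumps([
    {"keyId": "key-expired-0001", "startDate": "2017-12-01T00:00:00+00:00",
     "endDate": "2018-12-01T00:00:00+00:00"},
    {"keyId": "key-expiring-0002", "startDate": "2018-12-01T00:00:00+00:00",
     "endDate": "2019-01-05T00:00:00+00:00"},
    {"keyId": "key-ok-0003", "startDate": "2018-12-01T00:00:00+00:00",
     "endDate": "2020-12-01T00:00:00+00:00"},
])
QUESTION_DATE = datetime(2018, 12, 13, tzinfo=timezone.utc)  # "now" for the sample run

def _parse_ts(value):
    """Parse the ISO-8601 timestamps the CLI emits (either 'Z' or '+00:00' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_credentials(creds_json, now, warn_days=30):
    """One {keyId, days_left, status} row per credential; [] for an empty array."""
    report = []
    for cred in json.loads(creds_json):
        end = _parse_ts(cred.get("endDate") or cred["endDateTime"])
        days_left = (end - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append({"keyId": cred.get("keyId"), "days_left": days_left, "status": status})
    return report

def fetch_credentials(app_id):
    """Live query through the Azure CLI (needs `az login`); not used by the sample run."""
    cmd = ["az", "ad", "app", "show", "--id", app_id,
           "--query", "passwordCredentials", "-o", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    for row in classify_credentials(SAMPLE_CREDENTIALS, QUESTION_DATE):
        print(row)
```

Run it on a schedule against the real app id (replace the sample with `fetch_credentials(app_id)`) and alert on any "expiring" or "expired" row well before the date you would otherwise learn about from a failing cluster.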