Microsoft Posted April 13, 2023 Share Posted April 13, 2023 Kubernetes tasks & Service Connections Azure DevOps supports Kubernetes deployments with a number of included tasks: AzureFunctionOnKubernetes HelmDeploy Kubernetes KubernetesManifest These tasks can be configured to target a Kubernetes cluster in a number of ways, using the connectionType property: Connection Type Description Azure Resource Manager Let’s you select an AKS instance. Does not access Kubernetes cluster at Service Connection configuration time. Kubernetes Service Connection Allows you to provide a KubeConfig file, specify a Service Account, or import an AKS instance with the ‘Azure Subscription’ option. The latter requires Kubernetes cluster access at Service Connection configuration time. None Use a pre-created Kubernetes configuration stored locally. Kubernetes Service Connection limitations when accessing AKS You can create a Kubernetes Service Connection with any of the below options: When selecting the ‘Azure Subscription’ option, Kubernetes needs to be accessible to Azure DevOps at Service Connection configuration time. There may be various reasons Service Connection cannot be created, e.g. you created a private cluster or the cluster has local accounts disabled. In these cases, Azure DevOps is unable to connect to your cluster at Service Connection configuration time and you will observe the dialog to be stuck at ‘Loading namespaces’: Since Kubernetes 1.24, long-lived tokens are no longer created by default. Kubernetes recommends not to use long-lived tokens. As a result, tasks using a Kubernetes Service Connection created using the Azure Subscription option do not have access to the permanent token required to authenticate and can’t access your Kubernetes cluster. This also results in the ‘Loading namespaces’ dialog to hang. Use the Azure Resource Manager Service Connection to access AKS We have added support for the Azure Resource Manager Service Connection type to tasks that did not support it yet: AzureFunctionOnKubernetes@1 KubernetesManifest@1 With these updated tasks, all included Kubernetes tasks can use an Azure Resource Manager Service Connection. For AKS customers, the Azure Resource Manager Service Connection type provides the best method to connect to a private cluster, or a cluster that has local accounts disabled. This method is not dependent on cluster connectivity at the time you create a Service Connection. Access to AKS is deferred to pipeline runtime, which has the following advantages: Access to a (private) AKS cluster can be performed from a Self-hosted or Scale set agent with line of sight to the cluster. A token is created for every task that uses Azure Resource Manager Service Connection. This ensures you are connecting to Kubernetes with a short-lived token, which is the Kubernetes recommendation. AKS can be accessed even when local accounts are disabled. The following example demonstrates the use of the Azure Resource Manager Service Connection: - task: AzureFunctionOnKubernetes@1 displayName: 'Deploy an Azure Function on Kubernetes' inputs: connectionType: 'Azure Resource Manager' azureSubscriptionConnection: '$(subscriptionConnection)' azureResourceGroup: $(resourceGroupName) kubernetesCluster: $(aksName) ... Common questions & answers Q: I’m using AKS and don’t want to change anything, can I continue to use tasks with the Kubernetes Service Connection as before? A: We are updating this method to create long-lived tokens. This is expected to be available mid-May. However, please be aware that this approach is against Kubernetes guidance. Q: I’m using the Kubernetes tasks and Kubernetes Service Connection but not AKS. Should I be concerned? A: You tasks will continue to work as before. Q: Will the Kubernetes Service Connection type be removed? A: Our Kubernetes tasks work with any Kubernetes cluster, regardless where they are running. The Kubernetes Service Connection will continue to exist. Q: I’m an AKS customer and everything is running fine, should I act? A: There is no need to change anything. If you are using the Kubernetes Service Connection and selected Azure Subscription during creation, you should be aware of the Kubernetes guidance on using long-lived tokens Q: I’m creating a Kubernetes Environment, and have no option to use Service Connections A: In case you can’t access AKS during environment creation time, you can use an empty environment and set the connectionType property of the above mentioned tasks to an Azure Resource Manager Service Connection. Q: I have AKS configured with Azure Active Directory RBAC, and my pipeline doesn’t work. Will these updates resolve that? A: Accessing Kubernetes when AAD RBAC is enabled is unrelated to token creation. To prevent an interactive prompt, we will support kubelogin in a future update and blog post in June. The post Service Connection guidance for AKS customers using Kubernetes tasks appeared first on Azure DevOps Blog. View the full article Quote Link to comment Share on other sites More sharing options...
.png.6dd3056f38e93712a18d153891e8e0fc.png.1dbd1e5f05de09e66333e631e3342b83.png.933f4dc78ef5a5d2971934bd41ead8a1.png)
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.