Microsoft plugs Active Directory authentication into AKS on Azure Stack HCI
Begone foul stash for the secret hash
Rolled out in preview form last year, the arrival of the Azure Kubernetes Service (AKS) on Azure Stack HCI was aimed directly at customers leery of Microsoft's public cloud. The arrival of AKS-HCI meant that developers got, in theory, a consistent AKS experience over cloud and the resolutely on-premises world of Azure Stack HCI. Hybrid indeed.
However, although Microsoft cheerfully trumpeted the security strengths of AKS-HCI at the launch of the public preview, it admitted several were not quite ready for public consumption: "these and more will be released in the lead-up to general availability."
Enter the Active Directory (AD) integration, which has arrived in the February update. The addition to the public preview brings single sign-on via AD authentication when using kubectl, rather than certificate-based client authentication.
"Think of AD kubeconfig as a type of kubeconfig," said Microsoft, referring to the configuration stored on the client to connect to the api-server. By default, AKS-HCI uses a certificate-based kubeconfig, which contains the likes of private keys.
"If malware or attacker gets access to this configuration file," the company admitted, "they will be able to get access to the api-server and that would be like getting keys to the kingdom."
Hence the advantages of AD kubeconfig. While the certificate-based approach is still available, "the AD kubeconfig can be freely distributed without any security concerns to a wider group of users."
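As an added illustration of the distinction above (not code from the article or from Microsoft), a short Python check that flags kubeconfig user entries carrying embedded credentials versus those that delegate to an external login flow; the sample kubeconfig and the `example-sso-login` command name are constructed placeholders.

```python
# Audit kubeconfig 'users' entries for embedded long-lived secrets. Constructed
# example, not Microsoft's tooling; works on the mapping yaml.safe_load() returns.
from typing import Dict, List

# Keys whose presence means the file itself carries a reusable credential:
# whoever copies the file can authenticate to the api-server as this user.
SECRET_KEYS = ("client-key-data", "client-key", "client-certificate-data",
               "client-certificate", "token", "tokenFile", "password")
# Keys that delegate to an external login flow (SSO, Kerberos, OIDC); the
# file alone is not enough to reach the api-server.
DELEGATED_KEYS = ("exec", "auth-provider")


def audit_kubeconfig(cfg: Dict) -> List[Dict[str, object]]:
    """Return one finding per user entry: embedded secrets vs delegated auth."""
    findings = []
    for entry in cfg.get("users", []) or []:
        user = entry.get("user") or {}
        embedded = [k for k in SECRET_KEYS if k in user]
        delegated = [k for k in DELEGATED_KEYS if k in user]
        findings.append({
            "name": entry.get("name"),
            "embedded_secrets": embedded,
            "delegated_auth": delegated,
            # Safe to hand to a wider group only if it holds no secret and
            # relies on an external credential source.
            "distributable": not embedded and bool(delegated),
        })
    return findings


# Constructed sample: a certificate-based user (private key inline) beside
# an SSO-style user that delegates to an exec plugin (placeholder command).
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {"name": "cert-admin",
         "user": {"client-certificate-data": "LS0t...(constructed)",
                  "client-key-data": "LS0t...(constructed)"}},
        {"name": "ad-user",
         "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                           "command": "example-sso-login", "args": []}}},
    ],
}

if __name__ == "__main__":
    for finding in audit_kubeconfig(SAMPLE_KUBECONFIG):
        print(finding)
```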
The Windows Server or container host doesn't even need to be domain-joined to use the functionality, as long as the domain controller and container host are time-synchronised.
The feature relies on the Kerberos protocol, and it's a useful update if you've bought into the Microsoft way of doing things (and if you're using Azure Stack HCI, you probably have).
The update also ditches the need for a DHCP server and supports completely static IP environments, and, for those keen to check out AKS-HCI but less keen on spending cash on hardware just for a test drive, a guide on how to bring the system up on an Azure VM is also available. ®