Configure Kubelogin
Portworx Backup (PXB) now supports Azure kubelogin, enabling secure and token-based authentication with Azure Kubernetes Service (AKS) clusters. By leveraging Azure Active Directory (Azure AD) integration, kubelogin eliminates the need for static credentials or Azure AD service accounts, enhancing security and compliance with modern identity management practices.
Kubelogin is specifically designed for AKS clusters integrated with Azure AD. Portworx Backup dynamically uses kubelogin to fetch tokens during authentication. For long-running operations, manual re-authentication may be required if tokens expire.
Before you begin
Before using kubelogin with PXB:
- Install Portworx Backup version 2.8.1 or later.
- Ensure your AKS cluster is configured with Azure AD integration for RBAC.
- Ensure the Azure AD user or service principal has access to the AKS cluster.
Add kubelogin AKS cluster
- Refer to generate kubeconfig with service principal and generate a kubeconfig file.
- After generating the kubeconfig file, refer to Add AKS cluster to add the Azure cluster with Azure AD enabled.
Portworx Backup currently supports Service Principal and Managed Service Identity login modes for kubelogin.
Troubleshooting
| Issue | Cause | Resolution |
|---|---|---|
| Portworx Backup cannot authenticate | Service principal could be misconfigured. | Before adding the cluster, run the kubectl get nodes command and confirm that the service principal is configured correctly. |
| Token expiration errors | Tokens expire after 90 days. | Re-authenticate or ensure Portworx Backup refreshes the token after 90 days. |
| Invalid Azure AD credentials | Incorrect tenant or secret ID | Verify that the secret and server IDs are correct in the kubeconfig file. |
| Portworx Backup cannot access AKS resources | Insufficient permissions in Azure AD | Ensure the user or service principal has sufficient Azure AD and AKS access. |
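
A pre-flight check for the kubeconfig before it is added to Portworx Backup, covering the two supported login modes and the ID and secret row in the table above. This is an added example, not Portworx or kubelogin code. It assumes the kubeconfig was exported as JSON with `kubectl config view --raw -o json` and that the service principal uses a client secret; the function names and sample values are constructed for illustration.

```python
import os

# Flags each supported kubelogin --login mode needs (assumes secret-based spn).
REQUIRED = {"spn": ["--server-id", "--client-id", "--tenant-id"],
            "msi": ["--server-id"]}
SECRET_ENV = ("AAD_SERVICE_PRINCIPAL_CLIENT_SECRET", "AZURE_CLIENT_SECRET")

def parse_flags(args):
    """Map exec args such as ['--login', 'spn', '--tenant-id=x'] to a dict."""
    flags = {}
    for i, arg in enumerate(args):
        if arg.startswith("-"):
            name, sep, value = arg.partition("=")
            if not sep and i + 1 < len(args) and not args[i + 1].startswith("-"):
                value = args[i + 1]
            flags[name] = value
    return flags

def check_kubeconfig(cfg):
    """Return (user, problem) pairs; an empty list means every user passed."""
    problems = []
    for entry in cfg.get("users") or []:
        name = entry.get("name", "<unnamed>")
        plugin = (entry.get("user") or {}).get("exec") or {}
        if os.path.basename(plugin.get("command", "")) != "kubelogin":
            problems.append((name, "does not use the kubelogin exec plugin"))
            continue
        flags = parse_flags(plugin.get("args") or [])
        mode = flags.get("--login") or flags.get("-l") or "<missing>"
        if mode not in REQUIRED:
            problems.append((name, f"login mode {mode} is not spn or msi"))
            continue
        problems += [(name, f"{f} is missing or empty")
                     for f in REQUIRED[mode] if not flags.get(f)]
        env = {e.get("name"): e.get("value") for e in plugin.get("env") or []}
        if mode == "spn" and not (flags.get("--client-secret")
                                  or any(env.get(k) for k in SECRET_ENV)):
            problems.append((name, "no client secret in args or exec env"))
    return problems

# Constructed sample, shaped like `kubectl config view --raw -o json` output.
ID = "00000000-0000-0000-0000-000000000000"  # placeholder GUID, not a real ID
SPN = ["get-token", "--server-id", ID, "--client-id", ID, "--login", "spn"]
SECRET = [{"name": SECRET_ENV[0], "value": "constructed-secret"}]
SAMPLE = {"users": [
    {"name": n, "user": {"exec": {"command": "kubelogin", "args": a, "env": e}}}
    for n, a, e in [("ok", SPN + ["--tenant-id", ID], SECRET),
                    ("interactive", ["get-token", "--login", "devicecode"], []),
                    ("broken", SPN, [])]]}
```

Load a real file with `json.load` and pass the result to `check_kubeconfig`; the check only confirms that the values are present, so `kubectl get nodes` is still needed to confirm they are correct.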