Configure Kubelogin
Azure AD kubelogin is supported in Classic mode only and has not been validated for Federated mode. In Federated mode, Portworx Backup uses Azure Workload Identity (WLI) for authentication.
Portworx Backup now supports Azure kubelogin, enabling secure, token-based authentication with Azure Kubernetes Service (AKS) clusters. By leveraging Azure Active Directory (Azure AD) integration, kubelogin eliminates the need for static credentials or Azure AD service accounts, enhancing security and compliance with modern identity management practices.
Kubelogin is specifically designed for AKS clusters integrated with Azure AD. Portworx Backup dynamically uses kubelogin to fetch tokens during authentication. For long-running operations, manual re-authentication may be required if tokens expire.
Before you begin
Before using kubelogin with Portworx Backup:
- Install Portworx Backup version 2.8.1 or later.
- Ensure your AKS cluster is configured with Azure AD integration for RBAC.
- Ensure the Azure AD user or service principal has access to the AKS cluster.
Add kubelogin AKS cluster
- See generate kubeconfig with service principal and generate a kubeconfig file.
- After generating the kubeconfig file, see Add AKS cluster to add the Azure cluster with Azure AD enabled.
Portworx Backup currently supports Service Principal and Managed Service Identity login modes for kubelogin.
Troubleshooting
| Issue | Cause | Resolution |
|---|---|---|
| Portworx Backup cannot authenticate | Service principal might be misconfigured. | Before adding the cluster, run `kubectl get nodes` to confirm the service principal is configured correctly. |
| Token expiration errors | Tokens expire after 90 days. | Re-authenticate or ensure Portworx Backup refreshes the token after 90 days. |
| Invalid Azure AD credentials | Incorrect tenant or secret ID. | Verify that the secret and server IDs are correct in the kubeconfig file. |
| Portworx Backup cannot access AKS resources | Insufficient permissions in Azure AD. | Ensure the user or service principal has sufficient Azure AD and AKS access. |
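
The following Python check is an added example, not code from Portworx or the kubelogin project. It reads a kubeconfig in JSON form and reports users whose kubelogin settings fall outside the Service Principal (`spn`) and Managed Service Identity (`msi`) login modes listed above, or whose server and client IDs are missing or malformed, which is the verification the troubleshooting table asks for. The function names and sample values are constructed, and the flag names are assumed to be the ones kubelogin writes into the `exec` section of a kubeconfig.

```python
import json
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SUPPORTED_LOGINS = {"spn", "msi"}  # service principal, managed service identity

def parse_flags(args):
    """Map kubelogin args ('--flag value', '--flag=value', '-l value') to a dict."""
    flags = {}
    for i, arg in enumerate(args):
        if arg.startswith("-"):
            name, sep, value = arg.lstrip("-").partition("=")
            nxt = args[i + 1] if i + 1 < len(args) else ""
            if not sep and not nxt.startswith("-"):
                value = nxt  # space-separated form: '--flag value'
            flags["login" if name == "l" else name] = value
    return flags

def check_kubeconfig(kubeconfig_json):
    """Return (user, problem) findings; an empty list means every check passed."""
    findings = []
    for entry in json.loads(kubeconfig_json).get("users") or []:
        name = entry.get("name", "?")
        exec_cfg = (entry.get("user") or {}).get("exec") or {}
        if not (exec_cfg.get("command") or "").endswith("kubelogin"):
            findings.append((name, "does not authenticate through kubelogin"))
            continue
        flags = parse_flags(exec_cfg.get("args") or [])
        login = flags.get("login", "devicecode")  # kubelogin's default login mode
        if login not in SUPPORTED_LOGINS:
            findings.append((name, f"unsupported login mode {login!r}"))
        required = ["server-id"] + (["client-id", "tenant-id"] if login == "spn" else [])
        for flag in required:
            value = flags.get(flag, "")
            if not value:
                findings.append((name, f"missing --{flag}"))
            elif flag != "tenant-id" and not GUID.match(value):
                findings.append((name, f"--{flag} is not a GUID"))
    return findings

# Constructed sample; real input comes from `kubectl config view --raw -o json`.
def _user(name, *args):
    return {"name": name, "user": {"exec": {"command": "kubelogin", "args": list(args)}}}
SAMPLE = json.dumps({"users": [
    _user("good-spn", "get-token", "--server-id", "11111111-1111-1111-1111-111111111111",
          "--client-id", "22222222-2222-2222-2222-222222222222",
          "--tenant-id", "33333333-3333-3333-3333-333333333333", "--login", "spn"),
    _user("bad-user", "get-token", "--server-id", "not-a-guid", "--login=devicecode")]})
print(check_kubeconfig(SAMPLE))
```

Pass `check_kubeconfig` the output of `kubectl config view --raw -o json`. That output can include the service principal secret, so avoid writing it to disk or shared logs.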