kubelogin not found error while client reading kubeconfig file

[ravihooda155]

On using python client in azure function to do custom operation on k8s object in azure cluster and
Azure cluster config is configured to use kubelogin for auth via service principal.

"kubelogin" not found error thrown post using standard python client for doing custom operation.

Is there any fix for using python client using kubeconfig having kubelogin as auth mechanism via service principal ?
or there are separate apis for that ?

Kubernetes version (kubectl version): 1.26
OS (e.g., MacOS 10.13.6): linux
Python version (python --version): 3.10

[roycaihw]

/kind feature

Currently Azure kubelogin is not supported.

/help

[k8s-ci-robot]

@roycaihw:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/kind feature

Currently Azure kubelogin is not supported.

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[SimardeepSingh-zsh]

The error you're encountering, "kubelogin not found," suggests that your Azure Function environment doesn't have the necessary tools or configurations to perform authentication via kubeconfig with kubelogin as the authentication mechanism.

Kubelogin is typically a command-line tool used to interact with Kubernetes clusters that are configured for token-based authentication, which is often used with Azure Kubernetes Service (AKS). To resolve this issue and use Python to interact with a Kubernetes cluster via kubeconfig and kubelogin, you can follow these steps:

Check Dependencies: Ensure that the Azure Function environment has the necessary dependencies installed, including the kubectl and kubelogin command-line tools. These tools are required for authentication and interaction with the Kubernetes cluster.

Use Azure Managed Identity: Azure Functions can take advantage of managed identities. You can associate your Azure Function with a managed identity and grant that identity the necessary permissions to access your AKS cluster. This eliminates the need for manual authentication via kubeconfig and kubelogin.

Authenticate with Azure AD: If your AKS cluster is configured to use Azure AD integration, you can authenticate to the cluster using Azure AD credentials. You would need to use the Azure Identity SDK for Python to obtain tokens for authentication. The tokens can then be used in your Python code to interact with the AKS cluster.

Here's a high-level overview of how you can use managed identities or Azure AD authentication in an Azure Function to interact with a Kubernetes cluster:

Managed Identity Approach:

Assign a managed identity to your Azure Function.
Grant the managed identity appropriate RBAC (Role-Based Access Control) permissions on your AKS cluster.
In your Azure Function code, use the managed identity to authenticate to the AKS cluster.
Azure AD Authentication Approach:

Configure Azure AD integration for your AKS cluster.
Use the Azure Identity SDK for Python to obtain an access token for Azure AD authentication.
Use the obtained access token in your Python code to authenticate and interact with the AKS cluster.
The specific implementation details will depend on your Azure Function and AKS configuration, so you may need to refer to the Azure documentation and the Azure SDK for Python (azure-identity package) for more information and code examples.

By following these approaches, you can securely authenticate and interact with your AKS cluster from your Azure Function without the need for kubelogin in your Python code.

[brendandburns]

Just to add some clarity. kubelogin is an exec auth provider, which as far as I know is supported by Python. The trouble is that the kubelogin binary is not present in the Azure functions environment (which is to be expected for a function as a service environment). Using managed identity (as suggested above) is the right solution for Azure functions, but kubelogin should work in an environment (e.g, container or desktop) where the kubelogin binary is installed.