question

MikePfaffenberger-4099 avatar image
0 Votes"
MikePfaffenberger-4099 asked srbose-msft commented

AKS and Python kubernetes_asyncio

Hi all,

I am trying to use the library dask-kubernetes to orchestrate running a Dask cluster on AKS. Under the hood, dask-kubernetes uses the Python library kubernetes_asyncio, which is simply just an async version of the Python kubernetes library.

Unfortunately, the kubernetes_asyncio library does not support Azure Token based authentication for authenticating with k8s, while the non-async version of the library does -- but dask-kubernetes is heavily tied to the asyncio version.

Is there any way to authenticate with an AKS cluster using one of the following authentication protocols?

  • user-token

  • oidc-token

  • user-password

Thank you in advance!

azure-kubernetes-service
· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@MikePfaffenberger-4099 , Thank you for your question.

Just to be sure, you want to authenticate "to" an AKS cluster from the kubernetes_asyncio based client right?

Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the Open ID connect documentation. From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster. For more information please check out this article.




0 Votes 0 ·

Yes! I want to authenticate "to" the AKS cluster from the asyncio client (running externally).

I'm not concerned with authenticating to the cluster while running something inside the cluster. That's working fine.

Appreciate the links, I will try to understand this a little more. So if I'm following you correctly, it seems like the Azure token based authentication is actually just OIDC with a bow tied on it... maybe I can trick kubernetes_asyncio into viewing it as an OIDC token?

0 Votes 0 ·

Wait, sorry... that article didn't contain the information I'm looking for.

To be perfectly clear -- kubernetes_asyncio does not support Azure AD tokens. While it will work with kubectl, it won't work with kubernetes_asyncio. I need to authenticate to the AKS cluster using an alternative means. Can you tell me if there's a way to do that?

Thank you.

0 Votes 0 ·
srbose-msft avatar image srbose-msft MikePfaffenberger-4099 ·

@MikePfaffenberger-4099 , Thank you for your response.

Based on the conversation here, it seems like Microsoft Authentication Library for Python (MSAL) can be a possible option, given that MSAL supports customized http client. This feature is still NOT directly about asynchronous in itself. But, it may theoretically make it possible to plug in an async http client.


0 Votes 0 ·

0 Answers