question

VigneshMurugan-8783 asked srbose-msft commented

Can we add a new user in AKS nodes (in an existing cluster) and set a password?

Hi all,

We are trying to create a user (non-root) in AKS nodes and trying to set a password, but we are getting a permission denied error while setting the password. Could you please assist us with this?





azure-kubernetes-service

@VigneshMurugan-8783, can you please check if the answer shared has addressed your question? Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.


1 Answer

srbose-msft answered srbose-msft edited

@VigneshMurugan-8783, thank you for sharing your concern. While we are investigating the possibility of using passwd on AKS nodes, here are two workarounds as of now:

  1. You can add the sha512 encrypted password manually to the /etc/shadow file.
    i. You can get the sha512 encrypted password using openssl passwd -6 -stdin, then type/paste your password, then ENTER, then Ctrl+D ("end of file"). No password will be seen in the process list and no password will be saved into shell history.
    ii. You can now copy the encrypted text.
    iii. Edit the /etc/shadow file as follows:
        • Go to the line that says something like demo:!:xxxxxx:x:xx:xx:xx::
        • Replace only the ! symbol with the copied encrypted text.

  2. If the AKS node pool is of type VirtualMachineScaleSets then:

        # Resolve the node resource group and the first scale set in it
        CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group <Resource-Group-Name> --name <Cluster-Name> --query nodeResourceGroup -o tsv)
        SCALE_SET_NAME=$(az vmss list --resource-group "$CLUSTER_RESOURCE_GROUP" --query '[0].name' -o tsv)
        # Set the user's credentials through the VMAccessForLinux extension
        az vmss extension set \
          --resource-group "$CLUSTER_RESOURCE_GROUP" \
          --vmss-name "$SCALE_SET_NAME" \
          --name VMAccessForLinux \
          --publisher Microsoft.OSTCExtensions \
          --version 1.4 \
          --protected-settings "{\"username\":\"demo\", \"password\":\"Your-Password\"}"
        # Apply the updated scale set model to the instances
        az vmss update-instances --instance-ids '*' \
          --resource-group "$CLUSTER_RESOURCE_GROUP" \
          --name "$SCALE_SET_NAME"

    Note: This will update the user credentials on all the nodes. If you want to update only one node, please replace the * in az vmss update-instances --instance-ids '*' with the Virtual Machine Scale Set instance number (instance numbers range between 0 and N-1 where N is the total number of scale set instances).

    Else, if the AKS node pool is of type AvailabilitySet then:

        # Resolve the node resource group, then update the user on one VM
        CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group <Resource-Group-Name> --name <Cluster-Name> --query nodeResourceGroup -o tsv)
        az vm user update \
          --resource-group "$CLUSTER_RESOURCE_GROUP" \
          --name VirtualMachineName \
          --username demo \
          --password Your-Password

    Important: Please replace Your-Password with a strong password.

Having said that, users added manually on the AKS nodes will not be persisted if the node undergoes a node image upgrade (which can also be part of an update operation on the AKS cluster, like node pool Kubernetes version upgrade, agent pool reconciliations, service principal profile refresh, certificate rotation) or if the node is destroyed during a scale down operation.


Hope this helps.

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
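
The manual /etc/shadow edit from workaround 1 can be scripted so that only the password field of the one account changes and the edit is refused unless that field is still `!`. This is an added example, not part of the original answer or of Microsoft's tooling; the function names `hash_password` and `set_shadow_hash` are hypothetical, and it assumes a POSIX shell with awk, grep, mktemp and an openssl that supports `passwd -6`.

```shell
#!/bin/sh
# Added example (not from the original answer): scripted form of workaround 1.
# Helper names are hypothetical; try it on a copy of the shadow file first.

# Print the SHA-512 crypt string for a password read from stdin, using the
# openssl invocation from the answer (nothing lands in argv or shell history).
hash_password() {
    openssl passwd -6 -stdin
}

# set_shadow_hash FILE USER HASH
# Replaces field 2 of USER's entry with HASH, only when that field is "!".
# Status: 0 ok, 2 bad hash format, 3 user not found, 4 field is not "!".
# The body is a subshell "( )": variables stay local and exit acts as return.
set_shadow_hash() (
    file=$1 user=$2 hash=$3
    # Accept only $6$<salt>$<86 chars>, the default output of openssl passwd -6.
    printf '%s\n' "$hash" |
        grep -Eq '^\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$' || exit 2
    current=$(awk -F: -v u="$user" \
        '$1 == u { print $2; f = 1 } END { exit !f }' "$file") || exit 3
    [ "$current" = "!" ] || exit 4
    tmp=$(mktemp) || exit 1
    # Pass the hash through the environment so it is not visible in awk's argv.
    # Only the matching line is rewritten; all other fields and lines are kept.
    SHADOW_HASH=$hash awk -F: -v OFS=: -v u="$user" \
        '$1 == u { $2 = ENVIRON["SHADOW_HASH"] } { print }' "$file" > "$tmp" &&
        cat "$tmp" > "$file"    # overwrite in place to keep owner and mode
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Usage on a node, as root, after backing up the file:
#   set_shadow_hash /etc/shadow demo "$(hash_password)"
```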
