Is Rotating The Service Principal Without Restarting AKS Nodes Possible?

Jamie W 21 Reputation points
2021-10-29T08:59:23.517+00:00

When following the steps in the Azure Kubernetes Service documentation to update/rotate the Service Principal, one of the steps carried out by the CLI utility involves restarting each Node in the cluster in a rolling fashion, I think twice per node. This caught me out by surprise the first time I rotated the keys on a cluster.

We use AKS to run a platform which relies on persistent TCP connections being formed from customer sites to AKS. If the node running that particular pod reboots (or indeed that pod restarts), the customer sites would automatically (re)connect to another node, but with the side effect of closing all sessions that customer might have open.

Completely appreciate this may not be possible but I'm wondering if there is a method to rotate the Service Principal in AKS without rebooting? Cheers!

Azure Kubernetes Service (AKS)

Accepted answer
    shiva patpi 13,141 Reputation points Microsoft Employee
    2021-10-29T18:15:09.237+00:00

    Hello @Jamie W ,
    Thanks for reaching out to Microsoft Q&A Platform. As of today, every service principal update will require a reboot of each worker node. When we update the AKS cluster with the new SP credentials, at first it will update the Master Node with the new client_secret. Then it will go to each node and update the config /etc/kubernetes/azure.json with the new secret. You can also manually log in to each node and update those attributes, but that is not a best practice, because the Master Node will still use the old password, which might lead to other consequences, e.g. any scale-up will come up with the old SP credentials.

    The azure.json config file looks like below:

    [image: example azure.json configuration file]

    Considering your customer scenario, you can probably renew the service principal for an extended period of time (for example 10 years) and do the update only once:
    az ad sp credential reset --name $SPID --years 10

    Kindly let us know if you have additional questions.

    Regards,
    Shiva.

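The answer above describes where the secret ends up (the control plane first, then /etc/kubernetes/azure.json on every node) and why a half-finished rotation is a problem. A practitioner doing this would want a way to confirm, after the rotation, that no node is still carrying the old secret, and to know well ahead of time when a long-lived credential expires. The script below is an added example written for this thread, not code from the Q&A or from Microsoft: it assumes the azure.json files have already been copied off each node (the collection step is not shown), compares SHA-256 fingerprints so the secret itself never lands in a report, and computes how many days remain on a credential's end date. The azure.json contents and dates are constructed samples.

```python
"""Audit AKS node credential files after a service principal rotation.

Added example for this thread; not from the original answer. Assumes the
/etc/kubernetes/azure.json contents below were collected from each node
beforehand. Field names aadClientId / aadClientSecret are the ones the Azure
cloud provider config uses; all values here are constructed samples.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List


def secret_fingerprint(secret: str) -> str:
    """Short SHA-256 digest of a secret, so reports never contain the secret itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def parse_azure_json(text: str) -> Dict[str, str]:
    """Pull the SP identity fields out of one node's azure.json."""
    cfg = json.loads(text)
    return {
        "client_id": cfg["aadClientId"],
        "secret_fp": secret_fingerprint(cfg["aadClientSecret"]),
    }


def stale_nodes(node_configs: Dict[str, str], expected_client_id: str,
                expected_secret: str) -> List[str]:
    """Return the nodes whose azure.json does not match the credential the
    cluster was rotated to (either a different app id or an old secret)."""
    expected_fp = secret_fingerprint(expected_secret)
    stale = []
    for node, text in node_configs.items():
        info = parse_azure_json(text)
        if info["client_id"] != expected_client_id or info["secret_fp"] != expected_fp:
            stale.append(node)
    return sorted(stale)


def days_until_expiry(end_date_iso: str, now: datetime) -> int:
    """Days left on a credential given its ISO-8601 end date (UTC 'Z' accepted)."""
    end = datetime.fromisoformat(end_date_iso.replace("Z", "+00:00"))
    return (end - now).days


def needs_attention(end_date_iso: str, now: datetime, warn_days: int = 30) -> bool:
    """True when the credential is already expired or inside the warning window."""
    return days_until_expiry(end_date_iso, now) <= warn_days


def _sample_azure_json(client_id: str, secret: str) -> str:
    # Constructed azure.json body with the fields relevant to this check.
    return json.dumps({
        "cloud": "AzurePublicCloud",
        "tenantId": "00000000-0000-0000-0000-00000000tnnt",
        "subscriptionId": "00000000-0000-0000-0000-00000000subs",
        "aadClientId": client_id,
        "aadClientSecret": secret,
        "resourceGroup": "MC_example_rg",   # placeholder node resource group
    })


# Constructed sample: the cluster was rotated to NEW_SECRET, but one node
# (say, one that was cordoned during the rotation) still holds the old value.
SP_APP_ID = "11111111-2222-3333-4444-555555555555"   # placeholder app id
NEW_SECRET = "new-secret-value-constructed"
OLD_SECRET = "old-secret-value-constructed"
NODE_CONFIGS = {
    "aks-nodepool1-0": _sample_azure_json(SP_APP_ID, NEW_SECRET),
    "aks-nodepool1-1": _sample_azure_json(SP_APP_ID, OLD_SECRET),
    "aks-nodepool1-2": _sample_azure_json(SP_APP_ID, NEW_SECRET),
}
# Constructed credential end date: ten years after the rotation date.
CREDENTIAL_END = "2031-10-29T00:00:00Z"
ROTATION_DAY = datetime(2021, 10, 29, tzinfo=timezone.utc)


def audit() -> Dict[str, object]:
    """Run both checks over the sample data and return a report dict."""
    return {
        "stale_nodes": stale_nodes(NODE_CONFIGS, SP_APP_ID, NEW_SECRET),
        "days_left": days_until_expiry(CREDENTIAL_END, ROTATION_DAY),
        "rotate_soon": needs_attention(CREDENTIAL_END, ROTATION_DAY),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Feed `stale_nodes` the real files (one per node) and the app id and secret you rotated to; an empty list means every node picked up the new credential. The expiry check is the companion to the ten-year suggestion in the answer: a credential that long-lived is easy to forget, so schedule `needs_attention` to run from wherever you already monitor the cluster.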
