Login Modes
Most of the interaction with kubelogin is through the convert-kubeconfig subcommand. It reads the input kubeconfig given by --kubeconfig or by the KUBECONFIG environment variable and rewrites it into the final kubeconfig in exec format, according to the login mode you specify. This section explains the login modes in detail.
How Login Works
The login modes that kubelogin implements are Azure AD (AAD) OAuth 2.0 token grant flows.
Throughout the kubelogin subcommands you will see the following common flags. In general, these flags are already set up in the kubeconfig you get from AKS.
- `--tenant-id`: the Azure AD tenant ID.
- `--client-id`: the application ID of the public client application. This client app is only used in the device code, web browser interactive, and ropc login modes.
- `--server-id`: the application ID of the web app, or resource server. The token should be issued to this resource.
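To make the conversion concrete, the following Python snippet (an added illustration, not kubelogin's own converter) rewrites a kubeconfig user entry from the legacy kubectl azure auth-provider form into the exec form that kubelogin get-token is invoked with, carrying the three flags above and enforcing that the client ID is present for the device code, interactive and ropc modes. The legacy key names (apiserver-id, client-id, tenant-id), the get-token argument layout and the sample GUIDs are assumptions, not taken from this page; the kubeconfig is handled as an already-parsed dict.

```python
"""Rewrite an AKS kubeconfig user entry into kubelogin's exec format.

Assumptions (not from the page): legacy auth-provider keys apiserver-id,
client-id, tenant-id; get-token flags --login/--server-id/--client-id/
--tenant-id; the --login values devicecode, interactive and ropc.
"""
import copy

# Login modes named on the page whose public client app needs --client-id.
MODES_USING_CLIENT_ID = {"devicecode", "interactive", "ropc"}

# Constructed sample: one user entry as the legacy azure auth-provider wrote it.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "users": [{
        "name": "clusterUser_rg_aks",
        "user": {"auth-provider": {"name": "azure", "config": {
            "apiserver-id": "00000000-0000-0000-0000-00000000aaaa",  # placeholder
            "client-id": "00000000-0000-0000-0000-00000000bbbb",     # placeholder
            "tenant-id": "00000000-0000-0000-0000-00000000cccc",     # placeholder
        }}},
    }],
}

def convert_user(user, login_mode):
    """Return an exec-format user entry for one legacy azure auth-provider user."""
    provider = user.get("auth-provider")
    if not provider or provider.get("name") != "azure":
        return user  # not an azure entry: leave it untouched
    cfg = provider["config"]
    # The token must be issued to the resource server, so server-id is mandatory.
    args = ["get-token", "--login", login_mode,
            "--server-id", cfg["apiserver-id"],
            "--tenant-id", cfg["tenant-id"]]
    if login_mode in MODES_USING_CLIENT_ID:
        if not cfg.get("client-id"):
            raise ValueError(f"{login_mode} login requires a client-id")
        args += ["--client-id", cfg["client-id"]]
    return {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "kubelogin",
        "args": args,
    }}

def convert_kubeconfig(kubeconfig, login_mode):
    """Return a copy of kubeconfig with every azure auth-provider user converted."""
    out = copy.deepcopy(kubeconfig)
    for entry in out.get("users", []):
        entry["user"] = convert_user(entry["user"], login_mode)
    return out
```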
References
- https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-oauth2
- https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
- https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
- https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
- https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc