Using Azure Arc to securely connect to Kubernetes Clusters

One of the new capabilities that Microsoft has introduced for Azure Arc is Cluster Connect for Kubernetes, which allows us to securely connect to any Kubernetes cluster that is linked to Azure Arc. This requires that your Kubernetes cluster is already linked to Azure Arc, which you can read more about here: Getting started with Azure Defender and Azure Monitor for Kubernetes using Azure Arc | Marius Sandbu (msandbu.org)

This is done through the cluster connect agent, which runs within the Azure Arc namespace (so it is already present once you enable Azure Arc on a Kubernetes cluster). The agent communicates back to Azure through Service Bus using a reverse communication flow, meaning the cluster initiates the connection outbound rather than exposing the Kube API to inbound traffic.

This feature also lets us put the Kube API behind Azure Active Directory authentication; service account tokens are supported as well, and both are simple to configure.

The flow is that you first sign in to Azure CLI with your Azure AD credentials; Azure Resource Manager roles then determine whether you should have access to the Kubernetes environment. This means that to run kubectl commands you first need to authenticate with Azure CLI.

First, install the connectedk8s extension in your Azure CLI environment:

az extension add --name connectedk8s

Next, enable the proxy service (the cluster-connect feature) for the Azure Arc enabled cluster:

az connectedk8s enable-features --features cluster-connect -n <clusterName> -g <resourceGroupName>

Then add the required users to the Kubernetes environment before you enable remote access, by creating a new admin-user-binding. If more users should have access to the Kubernetes cluster, run this command once for each user.

kubectl create clusterrolebinding admin-user-binding --clusterrole cluster-admin --user=<testuser>@<mytenant.onmicrosoft.com>

Once that is done, you can connect to the Kubernetes environment from any device with Azure CLI using this command:

az connectedk8s proxy -n <cluster-name> -g <resource-group-name>

This starts the proxy and creates a new local kube.config file that points to the proxy connection.

Then, in a separate window, run kubectl to interact with the cluster directly through the Azure CLI proxy.
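The whole procedure above as one shell script, an added example that is not from the original post. It validates the cluster name, resource group and user principal names before they reach az and kubectl, runs every command through a DRY_RUN switch so the exact commands can be reviewed before anything executes, and gives each user a distinct binding name (a choice made here; the post uses admin-user-binding for every user) so that kubectl create does not fail with AlreadyExists on the second user. The cluster name, resource group and users in the usage line are constructed placeholders; with DRY_RUN=0 the script assumes az, kubectl and an existing admin kubeconfig for the cluster are available, since the clusterrolebinding has to be created before the proxy exists.

```shell
#!/bin/sh
# Added example (not from the original post): the Cluster Connect onboarding
# steps wrapped in one script with input validation and a dry-run switch.
# Assumes: az CLI, kubectl and an admin kubeconfig for the cluster are
# available when DRY_RUN=0. All names below are constructed placeholders.

DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands, 0 = run them
ROLE="${ROLE:-cluster-admin}"      # clusterrole bound to each user (post uses cluster-admin)

# Execute a command, or print it prefixed with DRY-RUN when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Azure resource names: letters, digits, '.', '_' and '-' only; empty rejected.
valid_resource_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A user principal name for the binding must look like user@tenant.domain,
# with no whitespace and exactly one '@'.
valid_upn() {
    case "$1" in
        ''|*' '*|*@*@*) return 1 ;;
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Derive a per-user, Kubernetes-safe binding name from the UPN, e.g.
# testuser@mytenant.onmicrosoft.com -> arc-testuser-mytenant-onmicrosoft-com
binding_name() {
    printf 'arc-%s' "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9' '-')"
}

# onboard <cluster> <resource-group> <upn> [<upn> ...]
onboard() {
    [ "$#" -ge 3 ] || { echo "usage: onboard <cluster> <rg> <upn>..." >&2; return 1; }
    cluster="$1"; rg="$2"; shift 2
    valid_resource_name "$cluster" || { echo "invalid cluster name: $cluster" >&2; return 1; }
    valid_resource_name "$rg" || { echo "invalid resource group: $rg" >&2; return 1; }
    for u in "$@"; do
        valid_upn "$u" || { echo "invalid user principal name: $u" >&2; return 1; }
    done

    # Step 1: Azure CLI extension for Arc-enabled Kubernetes
    run az extension add --name connectedk8s
    # Step 2: enable the Cluster Connect (proxy) feature on the Arc resource
    run az connectedk8s enable-features --features cluster-connect -n "$cluster" -g "$rg"
    # Step 3: one clusterrolebinding per user (needs an existing admin kubeconfig)
    for u in "$@"; do
        run kubectl create clusterrolebinding "$(binding_name "$u")" \
            --clusterrole "$ROLE" --user="$u"
    done
    # Step 4 is interactive: the proxy stays in the foreground in its own window
    echo "Next, in a separate terminal: az connectedk8s proxy -n $cluster -g $rg"
    echo "Then in this one: kubectl get nodes"
}

# Usage with constructed placeholder values; export DRY_RUN=0 to execute for real.
onboard my-arc-cluster my-resource-group testuser@mytenant.onmicrosoft.com
```

Run it once with the default DRY_RUN=1 and compare the printed commands against the four steps above; if a name fails validation the script stops before any az or kubectl call is made. Setting ROLE to a narrower clusterrole than cluster-admin is the one knob worth changing for users who only need read access.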
