Comments (10)

markszabo commented on July 26, 2024

Thanks for the help, I'll close this now.

from kubelogin.

weinong commented on July 26, 2024

Hi @markszabo , I'd not recommend using that pair of AAD apps for non-AKS clusters as your scenario may be impacted if there is any change to these AAD app configurations (e.g. token format). It's harder to comment on whether there is any security concern as the verification of the token is your server's responsibility.

markszabo commented on July 26, 2024

Thanks @weinong ! Does this mean that kubelogin only supports AKS clusters?

Btw I'm using an EKS cluster configured to use AAD as an OIDC IDP which is similar to configuring a self-managed k8s cluster with the --oidc-issuer-url and --oidc-client-id flags for the API server.

weinong commented on July 26, 2024

you can still use kubelogin for any k8s with AAD. Just need to use your own AAD applications. It'd be appreciated if you can help update the doc here once you sort out the configuration!

markszabo commented on July 26, 2024

I'm sorry, I believe I wasn't clear about which AAD applications I meant. So this is my current setup:

  1. Create a new Azure AD Enterprise Application and corresponding App Registration. Configure it to have the Allow public client flows checked. Take a note of the directory (tenant) ID as $AAD_TENANT_ID and the application (client) ID as $AAD_CLIENT_ID
  2. Configure the kubernetes API server to use AAD as an OIDC provider:
    • Issuer URL: --oidc-issuer-url=https://sts.windows.net/$AAD_TENANT_ID
    • Client ID: --oidc-client-id=$AAD_CLIENT_ID
    • Username claim: --oidc-username-claim=upn
  3. Configure kubelogin to use the application from the first step:
kubectl config set-credentials "azure-user" \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubelogin \
  --exec-arg=get-token \
  --exec-arg=--environment \
  --exec-arg=AzurePublicCloud \
  --exec-arg=--server-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--client-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--tenant-id \
  --exec-arg=$AAD_TENANT_ID

Then use it to connect to a cluster:

kubectl config set-context "$CLUSTER_NAME" --cluster="$CLUSTER_NAME" --user=azure-user
kubectl config use-context "$CLUSTER_NAME"

So I don't mean to use the 6dae42f8-4368-4678-94ff-3960e28e3630 application for anything. What I was wondering is whether it is okay to use the AAD application (created by me) for both --server-id and --client-id. Functionally it works (I can authenticate to the cluster and groups are also passed), but I don't really understand the reason for having two applications in the first place, and I wanted to make sure it is really okay to use it like this.

I'm really happy to help document this once we figure it out.

weinong commented on July 26, 2024

Oh, I see. Sorry that I misunderstood it. What you describe is just fine in the oidc world. What's configured in AKS is webhook authentication which is more like OAuth Authorization flow such that Server app has its credential to make Graph api query to find out your AAD groups. So if it's uncommon to have more than 200 groups in your organization, the generic oidc provider from k8s would work.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims

markszabo commented on July 26, 2024

Awesome, thank you very much! Considering that there was another issue about limited non-AKS documentation (#51), I think documenting this information would be useful. If you agree, I'm happy to summarize this and send a PR. Do you have any preference on where this info should go? I'm thinking about a new section in the readme, titled something like Non-AKS cluster setup, maybe right before the last Contributing section?

weinong commented on July 26, 2024

SGTM. Thanks for the contribution!

marratj commented on July 26, 2024

@weinong Sorry for stepping into this closed issue, but is there any way to configure non-AKS clusters (i.e. self-hosted ones) to also use webhook authentication instead of pure OIDC so that we can get around the 200 groups limit in the ID token?

The normal OIDC implementation in Kubernetes does not seem to support the distributed groups claim to look up a user's groups when they are a member of more than 200 groups.

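Added example (not code from the kubelogin project or from anyone in this thread): an offline check that mirrors what the API server's OIDC authenticator does with the setup above (issuer equals --oidc-issuer-url, audience equals --oidc-client-id, username taken from upn) and that flags the group-overage case discussed here, where AAD replaces the groups claim with a _claim_names/_claim_sources pointer that the Kubernetes OIDC authenticator does not resolve. The tenant and client IDs, the sample tokens and the Graph endpoint are constructed placeholders; signature verification is deliberately out of scope and stays with the API server.

```python
import base64
import json

# Constructed placeholders standing in for the thread's $AAD_TENANT_ID and
# $AAD_CLIENT_ID (the single app used for both --server-id and --client-id).
AAD_TENANT_ID = "00000000-0000-0000-0000-000000000000"
AAD_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER_URL = f"https://sts.windows.net/{AAD_TENANT_ID}"  # --oidc-issuer-url


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_fixture_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature segment (offline fixture)."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), ""])


def decode_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature; the API server
    verifies it against the issuer's JWKS and this check must not replace that."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    body = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(body))


def check_token(token: str, issuer=ISSUER_URL, client_id=AAD_CLIENT_ID) -> dict:
    """Mirror the --oidc-issuer-url / --oidc-client-id / --oidc-username-claim=upn
    checks and report whether the groups claim was replaced by a Graph pointer."""
    c = decode_payload(token)
    aud = c.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return {
        # AAD v1 tokens carry a trailing slash in iss; compare normalized.
        "issuer_ok": (c.get("iss") or "").rstrip("/") == issuer.rstrip("/"),
        "audience_ok": client_id in aud,
        "username": c.get("upn"),
        "groups": c.get("groups", []),
        # Over the group limit AAD omits 'groups' and points to Graph instead;
        # a user in this state reaches the API server with no groups at all.
        "groups_truncated": "groups" in c.get("_claim_names", {}),
    }


# Constructed sample tokens: a normal one and a group-overage one.
NORMAL = make_fixture_token({"iss": ISSUER_URL + "/", "aud": AAD_CLIENT_ID,
                             "upn": "alice@example.com", "groups": ["g1", "g2"]})
OVERAGE = make_fixture_token({"iss": ISSUER_URL + "/", "aud": AAD_CLIENT_ID,
                              "upn": "bob@example.com",
                              "_claim_names": {"groups": "src1"},
                              "_claim_sources": {"src1": {"endpoint": "https://graph.example/"}}})
```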
weinong commented on July 26, 2024

@marratj I'd recommend using https://github.com/kubeguard/guard as the authentication webhook server. In fact, it's used by AKS as well. Let me know if you have issue configuring it.
