Comments (10)
Thanks for the help, I'll close this now.
Hi @markszabo , I'd not recommend using those pair of AAD app for non-AKS clusters as your scenario may be impacted if there is any change to these AAD app configuration (e.g. token format). It's harder to comment on whether there is any security concern as the verification of the token is your server's responsibility.
Thanks @weinong ! Does this mean that kubelogin only supports AKS clusters?
Btw I'm using an EKS cluster configured to use AAD as an OIDC IDP which is similar to configuring a self-managed k8s cluster with the `--oidc-issuer-url` and `--oidc-client-id` flags for the API server.
you can still use kubelogin for any k8s with AAD. Just need to use your own AAD applications. It'd be appreciated if you can help update the doc here once you sort out the configuration!
I'm sorry, I believe I wasn't clear about which AAD applications I meant. So this is my current setup:
- Create a new Azure AD Enterprise Application and corresponding App Registration. Configure it to have the `Allow public client flows` checked. Take a note of the directory (tenant) ID as `$AAD_TENANT_ID` and the application (client) ID as `$AAD_CLIENT_ID`
- Configure the kubernetes API server to use AAD as an OIDC provider:
  - Issuer URL: `--oidc-issuer-url=https://sts.windows.net/$AAD_TENANT_ID`
  - Client ID: `--oidc-client-id=$AAD_CLIENT_ID`
  - Username claim: `--oidc-username-claim=upn`
- Configure `kubelogin` to use the application from the first step:

```shell
kubectl config set-credentials "azure-user" \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubelogin \
  --exec-arg=get-token \
  --exec-arg=--environment \
  --exec-arg=AzurePublicCloud \
  --exec-arg=--server-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--client-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--tenant-id \
  --exec-arg=$AAD_TENANT_ID
```

Then use it to connect to a cluster:

```shell
kubectl config set-context "$CLUSTER_NAME" --cluster="$CLUSTER_NAME" --user=azure-user
kubectl config use-context "$CLUSTER_NAME"
```

So I don't mean to use the `6dae42f8-4368-4678-94ff-3960e28e3630` application for anything. What I was wondering is whether it is okay to use the AAD application (created by me) for both `--server-id` and `--client-id`. Functionally it works (I can authenticate to the cluster and groups are also passed), but I don't really understand the reason for having two applications in the first place, and I wanted to make sure it is really okay to use it like this.
I'm really happy to help document this once we figure it out.
Oh, I see. Sorry that I misunderstood it. What you describe is just fine in the oidc world. What's configured in AKS is webhook authentication which is more like OAuth Authorization flow such that Server app has its credential to make Graph api query to find out your AAD groups. So if it's uncommon to have more than 200 groups in your organization, the generic oidc provider from k8s would work.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
Awesome, thank you very much! Considering that there was an other issue about limited non-AKS documentation (#51), I think documenting this information would be useful. If you agree, I'm happy to summarize this and send a PR. Do you have any preference on where this info should go? I'm thinking about a new section to the readme, titled something like `Non-AKS cluster setup`, maybe right before the last `Contributing` section?
SGTM. Thanks for the contribution!
@weinong Sorry for stepping into this closed issue, but is there any way to configure non-AKS clusters (i.e. self-hosted ones) to also use webhook authentication instead of pure OIDC so that we can get around the 200 groups limit in the ID token?
The normal OIDC implementation in Kubernetes does not seem to support the distributed groups claim to look up a user's groups when they are member of more than 200 groups.
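Two points in this thread are easy to get wrong when wiring AAD to a non-AKS API server: the `aud` claim of the ID token must be the value given to `--oidc-client-id` (which is why the same app ID is passed as both `--server-id` and `--client-id` above), and an ID token for a user in more than 200 groups carries no `groups` claim at all, only a `_claim_names`/`_claim_sources` pointer to Graph that plain Kubernetes OIDC does not follow. The script below is an added example, not code from kubelogin or from this thread; it mirrors the checks an API server makes under `--oidc-issuer-url`, `--oidc-client-id` and `--oidc-username-claim=upn`, and rejects the overage case explicitly instead of silently authenticating a user with an empty group list. It is built to run offline, so it signs with a constructed HS256 key; real AAD tokens are RS256 and must be verified against the issuer's JWKS. The tenant and client IDs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder IDs standing in for $AAD_TENANT_ID / $AAD_CLIENT_ID.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "00000000-0000-0000-0000-000000000002"
ISSUER = "https://sts.windows.net/" + TENANT_ID   # value of --oidc-issuer-url
USERNAME_CLAIM = "upn"                             # value of --oidc-username-claim
DEMO_KEY = b"offline-demo-key"                     # constructed; HS256 so this runs offline


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key=DEMO_KEY):
    """Build a compact JWT signed with HS256 (demo only; AAD signs with RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + body).encode(), hashlib.sha256).digest()
    return header + "." + body + "." + _b64url(sig)


def verify_token(token, key=DEMO_KEY, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    """Apply the API server's checks; return {"user", "groups"} or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:                    # token minted for another app must not be accepted
        raise ValueError("audience mismatch: token was not issued for this server")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    user = claims.get(USERNAME_CLAIM)
    if not user:
        raise ValueError("missing %s claim" % USERNAME_CLAIM)
    # AAD group overage: above 200 groups the groups claim is dropped and
    # _claim_names/_claim_sources point at Graph instead. Plain k8s OIDC does
    # not follow that pointer, so surface it rather than authorizing with no groups.
    if "groups" not in claims and "groups" in claims.get("_claim_names", {}):
        raise ValueError("group overage: groups must be resolved via Graph (webhook authn)")
    return {"user": user, "groups": list(claims.get("groups", []))}


def check(token, **kwargs):
    """Wrapper returning (accepted, identity-or-reason) for logging or tests."""
    try:
        return True, verify_token(token, **kwargs)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    now = int(time.time())
    ok = make_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 3600,
                     "upn": "alice@example.test", "groups": ["sre"]})
    print(check(ok))
    overage = make_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 3600,
                          "upn": "bob@example.test", "_claim_names": {"groups": "src1"},
                          "_claim_sources": {"src1": {"endpoint": "https://graph.example.test/"}}})
    print(check(overage))
```

The overage branch is the practical reason behind the guard/webhook suggestion that follows: a webhook authenticator holds its own credential and can resolve the user's groups from Graph, whereas an OIDC-only API server has nothing to work with once the `groups` claim is gone.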
@marratj I'd recommend using https://github.com/kubeguard/guard as the authentication webhook server. In fact, it's used by AKS as well. Let me know if you have issue configuring it.