OIDC via Azure EntraID #1145

Open
Schluggi opened this issue Sep 23, 2024 · 0 comments
Labels
question Further information is requested

Comments

@Schluggi

I am trying to connect my k8s cluster to Azure EntraID as an OIDC provider.

I followed this guide, created an Azure App and configured the kube-apiserver as shown here:

$ cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep oidc
    - --oidc-client-id=<client-id>
    - --oidc-groups-claim=roles
    - '--oidc-groups-prefix=oidc:'
    - --oidc-issuer-url=https://login.microsoftonline.com/<tenant-id>/v2.0
    - --oidc-signing-algs=RS256
    - --oidc-username-claim=upn
    - --oidc-username-prefix=-

I want to use roles instead of groups, so I added --oidc-groups-claim=roles.

On the client side I was able to run this command:

kubectl-oidc_login get-token --oidc-issuer-url=https://login.microsoftonline.com/<tenant-id>/v2.0 --oidc-client-id=<client-id> --oidc-client-secret=<client-secret>

The ID token I got has no groups key but a roles key (as expected).

{
  [...],
  "roles": [
    "K8S_Dev_Admin"
  ],
  [...]
}

Now the issue I have:
I modified my local kube-config as well to connect to the cluster:

[...]
- name: dev-k8s
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://login.microsoftonline.com/<tenant-id>/v2.0
      - --oidc-client-id=<client-id>
      - --oidc-client-secret=<client-secret>
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false

But now I get this message when I try to authenticate (via kubectl get nodes, for example):

E0923 13:55:35.945610  249237 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0923 13:55:36.363502  249237 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0923 13:55:36.591913  249237 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0923 13:55:36.826208  249237 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0923 13:55:37.051483  249237 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
error: You must be logged in to the server (the server has asked for the client to provide credentials)

I mean, the error message is right: there is no group list inside the token, but it shouldn't be needed/expected in the first place. Any idea how to fix it?

Your environment

  • Client-OS: WSL2 / Ubuntu 22.04
  • kubelogin version: v1.28.1
  • kubectl version: v1.29.7
  • OpenID Connect provider: Microsoft Azure
@Schluggi Schluggi added the question Further information is requested label Sep 23, 2024
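The apiserver's "the server has asked for the client to provide credentials" response does not say which of its OIDC checks failed. As an added troubleshooting aid (not part of the issue, kubelogin or Kubernetes), the script below decodes an ID token and runs the same claim checks kube-apiserver applies against the --oidc-* flags quoted above: signing algorithm, issuer, audience, expiry, presence of the username claim and the type of the groups claim. The token is constructed with a dummy signature and, as an illustration of what a finding looks like, deliberately carries roles but no upn claim.

```python
import base64
import json
import time

# kube-apiserver --oidc-* flags from the manifest in the issue (placeholders kept as-is).
APISERVER_FLAGS = {
    "client-id": "<client-id>",
    "groups-claim": "roles",
    "issuer-url": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "signing-algs": "RS256",
    "username-claim": "upn",
}

def decode_jwt_unverified(token):
    """Decode JWT header and payload for inspection only; signature checking is the apiserver's job."""
    def b64url_json(part):
        return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    header, payload, _sig = token.split(".")
    return b64url_json(header), b64url_json(payload)

def check_token_against_flags(token, flags, now=None):
    """List the claim checks that fail against the apiserver flags; [] means the claims line up."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    problems = []
    if header.get("alg") not in flags.get("signing-algs", "RS256").split(","):
        problems.append(f"alg {header.get('alg')!r} not in --oidc-signing-algs")
    if claims.get("iss") != flags["issuer-url"]:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url")
    aud = claims.get("aud", [])
    if flags["client-id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain --oidc-client-id")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired (exp)")
    if flags["username-claim"] not in claims:
        problems.append(f"username claim {flags['username-claim']!r} missing")
    groups = claims.get(flags.get("groups-claim", "groups"))  # absent groups claim is allowed
    if groups is not None and not isinstance(groups, (str, list)):
        problems.append("groups claim is neither a string nor a list of strings")
    return problems

def make_test_jwt(payload, alg="RS256"):
    """Constructed token with a dummy signature, for offline testing of the claim checks only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(payload)}.dummy-signature"

# Constructed sample resembling the issue's token: issuer, audience and roles match, but no 'upn'.
SAMPLE_CLAIMS = {"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0", "aud": "<client-id>",
                 "exp": 4102444800, "roles": ["K8S_Dev_Admin"]}  # exp is 2100-01-01, never expires
```

Paste a real token from kubectl oidc-login get-token into make_test_jwt's place and the same checks apply; the script never validates the signature, so treat it as a claims inspector, not an authenticator.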