Updated Readme for Azure (OIDC) auth provider #58752
Conversation
k8s-ci-robot
added
release-note-none
|
Hi @puja108. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
| @@ -45,4 +46,4 @@ This plugin provides an integration with Azure Active Directory device flow. If | |||
| To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate. | |||
There was a problem hiding this comment.
Actually, this step in the setup in my case could only be done on Windows. However, that was because of some iOS specific settings in the ADFS (with which the AAD was connected) that were somehow also breaking Mac browsers. I'm not sure if I should mention that here, as it might just be a very specific edge case.
| @@ -21,8 +20,9 @@ This plugin provides an integration with Azure Active Directory device flow. If | |||
|
|
|||
| * Replace the `APISERVER_APPLICATION_ID` with the application ID of `apiserver` application | |||
| * Replace `TENANT_ID` with your tenant ID. | |||
| * For a list of alternative username claims that are supported by the OIDC issuer check the JSON response at `https://sts.windows.net/TENANT_ID/.well-known/openid-configuration`. | |||
There was a problem hiding this comment.
sub is a very cryptic ID, which is not nice to map in a binding.
|
/assign @liggitt |
| @@ -45,4 +46,6 @@ This plugin provides an integration with Azure Active Directory device flow. If | |||
| To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate. | |||
| ``` | |||
|
|
|||
| * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing next commands. | |||
| * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing further commands. | |||
| * The user name in Kubernetes will look like the following: `https://sts.windows.net/TENANT_ID/#username_claim`. If you are using any authorization method you need to give permissions to that user, e.g. by binding the user to a role in the case of RBAC. | |||
There was a problem hiding this comment.
Tried to keep this independent from specific authz method
feiskyer
removed
the
needs-ok-to-test
|
anything I can do here to push this forward? |
|
ping @liggitt @brendandburns |
| @@ -45,4 +46,6 @@ This plugin provides an integration with Azure Active Directory device flow. If | |||
| To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate. | |||
| ``` | |||
|
|
|||
| * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing next commands. | |||
| * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing further commands. | |||
| * The user name in Kubernetes will look like the following: `https://sts.windows.net/TENANT_ID/#username_claim`. If you are using any authorization method you need to give permissions to that user, e.g. by binding the user to a role in the case of RBAC. | |||
There was a problem hiding this comment.
The issuer prefix is actually optional now and can be omitted via the apiserver oidc username claim prefix flag
There was a problem hiding this comment.
I see. I had not seen issuer prefixing in testing OIDC before, so I thought it was AAD that was including the prefix. Most probably cause I was always using the email claim. Just saw that this is documented at https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server
I'll change this to make it more clear and link out to the source
|
|
||
| ## Usage | ||
|
|
||
| 1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration) | ||
| 1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration). The callback URL of your App needs to be set to the external URL of your Kubernetes API Server. |
There was a problem hiding this comment.
This surprises me… we don’t actually support redirecting to the apiserver for anything, right? @colemickens, was this how you configured stuff when you were adding this?
There was a problem hiding this comment.
I think @stuartleeks told me that it's needed. Might be to identify the caller not for actually calling back?
There was a problem hiding this comment.
@puja108 - apologies for any confusion. I don't believe that the callback URL is used in the auth flow that is used for RBAC, but Azure AD requires that something is specified in the field when you create the app so using the api server seems like a reasonable value as a way to mentally create a connection :-)
There was a problem hiding this comment.
Getting back to this, as this seem to be the last open comment. I tested this and it does not matter, just is nice to have a connection. However, in our case for example they want to use the same apps for a bunch of clusters, so I'll just change this so it says that the Callback URL does not matter, and you can put whatever you want that helps you make a connection.
|
Anything else I should do @liggitt? |
|
LGTM, needs squash |
Includes: * Added details and clarifications based on my experience * Some minor copy editing added note about resulting username fixing last list item clarficiation of resulting username mainly just refering to OIDC docs fixed comment about callback URL
|
squashed |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, puja108 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
When trying this documentation in the field, I ran into some issues based on details missing here. I got it working in the end with some help from @stuartleeks from Microsoft, this PR is to help others trying to set this up not have the same question marks I had.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):None AFAIK
Special notes for your reviewer:
Includes:
Not sure if this requires release notes, I consider it a very small change.
Release note: