kubelogin can be used to authenticate with Azure Arc-enabled clusters by requesting a proof-of-possession (PoP) token. This can be done by providing both of the following flags together:
--pop-enabled: indicates that kubelogin should request a PoP token instead of a regular bearer token
--pop-claims: is a comma-separated list of key=value claims to include in the PoP token. At minimum, this must include the u-claim as u=ARM_ID_OF_CLUSTER, which specifies the host that the requested token should allow access on.
These flags can be provided to either kubelogin get-token directly to get a PoP token, or to kubelogin convert-kubeconfig for kubectl to request the token internally.
PoP token requests only work with spn login modes; these flags will be ignored if provided for other login modes.
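Because the flags are ignored rather than rejected for other login modes, a preflight check is useful before calling kubelogin. The following is an added example, not part of kubelogin or its documentation: it refuses a --pop-claims value without a u-claim and a login mode that would ignore the flags. The function names and the POP_LOGIN_MODES variable are hypothetical, and the list of accepted modes is an assumption taken from the text above.

```shell
#!/bin/sh
# Added example, not kubelogin code. The default below mirrors this page's
# statement about which login modes honour the PoP flags (an assumption).
POP_LOGIN_MODES="${POP_LOGIN_MODES:-spn}"

# check_pop_claims CLAIMS
# Succeeds only for a comma-separated list of key=value pairs that
# contains a u-claim with a non-empty value.
check_pop_claims() {
    claims=$1 found_u=1 malformed=0
    case $claims in ''|*,) return 1 ;; esac   # empty list or trailing comma
    old_ifs=$IFS; IFS=,; set -f               # split on commas, no globbing
    for pair in $claims; do
        case $pair in
            u=?*) found_u=0 ;;                # mandatory host claim present
            ''|=*|*=) malformed=1 ;;          # empty item, key or value
            *=*) ;;                           # any other well-formed claim
            *) malformed=1 ;;                 # no '=' at all
        esac
    done
    IFS=$old_ifs; set +f
    [ "$malformed" -eq 0 ] && [ "$found_u" -eq 0 ]
}

# pop_args MODE CLAIMS
# Prints the PoP-related kubelogin flags, or fails with status 2 when the
# login mode would ignore them and 3 when the claims are unusable.
pop_args() {
    mode=$1
    case " $POP_LOGIN_MODES " in
        *" $mode "*) ;;
        *) echo "login mode '$mode': PoP flags would be ignored" >&2
           return 2 ;;
    esac
    check_pop_claims "$2" || {
        echo "--pop-claims needs key=value pairs including u=..." >&2
        return 3
    }
    printf '%s\n' "--login $mode --pop-enabled --pop-claims $2"
}

# Constructed sample: ARM_ID_OF_CLUSTER is the page's placeholder, not a real ID.
pop_args spn "u=ARM_ID_OF_CLUSTER"
```

The printed flags can be appended to a kubelogin get-token or kubelogin convert-kubeconfig invocation alongside the other options that command requires.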
This is the application used by the server side. The access token needs to be issued for this app to access a 1P Arc-enabled cluster.
This server app ID is a required parameter for web browser interactive login mode supporting PoP token authentication.
This is a 1P client application used by kubelogin to perform login on behalf of the user. It should be used for web browser interactive login mode when using PoP token authentication.