Setup k8s OIDC Provider using Azure AD
kubelogin can be used to authenticate to general kubernetes clusters using AAD as an OIDC provider.
-
Create an AAD Enterprise Application and the corresponding App Registration. Check the
Allow public client flowscheckbox. Configure groups to be included in the response. Take a note of the directory (tenant) ID as$AAD_TENANT_IDand the application (client) ID as$AAD_CLIENT_ID -
Configure the API server with the following flags:
- Issuer URL:
--oidc-issuer-url=https://sts.windows.net/$AAD_TENANT_ID/ - Client ID:
--oidc-client-id=$AAD_CLIENT_ID - Username claim:
--oidc-username-claim=upn
See the kubernetes docs for optional flags. For EKS clusters configure this on the Management Console or via terraform.
- Issuer URL:
-
Configure the Exec plugin with
kubeloginto use the application from the first step:kubectl config set-credentials "azure-user" \ --exec-api-version=client.authentication.k8s.io/v1beta1 \ --exec-command=kubelogin \ --exec-arg=get-token \ --exec-arg=--environment \ --exec-arg=AzurePublicCloud \ --exec-arg=--server-id \ --exec-arg=$AAD_CLIENT_ID \ --exec-arg=--client-id \ --exec-arg=$AAD_CLIENT_ID \ --exec-arg=--tenant-id \ --exec-arg=$AAD_TENANT_ID -
Use this credential to connect to the cluster:
kubectl config set-context "$CLUSTER_NAME" --cluster="$CLUSTER_NAME" --user=azure-user kubectl config use-context "$CLUSTER_NAME"