How do I configure kubernetes with oidc and azure apps to allow authentication only with a specified Security Group

9/24/2019

I'm trying to set up SSO between our (regular, not AKS) kubernetes clusters and Azure AD. Since I don't know how to forward the token to the kube-dashboard, I'm currently just trying with the kubectl binary installed on my computer. It works when no groups are involved, but we want to filter by security group (accounts on AAD are synced from our on-prem Active Directory), no kube RBAC involved.

The setup is inspired by https://medium.com/@olemarkus/using-azure-ad-to-authenticate-to-kubernetes-eb143d3cce10 and https://docs.microsoft.com/fr-fr/azure/aks/azure-ad-integration:

  • web app for the kube API server, configured to expose its API (add scope etc.), with app ID: abc123
  • native app for the kubectl client, configured with the addition of an API permission from the web app, with app ID: xyz456
  • kube API server YAML manifest, I add:

    - --oidc-client-id=spn:abc123
    - --oidc-issuer-url=https://sts.windows.net/OurAADTenantID

  • configure the kubectl binary:

    kubectl config set-cluster test-legacy-2 --server=https://192.168.x.y:4443 --certificate-authority=/somelocation/ca.pem
    kubectl config set-credentials USER@mydomain.com --auth-provider=azure --auth-provider-arg=environment=AzurePublicCloud --auth-provider-arg=client-id=xyz456 --auth-provider-arg=tenant-id=OurAADTenantID --auth-provider-arg=apiserver-id=abc123

Also, in the Azure client app manifest, I had to specify:

    "allowPublicClient": true,
    "oauth2AllowIdTokenImplicitFlow": true

Otherwise I got the error "Failed to acquire a token: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error". Found on https://github.com/MicrosoftDocs/azure-docs/issues/10326

Issues start when trying to filter on a security group that I find in the JWT, as per https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

I am receiving a format error even though the JWT Azure sends me does contain the groups in the right format (JSON array of strings).

Config:

  • In the Azure web app manifest, to have the groups in my JWT:

    "groupMembershipClaims": "SecurityGroup",

  • kube API server YAML manifest:

    - --oidc-groups-claim=groups
    - --oidc-required-claim=groups=bbc2eedf-79cd-4505-9fb4-39856ed3790e

with the string here being the GUID of my target security group.

I am receiving the error "You must be logged in to the server (Unauthorized)" in the output of kubectl, and the kube API server logs give me this: authentication.go:62] Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, oidc: parse claim groups: json: cannot unmarshal array into Go value of type string]]

But I don't understand why it is not happy, because when I decode the JWT I do have

"groups": [
    "00530f35-0013-4237-8947-6e3f6a7895ca",
    "bbc2eedf-79cd-4505-9fb4-39856ed3790e",
    "17dff614-fd68-4a38-906c-69561daec8b7"
  ],

which to my knowledge is a well-formatted JSON array of strings...

Why does the API server complain about the JWT?

-- GuiFP
azure
kubernetes
openid-connect
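The log line quoted in the question ("parse claim groups: json: cannot unmarshal array into Go value of type string") comes from the Go JSON decoder, and the simplest way to see why the token is rejected is to replay the two claim checks the apiserver performs. The Go program below is an added example written for this page, not the Kubernetes authenticator's own source and not code from the asker: it models --oidc-required-claim (decode the claim into a Go string, then compare) and --oidc-groups-claim (decode into a string slice) against a constructed, unsigned token that carries the same three group GUIDs as the post. Names such as CheckRequiredClaim, GroupsFromClaim and SampleToken are assumptions of this example, the issuer/audience values are the placeholders from the question, and the token is deliberately unsigned (alg "none") so the program runs offline; a real ID token must be signature-verified before any claim is trusted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// TargetGroup is the security group GUID the question tries to filter on.
const TargetGroup = "bbc2eedf-79cd-4505-9fb4-39856ed3790e"

// claims keeps every claim as raw JSON; individual claims are decoded on demand,
// which is where the apiserver's "cannot unmarshal array" error is produced.
type claims map[string]json.RawMessage

// BuildUnsignedToken assembles a constructed, unsigned compact JWT (alg "none")
// for demonstration only. Real tokens must be verified against the issuer's JWKS.
func BuildUnsignedToken(payload map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	// Empty third segment: no signature.
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."
}

// SampleToken is a constructed payload reproducing the part of the AAD token
// shown in the question (GUIDs copied from the post, other values are placeholders).
func SampleToken() string {
	return BuildUnsignedToken(map[string]interface{}{
		"iss": "https://sts.windows.net/OurAADTenantID",
		"aud": "spn:abc123",
		"upn": "USER@mydomain.com",
		"groups": []string{
			"00530f35-0013-4237-8947-6e3f6a7895ca",
			TargetGroup,
			"17dff614-fd68-4a38-906c-69561daec8b7",
		},
	})
}

// DecodePayload splits a compact JWT and base64url-decodes its payload segment.
// It does NOT verify the signature; it only models the claim-parsing step.
func DecodePayload(token string) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse payload: %w", err)
	}
	return c, nil
}

// CheckRequiredClaim models --oidc-required-claim=<name>=<value>: the claim is
// decoded into a Go string and compared, so a JSON array fails before comparison.
func CheckRequiredClaim(c claims, name, want string) error {
	raw, ok := c[name]
	if !ok {
		return fmt.Errorf("oidc: required claim %s not present in ID Token", name)
	}
	var got string
	if err := json.Unmarshal(raw, &got); err != nil {
		return fmt.Errorf("oidc: parse claim %s: %w", name, err)
	}
	if got != want {
		return fmt.Errorf("oidc: required claim %s value does not match", name)
	}
	return nil
}

// GroupsFromClaim models --oidc-groups-claim=<name>, which accepts either a
// JSON array of strings or a single string.
func GroupsFromClaim(c claims, name string) ([]string, error) {
	raw, ok := c[name]
	if !ok {
		return nil, nil
	}
	var list []string
	if err := json.Unmarshal(raw, &list); err == nil {
		return list, nil
	}
	var single string
	if err := json.Unmarshal(raw, &single); err != nil {
		return nil, fmt.Errorf("oidc: parse claim %s: %w", name, err)
	}
	return []string{single}, nil
}

// HasGroup is the membership test an authorizer (not the authenticator) applies.
func HasGroup(groups []string, want string) bool {
	for _, g := range groups {
		if g == want {
			return true
		}
	}
	return false
}

func main() {
	c, err := DecodePayload(SampleToken())
	if err != nil {
		panic(err)
	}
	fmt.Println("required-claim check:", CheckRequiredClaim(c, "groups", TargetGroup))
	groups, err := GroupsFromClaim(c, "groups")
	if err != nil {
		panic(err)
	}
	fmt.Println("groups-claim membership:", HasGroup(groups, TargetGroup))
}
```

Running it prints the same "json: cannot unmarshal array into Go value of type string" text for the required-claim path, while the groups-claim path decodes the array and finds the GUID: the token is fine, the flag simply cannot express "array contains value".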

1 Answer

11/14/2019

OK so, required claims must be a string, not an array of strings.

But I found a workaround.

  • Don't use oidc-groups-claim and oidc-required-claim.
  • In Azure, go to the Properties of the API server app.
  • Select Yes in "User assignment required".
  • In "Users and groups", add the specific Security Group you want to filter on.
  • To test: remove yourself from the Security Group.
  • Wait for the token to expire (in my case it was 1 hour).
  • You can't log in anymore.
-- GuiFP
Source: StackOverflow