I'm trying to set up SSO between our (regular, not AKS) Kubernetes clusters and Azure AD. Since I don't know how to forward the token to the kube-dashboard, I'm currently just trying with the kubectl binary installed on my computer. It works when no groups are involved, but we want to filter by security group (accounts on AAD are synced from our on-prem Active Directory), with no kube RBAC involved.
The setup is inspired by https://medium.com/@olemarkus/using-azure-ad-to-authenticate-to-kubernetes-eb143d3cce10 and https://docs.microsoft.com/fr-fr/azure/aks/azure-ad-integration:
- --oidc-client-id=spn:abc123
- --oidc-issuer-url=https://sts.windows.net/OurAADTenantID
kubectl config set-cluster test-legacy-2 --server=https://192.168.x.y:4443 --certificate-authority=/somelocation/ca.pem
kubectl config set-credentials USER@mydomain.com --auth-provider=azure --auth-provider-arg=environment=AzurePublicCloud --auth-provider-arg=client-id=xyz456 --auth-provider-arg=tenant-id=OurAADTenantID --auth-provider-arg=apiserver-id=abc123
Also, in the Azure client app manifest, I had to specify:
"allowPublicClient":true,
"oauth2AllowIdTokenImplicitFlow":true
Otherwise I had the error "Failed to acquire a token: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error". Found on https://github.com/MicrosoftDocs/azure-docs/issues/10326
The issues start when trying to filter on a security group that I find in the JWT, as per https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
I am receiving a format error even though the JWT Azure sends me does contain the groups in the right format (a JSON array of strings).
Config:
"groupMembershipClaims": "SecurityGroup",
- --oidc-groups-claim=groups
- --oidc-required-claim=groups=bbc2eedf-79cd-4505-9fb4-39856ed3790e
with the string here being the GUID of my target security group.
I am receiving "error: You must be logged in to the server (Unauthorized)" as the output of kubectl, and the kube-apiserver logs give me this:
authentication.go:62] Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, oidc: parse claim groups: json: cannot unmarshal array into Go value of type string]]
But I don't understand why it is not happy, because when I decode the JWT I do have
"groups": [
"00530f35-0013-4237-8947-6e3f6a7895ca",
"bbc2eedf-79cd-4505-9fb4-39856ed3790e",
"17dff614-fd68-4a38-906c-69561daec8b7"
],
which to my knowledge is a well-formatted JSON array of strings...
Why does the API server complain about the JWT?
OK so, required claims must be a string, not an array of strings.
But I found a workaround.
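To make the type mismatch behind the error concrete, here is an added illustration (not code from the question, and not the Kubernetes apiserver's own source) of the two different decodings involved. It reproduces the semantics the error message implies: a `--oidc-required-claim=<claim>=<value>` check decodes the claim into a single Go `string` and compares it, so an array-valued claim such as `groups` fails at the decode step with exactly the message seen in the apiserver log, while a string claim passes. The `hasGroup` function, by contrast, decodes the same claim as `[]string` and tests membership; it is shown only to contrast the two claim types, not as the workaround the answer refers to. The token payload is constructed from the GUIDs in the question and is not a real token; the function names and the `tid` claim are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// idTokenPayload is a constructed sample of the decoded JWT payload from the
// question: a "groups" claim that is a JSON array of group object IDs, plus a
// string-valued claim ("tid", assumed here for contrast). It is not a real token.
const idTokenPayload = `{
  "aud": "spn:abc123",
  "iss": "https://sts.windows.net/OurAADTenantID",
  "tid": "OurAADTenantID",
  "groups": [
    "00530f35-0013-4237-8947-6e3f6a7895ca",
    "bbc2eedf-79cd-4505-9fb4-39856ed3790e",
    "17dff614-fd68-4a38-906c-69561daec8b7"
  ]
}`

// claims keeps every claim as raw JSON so that each check decodes it into the
// Go type it expects; decoding an array into a string is what yields
// "json: cannot unmarshal array into Go value of type string".
type claims map[string]json.RawMessage

func parseClaims(payload string) (claims, error) {
	var c claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, fmt.Errorf("oidc: parse payload: %w", err)
	}
	return c, nil
}

// checkRequiredClaim models --oidc-required-claim=<claim>=<value>: the claim
// must be present and must decode as one JSON string equal to value. An
// array-valued claim fails at the decode step, before any comparison.
func checkRequiredClaim(c claims, claim, want string) error {
	raw, ok := c[claim]
	if !ok {
		return fmt.Errorf("oidc: required claim %s not present in ID token", claim)
	}
	var got string
	if err := json.Unmarshal(raw, &got); err != nil {
		return fmt.Errorf("oidc: parse claim %s: %w", claim, err)
	}
	if got != want {
		return fmt.Errorf("oidc: required claim %s value does not match. Got = %s, want = %s", claim, got, want)
	}
	return nil
}

// hasGroup decodes the claim named by --oidc-groups-claim as a list of strings
// and tests membership. This is the type the groups claim actually has, so the
// same token that fails checkRequiredClaim succeeds here.
func hasGroup(c claims, groupsClaim, groupID string) (bool, error) {
	raw, ok := c[groupsClaim]
	if !ok {
		return false, fmt.Errorf("oidc: claim %s not present in ID token", groupsClaim)
	}
	var groups []string
	if err := json.Unmarshal(raw, &groups); err != nil {
		return false, fmt.Errorf("oidc: parse claim %s: %w", groupsClaim, err)
	}
	for _, g := range groups {
		if g == groupID {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	c, err := parseClaims(idTokenPayload)
	if err != nil {
		panic(err)
	}
	target := "bbc2eedf-79cd-4505-9fb4-39856ed3790e"

	// --oidc-required-claim=groups=<GUID>: reproduces the error from the log.
	fmt.Println("required-claim on groups:", checkRequiredClaim(c, "groups", target))
	// --oidc-required-claim=tid=OurAADTenantID: a string-valued claim passes.
	fmt.Println("required-claim on tid:   ", checkRequiredClaim(c, "tid", "OurAADTenantID"))
	// Membership test on the array-valued groups claim.
	ok, err := hasGroup(c, "groups", target)
	fmt.Println("group membership:        ", ok, err)
}
```

Running it prints the same `oidc: parse claim groups: json: cannot unmarshal array into Go value of type string` text that appears in the apiserver log, while the `tid` check and the membership test succeed; the difference is purely the Go type each check decodes the claim into.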