github/client-go
1
0
Fork 0
mirror of https://github.com/kubernetes/client-go.git synced 2025-06-27 15:39:39 +00:00
Code Issues Projects Releases Wiki Activity

Updated Readme for Azure (OIDC) auth provider

Browse Source 
Includes:
* Added details and clarifications based on my experience
* Some minor copy editing

added note about resulting username

fixing last list item

clarficiation of resulting username

mainly just refering to OIDC docs

fixed comment about callback URL

Kubernetes-commit: 2709a7ee0d7d25463c9da00890a7b7db3e4419d1
This commit is contained in:
Puja 2018-01-24 15:34:03 +01:00 committed by Kubernetes Publisher
parent 94b05e5087
commit dcdb23334e
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
plugin/pkg/client/auth/azure/README.md
View File

@ -1,15 +1,14 @@
# Azure Active Directory plugin for client authentication # Azure Active Directory plugin for client authentication
This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and stored them in the kubectl configuration. In addition it will refresh and update the tokens in configuration when expired. This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and store them in the kubectl configuration. In addition it will refresh and update the tokens in the configuration when expired.
## Usage ## Usage
1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration) 1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration). The callback URL does not matter (just cannot be empty).
2. Create a second Azure Active Directory native application for `kubectl` 2. Create a second Azure Active Directory native application for `kubectl`. The callback URL does not matter (just cannot be empty).
3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes 3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes.
4. Configure the `apiserver` to use the Azure Active Directory as an OIDC provider with following options 4. Configure the `apiserver` to use the Azure Active Directory as an OIDC provider with following options
@ -21,8 +20,9 @@ This plugin provides an integration with Azure Active Directory device flow. If
* Replace the `APISERVER_APPLICATION_ID` with the application ID of `apiserver` application * Replace the `APISERVER_APPLICATION_ID` with the application ID of `apiserver` application
* Replace `TENANT_ID` with your tenant ID. * Replace `TENANT_ID` with your tenant ID.
  * For a list of alternative username claims that are supported by the OIDC issuer check the JSON response at `https://sts.windows.net/TENANT_ID/.well-known/openid-configuration`.
5. Configure the `kubectl` to use the `azure` authentication provider 5. Configure `kubectl` to use the `azure` authentication provider
``` ```
kubectl config set-credentials "USER_NAME" --auth-provider=azure \ kubectl config set-credentials "USER_NAME" --auth-provider=azure \
@ -36,6 +36,7 @@ This plugin provides an integration with Azure Active Directory device flow. If
* Replace `USER_NAME` and `TENANT_ID` with your user name and tenant ID * Replace `USER_NAME` and `TENANT_ID` with your user name and tenant ID
* Replace `APPLICATION_ID` with the application ID of your`kubectl` application ID * Replace `APPLICATION_ID` with the application ID of your`kubectl` application ID
* Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID
* Be sure to also (create and) select a context that uses above user
6. The access token is acquired when first `kubectl` command is executed 6. The access token is acquired when first `kubectl` command is executed
@ -45,4 +46,5 @@ This plugin provides an integration with Azure Active Directory device flow. If
To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate. To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate.
``` ```
* After signing in a web browser, the token is stored in the configuration, and it will be reused when executing next commands. * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing further commands.
* The resulting username in Kubernetes depends on your [configuration of the `--oidc-username-claim` and `--oidc-username-prefix` flags on the API server](https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server). If you are using any authorization method you need to give permissions to that user, e.g. by binding the user to a role in the case of RBAC.