diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index fe6afcf1..1c04196d 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -360,215 +360,215 @@
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/api/equality",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/api/errors",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/api/meta",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/api/resource",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/api/testing",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/api/testing/fuzzer",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/api/testing/roundtrip",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/apimachinery",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/apimachinery/announced",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/apimachinery/registered",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/fuzzer",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/internalversion",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1beta1",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/conversion",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/conversion/queryparams",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/fields",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/labels",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/runtime",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/runtime/schema",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/json",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/protobuf",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/recognizer",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/streaming",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/versioning",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/selection",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/types",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/cache",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/clock",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/diff",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/errors",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/framer",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/httpstream",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/intstr",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/json",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/mergepatch",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/net",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/remotecommand",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/runtime",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/sets",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/strategicpatch",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/validation",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/validation/field",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/wait",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/util/yaml",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/version",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/pkg/watch",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/third_party/forked/golang/json",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/third_party/forked/golang/netutil",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/apimachinery/third_party/forked/golang/reflect",
- "Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+ "Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 },
 {
 "ImportPath": "k8s.io/kube-openapi/pkg/util/proto",
diff --git a/plugin/pkg/client/auth/azure/README.md b/plugin/pkg/client/auth/azure/README.md
index 0b5e62bd..e4ba791e 100644
--- a/plugin/pkg/client/auth/azure/README.md
+++ b/plugin/pkg/client/auth/azure/README.md
@@ -1,15 +1,14 @@ # Azure Active Directory plugin for client authentication -This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and stored them in the kubectl configuration. In addition it will refresh and update the tokens in configuration when expired. - +This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and store them in the kubectl configuration. In addition it will refresh and update the tokens in the configuration when expired. ## Usage -1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration) +1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration). The callback URL does not matter (just cannot be empty). -2. Create a second Azure Active Directory native application for `kubectl` +2. Create a second Azure Active Directory native application for `kubectl`. The callback URL does not matter (just cannot be empty). -3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes +3. 
On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes. 4. Configure the `apiserver` to use the Azure Active Directory as an OIDC provider with following options @@ -21,8 +20,9 @@ This plugin provides an integration with Azure Active Directory device flow. If * Replace the `APISERVER_APPLICATION_ID` with the application ID of `apiserver` application * Replace `TENANT_ID` with your tenant ID. +   * For a list of alternative username claims that are supported by the OIDC issuer check the JSON response at `https://sts.windows.net/TENANT_ID/.well-known/openid-configuration`. -5. Configure the `kubectl` to use the `azure` authentication provider +5. Configure `kubectl` to use the `azure` authentication provider ``` kubectl config set-credentials "USER_NAME" --auth-provider=azure \ @@ -35,7 +35,8 @@ This plugin provides an integration with Azure Active Directory device flow. If * Supported environments: `AzurePublicCloud`, `AzureUSGovernmentCloud`, `AzureChinaCloud`, `AzureGermanCloud` * Replace `USER_NAME` and `TENANT_ID` with your user name and tenant ID * Replace `APPLICATION_ID` with the application ID of your`kubectl` application ID - * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID + * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID + * Be sure to also (create and) select a context that uses above user 6. The access token is acquired when first `kubectl` command is executed 
@@ -45,4 +46,5 @@ This plugin provides an integration with Azure Active Directory device flow. If To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate. ``` - * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing next commands. + * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing further commands. + * The resulting username in Kubernetes depends on your [configuration of the `--oidc-username-claim` and `--oidc-username-prefix` flags on the API server](https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server). If you are using any authorization method you need to give permissions to that user, e.g. by binding the user to a role in the case of RBAC.