From dcdb23334e7d834d51cf430b7011ec738315ea6b Mon Sep 17 00:00:00 2001 From: Puja Date: Wed, 24 Jan 2018 15:34:03 +0100 Subject: [PATCH] Updated Readme for Azure (OIDC) auth provider Includes: * Added details and clarifications based on my experience * Some minor copy editing added note about resulting username fixing last list item clarficiation of resulting username mainly just refering to OIDC docs fixed comment about callback URL Kubernetes-commit: 2709a7ee0d7d25463c9da00890a7b7db3e4419d1 --- plugin/pkg/client/auth/azure/README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/plugin/pkg/client/auth/azure/README.md b/plugin/pkg/client/auth/azure/README.md index 0b5e62bd..e4ba791e 100644 --- a/plugin/pkg/client/auth/azure/README.md +++ b/plugin/pkg/client/auth/azure/README.md @@ -1,15 +1,14 @@ # Azure Active Directory plugin for client authentication -This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and stored them in the kubectl configuration. In addition it will refresh and update the tokens in configuration when expired. - +This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and store them in the kubectl configuration. In addition it will refresh and update the tokens in the configuration when expired. ## Usage -1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration) +1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration). The callback URL does not matter (just cannot be empty). -2. Create a second Azure Active Directory native application for `kubectl` +2. Create a second Azure Active Directory native application for `kubectl`. The callback URL does not matter (just cannot be empty). -3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes +3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes. 4. Configure the `apiserver` to use the Azure Active Directory as an OIDC provider with following options @@ -21,8 +20,9 @@ This plugin provides an integration with Azure Active Directory device flow. If * Replace the `APISERVER_APPLICATION_ID` with the application ID of `apiserver` application * Replace `TENANT_ID` with your tenant ID. +   * For a list of alternative username claims that are supported by the OIDC issuer check the JSON response at `https://sts.windows.net/TENANT_ID/.well-known/openid-configuration`. -5. Configure the `kubectl` to use the `azure` authentication provider +5. Configure `kubectl` to use the `azure` authentication provider ``` kubectl config set-credentials "USER_NAME" --auth-provider=azure \ @@ -35,7 +35,8 @@ This plugin provides an integration with Azure Active Directory device flow. If * Supported environments: `AzurePublicCloud`, `AzureUSGovernmentCloud`, `AzureChinaCloud`, `AzureGermanCloud` * Replace `USER_NAME` and `TENANT_ID` with your user name and tenant ID * Replace `APPLICATION_ID` with the application ID of your`kubectl` application ID - * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID + * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID + * Be sure to also (create and) select a context that uses above user 6. The access token is acquired when first `kubectl` command is executed @@ -45,4 +46,5 @@ This plugin provides an integration with Azure Active Directory device flow. If To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate. ``` - * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing next commands. + * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing further commands. + * The resulting username in Kubernetes depends on your [configuration of the `--oidc-username-claim` and `--oidc-username-prefix` flags on the API server](https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server). If you are using any authorization method you need to give permissions to that user, e.g. by binding the user to a role in the case of RBAC.