failing kubernetes auth with oidc and azure apps and authorization with a specified Security Group #84730
Comments
Also tried, as per https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens, to provide the kubectl config with oidc arguments based on the first successful authentication with the Azure app (config above), but same errors:
/sig azure

These SIGs are my best guesses for this issue. Please comment

🤖 I am a bot run by vllry. 👩🔬
@athenabot: The label(s) In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@guillaumedossantos: The label(s) In response to this:
@kubernetes/sig-auth-test-failures
@guillaumedossantos: Reiterating the mentions to trigger a notification: In response to this:
Required claims must be a string - an array of strings will not work.

kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go, Lines 620 to 634 in 27cf50d
As simple as that. Sorry, I didn't read the code; I was sure it was expecting an array of strings because that is what

So I was under the impression that

So if I follow correctly, you just can't use a required claim to require a specific group. That's a very important feature missing, don't you think??
Why wouldn't you just not grant permission to that group?
Sorry if I sound silly, but how so?

Edit: I recall that I don't use RBAC in my tests, because we don't use RBAC yet.
I found a workaround.
I am having the same error.

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BJZQH4LQV to authenticate.

Setting up SSO between our (regular, not AKS) Kubernetes clusters and Azure AD. Followed the document: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration

Could anyone please help?
@guillaumedossantos @ahjsun with #121078 merged, this should be possible now as an alpha feature in v1.29.
I'm trying to set up SSO between our (regular, not AKS) Kubernetes clusters and Azure AD. Currently trying with the kubectl binary installed on my computer.

It works when no groups are involved, but we want to filter by security group (accounts on AAD are synced from our on-prem Active Directory), no kube RBAC involved.

Setup is inspired by https://medium.com/@olemarkus/using-azure-ad-to-authenticate-to-kubernetes-eb143d3cce10 and https://docs.microsoft.com/fr-fr/azure/aks/azure-ad-integration:

- web app for the kube API server, configured to expose its API (add scope etc.), with app ID: abc123
- native app for the kubectl client, configured with the addition of API permission from the web app, with app ID: xyz456

In the kube API server YAML manifest I add:

```
- --oidc-client-id=spn:abc123
- --oidc-issuer-url=https://sts.windows.net/OurAADTenantID
```

```
kubectl config set-cluster test-legacy-2 --server=https://192.168.x.y:4443 --certificate-authority=/somelocation/ca.pem
```

Also in the Azure client app manifest, I had to specify:

```
"allowPublicClient":true,
"oauth2AllowIdTokenImplicitFlow":true
```

Otherwise I had the error "Failed to acquire a token: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Unknown Error". Found on MicrosoftDocs/azure-docs#10326.

Issues start when trying to filter on some security group that I find in the JWT, as per https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens.

I am receiving a format error even though the JWT Azure sends me does contain the groups in the right format (JSON array of strings).

Config:

In the Azure web app manifest, to have the groups in my JWT:

```
"groupMembershipClaims": "SecurityGroup",
```

kube API server YAML manifest:

```
- --oidc-groups-claim=groups
- --oidc-required-claim=groups=bbc2eedf-79cd-4505-9fb4-39856ed3790e
```

with the string here being the GUID of my target security group.

I am receiving the error:

```
You must be logged in to the server (Unauthorized)
```

on the output of kubectl, and the kube API server logs give me this:

```
authentication.go:62] Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, oidc: parse claim groups: json: cannot unmarshal array into Go value of type string]]
```

But I don't understand why it is not happy, because when I decode the JWT I do have

which to my knowledge is a well-formatted JSON array of strings...
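As an added example (not code from this issue or from Kubernetes), the Go snippet below contrasts the two checks the thread is about: a simplified stand-in for the required-claim comparison, which decodes each claim as a plain string and therefore fails on the array-valued `groups` claim with the same error as the apiserver log above, and the group-membership test that belongs on the authorization side (an RBAC binding to the group GUID), which reads the claim as the array it is. The claim names and GUID are taken from the issue; the other claim values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed claims of an Azure AD ID token, shaped as the issue describes:
// "groups" is a JSON array of strings, "tid" is a plain string.
var sampleClaims = map[string]json.RawMessage{
	"tid":    json.RawMessage(`"OurAADTenantID"`),
	"groups": json.RawMessage(`["bbc2eedf-79cd-4505-9fb4-39856ed3790e","00000000-0000-0000-0000-000000000001"]`),
}

// checkRequiredClaims is a simplified stand-in (not the apiserver's code) for
// the logic the oidc.go reference points at: each --oidc-required-claim value
// is compared with the claim decoded as a string, so "groups" fails to parse.
func checkRequiredClaims(claims map[string]json.RawMessage, required map[string]string) error {
	for name, want := range required {
		var got string // string only; a missing or array-valued claim errors here
		if err := json.Unmarshal(claims[name], &got); err != nil {
			return fmt.Errorf("oidc: parse claim %s: %v", name, err)
		}
		if got != want {
			return fmt.Errorf("oidc: required claim %s value does not match", name)
		}
	}
	return nil
}

// hasGroup is the membership test that belongs in authorization (an RBAC
// binding to the group GUID); it reads the array-valued groups claim as such.
func hasGroup(claims map[string]json.RawMessage, groupsClaim, group string) (bool, error) {
	var groups []string
	if err := json.Unmarshal(claims[groupsClaim], &groups); err != nil {
		return false, fmt.Errorf("oidc: parse claim %s: %v", groupsClaim, err)
	}
	for _, g := range groups {
		if g == group {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	fmt.Println(checkRequiredClaims(sampleClaims, map[string]string{"groups": "bbc2eedf-79cd-4505-9fb4-39856ed3790e"}))
	fmt.Println(hasGroup(sampleClaims, "groups", "bbc2eedf-79cd-4505-9fb4-39856ed3790e"))
}
```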