Hello Santhosh kumar Bhandari,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you would like to configure the kube-apiserver with a new OIDC (OpenID Connect) issuer URL for an external authentication tool, and you are also asking whether there is any way to integrate AKS with other tools like Keycloak.
Solution
Firstly, to update the OIDC configuration for kube-apiserver, you need to add or modify the following flags in the kube-apiserver configuration file or manifest:
- --oidc-issuer-url=https://<keycloak-server>/auth/realms/<realm>
- --oidc-client-id=<client-id>
- --oidc-username-claim=<username-claim>
- --oidc-groups-claim=<groups-claim> (if needed)
After you have done this, you will need to restart the kube-apiserver to apply the changes.
An example of the added or modified snippet looks like this:

```yaml
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --oidc-issuer-url=https://keycloak.example.com/auth/realms/myrealm
    - --oidc-client-id=myclient
    - --oidc-username-claim=preferred_username
    - --oidc-groups-claim=groups
```
NOTE:
Now, if you are using Azure Kubernetes Service (AKS), updating the kube-apiserver directly is not possible because AKS manages the control plane. However, you can still integrate AKS with Keycloak for authentication by using Azure AD (Active Directory) as an intermediary.
To do this:
- Set up Keycloak by configuring it to federate with Azure AD.
- Create an App Registration in Azure AD and configure it for OIDC authentication.
- Use the Azure AD integration with AKS, and set up role-based access control (RBAC) accordingly.
- After integration, create an Azure AD application and assign Azure AD roles.
- Finally, enable AKS integration with Azure AD.
- The steps here might be too lengthy for the page, kindly use the links in the references.
References
For more detailed step by steps instructions, you can refer to the following resources:
Source: Integrate Microsoft Entra ID with AKS (https://learn.microsoft.com/en-us/azure/aks/azure-ad-integration-cli). Accessed 6/12/2024.
Source: Keycloak and Azure AD integration tutorial. Accessed 6/12/2024.
Source: Detailed setup guide for Azure AD in Keycloak. Accessed 6/12/2024.
Source: Create an OpenID Connect provider for your AKS cluster - Azure. Accessed 6/12/2024.
Source: Deploy and configure an AKS cluster with workload identity - Azure. Accessed 6/12/2024.
Source: Use Microsoft Entra ID and Kubernetes RBAC for clusters - Azure. Accessed 6/12/2024.
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close the thread here by upvoting and accepting this as the answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam
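The --oidc-* flags in the answer above decide which user name and which groups Kubernetes RBAC ends up seeing, and that mapping is where the security consequences live: the apiserver compares the issuer and audience claims exactly, prefixes user names by default so that an external identity cannot collide with a built-in one, but applies no default prefix to groups, so a Keycloak group named system:masters would be handed to RBAC verbatim as the cluster-admin group. The Python below is an added example, not part of the answer above and not Kubernetes code; it emulates the apiserver's claim handling for those flags on an ID token whose signature is assumed to have already been verified against the issuer's JWKS (that network step is left out by assumption). The sample tokens, the user "alice" and the group names are constructed for the example; the default username-prefix rule (issuer URL plus "#" when the username claim is anything other than email, and "-" to disable prefixing) is the one the kube-apiserver documents for --oidc-username-prefix.

```python
from __future__ import annotations
import base64
import json
import time
from dataclasses import dataclass, replace


@dataclass
class OIDCConfig:
    """Mirrors the kube-apiserver --oidc-* flags discussed in the answer."""
    issuer_url: str                     # --oidc-issuer-url
    client_id: str                      # --oidc-client-id
    username_claim: str = "sub"         # --oidc-username-claim
    username_prefix: str | None = None  # --oidc-username-prefix (None: flag not set)
    groups_claim: str | None = None     # --oidc-groups-claim
    groups_prefix: str = ""             # --oidc-groups-prefix (apiserver has no default)

    def effective_username_prefix(self) -> str:
        # Apiserver default: with no --oidc-username-prefix and a username claim
        # other than "email", the prefix is "<issuer-url>#"; "-" disables prefixing.
        if self.username_prefix is None:
            return "" if self.username_claim == "email" else f"{self.issuer_url}#"
        return "" if self.username_prefix == "-" else self.username_prefix


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline use. A real Keycloak token is
    RS256-signed and checked against the issuer's JWKS; assumed done here."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.constructed-sig"


def map_identity(cfg: OIDCConfig, token: str, now: float | None = None) -> tuple[str, list[str]]:
    """Return the (username, groups) that Kubernetes RBAC will see, or raise
    ValueError with the reason the apiserver would reject the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    # 1. "iss" must equal --oidc-issuer-url exactly (no trailing-slash leniency).
    if claims.get("iss") != cfg.issuer_url:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    # 2. "aud" (string or list) must contain --oidc-client-id.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if cfg.client_id not in audiences:
        raise ValueError(f"client id {cfg.client_id!r} not in aud {audiences!r}")
    # 3. The token must not be expired.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    # 4. The username claim must be a non-empty string; with "email" the
    #    apiserver also rejects the token when email_verified is present and false.
    username = claims.get(cfg.username_claim)
    if not isinstance(username, str) or not username:
        raise ValueError(f"username claim {cfg.username_claim!r} missing")
    if cfg.username_claim == "email" and claims.get("email_verified") is False:
        raise ValueError("email not verified")
    username = cfg.effective_username_prefix() + username
    # 5. Optional groups claim: a string or a list of strings, each prefixed.
    groups: list[str] = []
    if cfg.groups_claim:
        raw = claims.get(cfg.groups_claim, [])
        raw = [raw] if isinstance(raw, str) else raw
        if not isinstance(raw, list) or not all(isinstance(g, str) for g in raw):
            raise ValueError(f"groups claim {cfg.groups_claim!r} must be a string or list of strings")
        groups = [cfg.groups_prefix + g for g in raw]
    return username, groups


def rejection_reason(cfg: OIDCConfig, token: str, now: float | None = None) -> str | None:
    """None when the token maps to an identity, otherwise the rejection message."""
    try:
        map_identity(cfg, token, now)
        return None
    except ValueError as exc:
        return str(exc)


# The flags from the manifest snippet in the answer above.
PAGE_CONFIG = OIDCConfig(issuer_url="https://keycloak.example.com/auth/realms/myrealm",
                         client_id="myclient", username_claim="preferred_username",
                         groups_claim="groups")
# Same flags plus --oidc-groups-prefix=oidc:, so no Keycloak group can ever be
# read by RBAC as a built-in Kubernetes group such as system:masters.
PREFIXED_CONFIG = replace(PAGE_CONFIG, groups_prefix="oidc:")
# Constructed sample token: a realm user who holds a group named "system:masters".
SAMPLE_CLAIMS = {"iss": PAGE_CONFIG.issuer_url, "aud": "myclient",
                 "exp": 4102444800,  # 2100-01-01 UTC, so the sample never expires
                 "preferred_username": "alice", "groups": ["developers", "system:masters"]}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS)
```

With PAGE_CONFIG the sample maps to user "https://keycloak.example.com/auth/realms/myrealm#alice" and groups ["developers", "system:masters"], so the Keycloak group name lands directly in the cluster-admin group; with PREFIXED_CONFIG the same token yields ["oidc:developers", "oidc:system:masters"], which matches nothing unless an RBAC binding names it explicitly. On a self-managed cluster these two prefix flags belong in the manifest next to the four the answer lists; on AKS they are not yours to set, which is exactly why the answer routes Keycloak through Entra ID and its RBAC integration instead.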