Changing the OIDC provider for the AKS cluster

Santhosh kumar Bhandari 0 Reputation points
2024-06-12T11:09:19.0433333+00:00

Hi Team,

I am trying to change the kube-apiserver with new oidc issuer url with the external auth tool. I don't see the option for the updating the kube api-server. Is there any way we can integrate AKS with other tools like keycloak?

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,977 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sina Salam 6,966 Reputation points
    2024-06-12T12:54:45.3866667+00:00

    Hello Santhosh kumar Bhandari,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to change the kube-apiserver with new OIDC (OpenID Connect) issuer URL with the external auth tool and also asking if there any way you can integrate AKS with other tools like Keycloak.

    Solution

    Firstly, to update the OIDC configuration for kube-apiserver, you need to add or modify the following flags in the kube-apiserver configuration file or manifest:

    • --oidc-issuer-url=https://<keycloak-server>/auth/realms/<realm>
    • --oidc-client-id=<client-id>
    • --oidc-username-claim=<username-claim>
    • --oidc-groups-claim=<groups-claim> (if needed)

    After you have done this, you will need to restart the kube-apiserver to apply the changes.

    The example of the addition or modification snippet will look like the below:

    spec:
      containers:
      - name: kube-apiserver
        command:
        - kube-apiserver
        - --oidc-issuer-url=https://keycloak.example.com/auth/realms/myrealm
        - --oidc-client-id=myclient
        - --oidc-username-claim=preferred_username
        - --oidc-groups-claim=groups
    

    NOTE:

    Now, if you are using Azure Kubernetes Service (AKS), updating the kube-apiserver directly is not possible because AKS manages the control plane. However, you can still integrate AKS with Keycloak for authentication by using Azure AD (Active Directory) as an intermediary.

    To do this:

    • Setup Keycloak by configuring Keycloak to federate with Azure AD.
    • Create an App Registration in Azure AD and configure it for OIDC authentication.
    • Use the Azure AD integration with AKS, and set up role-based access control (RBAC) accordingly.
    • After integration, create an Azure AD application and assign Azure AD roles.
    • Finally, enable AKS integration with Azure AD.
    • The steps here might be too lengthy for the page, kindly use the links in the references.

    References

    For more detailed step by steps instructions, you can refer to the following resources:

    Source: Integrate Microsoft Entra ID with AKS​. and https://learn.microsoft.com/en-us/azure/aks/azure-ad-integration-cli. Accessed, 6/12/2024.​

    Source: Keycloak and Azure AD integration tutorial​.​ Accessed, 6/12/2024.

    Source: Detailed setup guide for Azure AD in Keycloak​. Accessed, 6/12/2024.

    Source: Create an OpenID Connect provider for your AKS cluster-Azure. Accessed, 6/12/2024.

    Source: Deploy and configure an AKS cluster with workload identity - Azure. Accessed, 6/12/2024.

    Source: Use Microsoft Entra ID and Kubernetes RBAC for clusters - Azure. Accessed, 6/12/2024.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam