Hi NDUBUISI CHRISTOPHER OKPALA,
Make sure your Issuer URL is complete. It should typically look like this: https://login.microsoftonline.com/{tenant-id}/v2.0. Make sure you replace {tenant-id} with your actual Tenant ID.
Ensure that the permissions you've set in Entra ID (like `openid`, `profile`, `email`, and `User.Read`) are correct and that the user account you are testing has been assigned to the corresponding Azure AD groups.
Verify that the /etc/rancher/k3s/config.yaml file includes the correct OIDC arguments (in config.yaml, repeated `--kube-apiserver-arg` flags are written as a `kube-apiserver-arg` list):

```yaml
kube-apiserver-arg:
  # fill in your Tenant ID in the issuer URL and the app registration's client ID
  - "oidc-issuer-url=https://login.microsoftonline.com//v2.0"
  - "oidc-client-id="
  - "oidc-username-claim=email"
  - "oidc-groups-claim=groups"
```
Use tools like kubelogin to authenticate users via OIDC and ensure kubectl is configured to use the obtained token for cluster access.
RBAC Role and RoleBinding Configuration:
Even with successful authentication, users won't have permissions without proper RBAC roles.
So, create a Role or ClusterRole and bind it to users or groups using a RoleBinding or ClusterRoleBinding.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: entra-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io
```
After binding, try to login and perform some operations, like creating pods or other resources, to test whether the permissions are correctly applied.
https://learn.microsoft.com/en-us/azure/aks/concepts-identity
https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal
Can you confirm whether your K3s Kubernetes cluster is running on-premises or is it hosted in Azure (such as through AKS or Azure VMs)?
If you found information helpful, please click "Upvote" on the post to let us know.
If you have any further queries, feel free to reach out — we’re always happy to assist you.
Thank You.
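As an added example (not part of the answer above, and not k3s or Microsoft code), the following Python script walks the same checklist in code: it validates the OIDC arguments a k3s config.yaml would hand to kube-apiserver (issuer URL shape, tenant ID present, client ID non-empty, username and groups claims set), decodes a constructed ID token to confirm it actually carries the claims those arguments name, and reports which subjects of the ClusterRoleBinding shown above would apply to that token. The tenant ID, client ID, group ID and token are all constructed sample values; the `ISSUER_RE` shape is the one quoted in the answer. The token decoding is inspection only, with no signature check, because the API server does that verification against the issuer's keys.

```python
import base64
import json
import re
from typing import Dict, List

# Constructed sample values (hypothetical, not from the original answer).
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "constructed-client-id"
SAMPLE_GROUP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

GOOD_ARGS = [
    f"oidc-issuer-url=https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    f"oidc-client-id={SAMPLE_CLIENT_ID}",
    "oidc-username-claim=email",
    "oidc-groups-claim=groups",
]
# Same shape as the answer's snippet with the tenant and client IDs left blank.
BAD_ARGS = [
    "oidc-issuer-url=https://login.microsoftonline.com//v2.0",
    "oidc-client-id=",
    "oidc-username-claim=email",
    "oidc-groups-claim=groups",
]
# Subjects of the ClusterRoleBinding quoted in the answer.
BINDING_SUBJECTS = [{"kind": "User", "name": "user@example.com"}]

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/v2\.0$")


def parse_apiserver_args(entries: List[str]) -> Dict[str, str]:
    """Turn 'key=value' entries of a kube-apiserver-arg list into a dict."""
    parsed = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError(f"argument without '=': {entry!r}")
        parsed[key] = value
    return parsed


def check_oidc_args(args: Dict[str, str]) -> List[str]:
    """Return a list of problems with the OIDC arguments (empty means OK)."""
    problems = []
    match = ISSUER_RE.match(args.get("oidc-issuer-url", ""))
    if not match:
        problems.append("oidc-issuer-url must look like https://login.microsoftonline.com/{tenant-id}/v2.0")
    elif not GUID_RE.match(match.group(1)):
        problems.append(f"tenant id {match.group(1)!r} in oidc-issuer-url is not a GUID")
    if not args.get("oidc-client-id"):
        problems.append("oidc-client-id is empty")
    for key in ("oidc-username-claim", "oidc-groups-claim"):
        if not args.get(key):
            problems.append(f"{key} is not set")
    return problems


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims: Dict) -> str:
    """Build a constructed, unsigned JWT so the decoding path can be exercised offline."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "constructed-signature"])


def decode_jwt_payload(token: str) -> Dict:
    """Decode the payload segment of a JWT. Inspection only: no signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token_claims(args: Dict[str, str], claims: Dict) -> List[str]:
    """Check that the token carries what the API server was told to read from it."""
    problems = []
    if claims.get("iss") != args.get("oidc-issuer-url"):
        problems.append("token 'iss' does not equal oidc-issuer-url")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if args.get("oidc-client-id") not in audiences:
        problems.append("token 'aud' does not contain oidc-client-id")
    username_claim = args.get("oidc-username-claim", "")
    if not claims.get(username_claim):
        problems.append(f"token has no {username_claim!r} claim, so no username can be derived")
    groups = claims.get(args.get("oidc-groups-claim", ""))
    if not isinstance(groups, list) or not groups:
        problems.append("token has no non-empty groups claim, so group bindings cannot apply")
    return problems


def matching_subjects(subjects: List[Dict], args: Dict[str, str], claims: Dict) -> List[Dict]:
    """Subjects of a (Cluster)RoleBinding that apply to this token's user or groups."""
    username = claims.get(args.get("oidc-username-claim", ""))
    groups = claims.get(args.get("oidc-groups-claim", "")) or []
    return [s for s in subjects
            if (s["kind"] == "User" and s["name"] == username)
            or (s["kind"] == "Group" and s["name"] in groups)]


SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "aud": SAMPLE_CLIENT_ID,
    "email": "user@example.com",
    "groups": [SAMPLE_GROUP_ID],
}

if __name__ == "__main__":
    good = parse_apiserver_args(GOOD_ARGS)
    print("config problems:", check_oidc_args(good) or "none")
    print("config problems (blank IDs):", check_oidc_args(parse_apiserver_args(BAD_ARGS)))
    claims = decode_jwt_payload(make_sample_token(SAMPLE_CLAIMS))
    print("token problems:", check_token_claims(good, claims) or "none")
    print("binding subjects that apply:", matching_subjects(BINDING_SUBJECTS, good, claims))
```

To use it against a real cluster, replace `GOOD_ARGS` with the `kube-apiserver-arg` entries from config.yaml and `SAMPLE_CLAIMS` with the payload of the ID token kubelogin obtained. Note that if `oidc-username-prefix` or `oidc-groups-prefix` are also configured on the API server, the names in the binding must carry that prefix, which this simplified matcher does not model.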