Use Entra ID to manage Role-Based Access Control in an on-premises Kubernetes cluster running on k3s

NDUBUISI CHRISTOPHER OKPALA 0 Reputation points
2025-05-21T17:22:28.7966667+00:00

I want to be able to use Entra ID to manage Role-Based Access Control in an on-premises K3s Kubernetes cluster.

I have done the following steps below. However, I am still having issues in achieving that:

Entra ID Integration via OIDC

a. Entra ID App Registration (OIDC Provider Setup)

  • Created a new App Registration in Entra ID named k3s-oidc-auth.
  • Set the Redirect URI to https://kubeapi.yourdomain.com/oauth2/callback.
  • Set the following API permissions:
    • openid
    • profile
    • email
    • User.Read
  • Created a client secret.
  • Captured:
    • Client ID
    • Client Secret
    • Tenant ID
  • Issuer URL: `https://login.microsoftonline.com/<tenant-id>/v2.0`

k3s Configuration for OIDC

I have created a config.yaml file in this path = /etc/rancher/k3s/config and updated it with the following:

kube-apiserver-arg:
  - "--oidc-issuer-url=https://login.microsoftonline.com/<tenant-id>/v2.0"
  - "--oidc-client-id=<client-id>"
  - "--oidc-username-claim=email"
  - "--oidc-groups-claim=groups"

Users authenticate using kubelogin to get an OIDC token and then run kubectl. The command line below works well:


kubelogin get-token \
  --login azurecli \
  --client-id <client-id> \
  --tenant-id <tenant-id> \
  --server-id <client-id>

Sample ~/.kube/config Using Entra ID (OIDC)

apiVersion: v1
kind: Config
clusters:
- cluster:
    #certificate-authority-data: <base64-ca-cert>
    insecure-skip-tls-verify: true #for dev testing
    server: https://kubeapi.yourdomain.com:6443
  name: k3s-oidc-cluster
contexts:
- context:
    cluster: k3s-oidc-cluster
    user: oidc-user
  name: oidc-context
current-context: oidc-context
users:
- name: oidc-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin
      args:
        - get-token
        - --environment
        - AzurePublicCloud
        - --login
        - spn
        - --client-secret
        - <secret>
        - --client-id
        - <client-id>
        - --tenant-id
        - <tenant-id>
        - --server-id
        - <client-id>
      env: null


Restarted K3s using:

sudo systemctl restart k3s

Authentication Fails Despite OIDC Config setup.

When running kubectl with command below:

KUBECONFIG=~/.kube/config kubectl get nodes

E0521 <random-numbers>  355238 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E0521 <random-numbers>  355238 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E0521 <random-numbers>  355238 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"


Running the command below shows that the config saved at this path = /etc/rancher/k3s/config is not being detected and picked up by the k3s server:

ps aux | grep k3s-server

Please, I would like to know what I am missing here and how to get this issue resolved.

Thanks
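As an added example (not part of the original question or any of the answers), the following shell script runs two offline checks this setup depends on: that the kube-apiserver actually received the four --oidc-* flags, and that the token kubelogin returns carries iss, aud, email and groups values that match them. It assumes the flag line is the "Running kube-apiserver ..." entry from `journalctl -u k3s` (k3s applies config.yaml in-process, so those flags are not visible in `ps` output), and every id and token in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the Entra ID / k3s OIDC
# wiring. Inputs are constructed placeholders; feed it the real "Running kube-apiserver ..."
# line from `journalctl -u k3s` and the id_token printed by `kubelogin get-token`.

# Base64url helpers ('+/' -> '-_', padding stripped on encode and restored on decode).
b64url_enc() { base64 | tr -d '\n=' | sed 'y/+\//-_/'; }
b64url_dec() {
  s=$(sed 'y/-_/+\//'); pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d
}

# Read one claim (string or array) from a JWT payload. No signature check: this inspects
# what kubelogin will present, it does not decide whether to trust the token.
jwt_claim() {
  printf '%s' "$1" | cut -d. -f2 | b64url_dec |
    sed -E -n 's/.*"'"$2"'":("[^"]*"|\[[^]]*\]).*/\1/p' | tr -d '"'
}

# Succeed only if every --oidc-* flag the apiserver needs is present on its command line.
check_apiserver_args() {
  for f in oidc-issuer-url oidc-client-id oidc-username-claim oidc-groups-claim; do
    case "$1" in *"--$f="*) ;; *) echo "missing --$f"; return 1 ;; esac
  done
  return 0
}

# Cross-check the token against the issuer and client id the apiserver was configured with.
check_token() {
  [ "$(jwt_claim "$1" iss)" = "$2" ] || { echo "iss does not match --oidc-issuer-url"; return 1; }
  [ "$(jwt_claim "$1" aud)" = "$3" ] || { echo "aud does not match --oidc-client-id"; return 1; }
  [ -n "$(jwt_claim "$1" email)" ] || { echo "no email claim for --oidc-username-claim"; return 1; }
  [ -n "$(jwt_claim "$1" groups)" ] || { echo "no groups claim: add it in the app registration"; return 1; }
}

# Constructed sample data: placeholder tenant/client ids and an unsigned token with a dummy signature.
ISSUER='https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0'
CLIENT_ID='11111111-1111-1111-1111-111111111111'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_enc).$(printf '%s' \
  '{"iss":"'"$ISSUER"'","aud":"'"$CLIENT_ID"'","email":"alice@example.com","groups":["k8s-admins"]}' \
  | b64url_enc).dummysig"
GOOD_LINE="Running kube-apiserver --oidc-issuer-url=$ISSUER --oidc-client-id=$CLIENT_ID \
--oidc-username-claim=email --oidc-groups-claim=groups"

check_apiserver_args "$GOOD_LINE" && check_token "$SAMPLE_TOKEN" "$ISSUER" "$CLIENT_ID" &&
  echo "apiserver flags and token claims are consistent"
```

A missing groups claim is the usual reason a ClusterRoleBinding on a Group subject never applies even though authentication succeeds, so check_token reports it separately from the issuer and audience mismatches.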


3 answers

  1. Pramidha Yathipathi 1,135 Reputation points Microsoft External Staff Moderator
    2025-05-23T00:24:19.6433333+00:00

    Hi NDUBUISI CHRISTOPHER OKPALA,

    Make sure your Issuer URL is complete. It should typically look like this: https://login.microsoftonline.com/{tenant-id}/v2.0. Make sure you replace {tenant-id} with your actual Tenant ID.

    Ensure that the permissions you've set in Entra ID (like openid, profile, email, and User.Read) are correct and that the user account you are testing has been assigned to the corresponding Azure AD groups.

    Verify that the /etc/rancher/k3s/config.yaml file includes the correct OIDC arguments:

    --kube-apiserver-arg=oidc-issuer-url=https://login.microsoftonline.com/{tenant-id}/v2.0
    --kube-apiserver-arg=oidc-client-id={client-id}
    --kube-apiserver-arg=oidc-username-claim=email
    --kube-apiserver-arg=oidc-groups-claim=groups
    

    Use tools like kubelogin to authenticate users via OIDC and ensure kubectl is configured to use the obtained token for cluster access.

    RBAC Role and RoleBinding Configuration:

    Even with successful authentication, users won't have permissions without proper RBAC roles.

    So, create Role or ClusterRole and bind them to users or groups using RoleBinding or ClusterRoleBinding.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: entra-admin-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: User
      name: user@example.com
      apiGroup: rbac.authorization.k8s.io

    After binding, try to login and perform some operations, like creating pods or other resources, to test whether the permissions are correctly applied.

    https://learn.microsoft.com/en-us/azure/aks/concepts-identity

    https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal

    Can you confirm whether your K3s Kubernetes cluster is running on-premises or is it hosted in Azure (such as through AKS or Azure VMs)?

    If you found information helpful, please click "Upvote" on the post to let us know.

    If you have any further queries, feel free to reach out — we’re always happy to assist you.

    Thank You.


  2. Alex Burlachenko 10,255 Reputation points
    2025-05-23T08:16:04.4266667+00:00

    Dear Ndubuisi Christopher Okpala,

    Thank you for sharing your question on the Q&A portal! It’s great to see you exploring Entra ID integration with Kubernetes for role-based access control. I’ll try to help clarify the steps and address the issues you’re facing. This is an addition from me to the comment of Pramidha Yathipathi (thanks a lot to him for that).

    First, you’ve done a good job setting up the App Registration in Entra ID for OIDC authentication. However, since you’re using an on-premises k3s cluster (not Azure Kubernetes Service), the configuration will need some adjustments. For OIDC to work with k3s, you’ll need to ensure the kube-apiserver is properly configured with the OIDC flags. Microsoft’s documentation explains the OIDC setup here: Microsoft Entra ID OAuth 2.0 and OpenID Connect protocols.

    Here’s what you might be missing:

    The kube-apiserver in your k3s cluster needs these OIDC parameters added to its startup flags (usually in /etc/rancher/k3s/config.yaml or as command-line args):

    kube-apiserver-arg:
      - --oidc-issuer-url=https://login.microsoftonline.com/your-tenant-id/v2.0
      - --oidc-client-id=your-client-id-from-entra-id
      - --oidc-username-claim=email
      - --oidc-groups-claim=groups

    Note that your-tenant-id should be replaced with your actual Entra ID tenant ID. Also, make sure the groups claim is included in the Entra ID token. You can configure this in the App Registration’s token configuration settings. For more details, check: Configure group claims for applications.

    Another common pitfall is the redirect URI. Since you’re on-premises, ensure https://kubeapi.yourdomain.com is accessible from your network and the DNS resolves correctly. The callback URL must match exactly what’s in Entra ID, including the /oauth2/callback path.

    For role-based access control (RBAC), you’ll need to create Kubernetes Role and RoleBinding resources that map to the Entra ID groups or users. For example, if you have a group in Entra ID called k8s-admins, you can create a ClusterRoleBinding like this:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: entra-admins-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: Group
      name: "k8s-admins"
      apiGroup: rbac.authorization.k8s.io

    This example grants the cluster-admin role to anyone in the k8s-admins group. You can find more about Kubernetes RBAC here: Using RBAC Authorization.

    Lastly, don’t forget to restart the k3s service after updating the configuration (sudo systemctl restart k3s). If you’re still having trouble, check the kube-apiserver logs for OIDC-related errors (journalctl -u k3s -n 100).

    Hope this helps! Let me know if you run into any specific errors.

    Best regards,
    Alex
    P.S. If my answer helped you, please accept my answer.
    PPS: That is my answer and not a comment.
    https://ctrlaltdel.blog/

  3. Jinnie Nguyen 310 Reputation points Independent Advisor
    2025-05-26T09:28:36.33+00:00

    Hello,

    Thank you for sharing the details of your setup. The App Registration you created and the issue you're encountering with Kubernetes RBAC (Role-Based Access Control) are two separate concerns.

    While the App Registration is a necessary step for enabling OpenID Connect (OIDC) authentication, it does not automatically configure or enforce RBAC in your Kubernetes cluster—especially in a k3s environment.

    To ensure your setup aligns with Azure AD-based RBAC for Kubernetes, please review: https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal

    This guide walks through:

    • Proper integration of Azure AD with AKS
    • How to assign roles to users and groups
    • How authentication and authorization are handled in AKS

    If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!

    Best regards,

