Issues with Entra id setup for onprem kubernetes clusters (kubeadm installed) already onboarded to azure arc for kubernetes

Question

Issues with Entra id setup for onprem kubernetes clusters (kubeadm installed) already onboarded to azure arc for kubernetes

Nelson Nwajie 5

currently following this steps here

https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/azure-rbac

seeing this error

I0522 14:23:37.752547 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/batch/v1/serverresources.json

I0522 14:23:37.752631 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/crd.projectcalico.org/v1/serverresources.json

I0522 14:23:37.752679 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/autoscaling/v1/serverresources.json

I0522 14:23:37.752741 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/v1/serverresources.json

I0522 14:23:37.752776 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/clusterconfig.azure.com/v1beta1/serverresources.json

I0522 14:23:37.752789 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/discovery.k8s.io/v1/serverresources.json

I0522 14:23:37.752800 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/operator.tigera.io/v1/serverresources.json

I0522 14:23:37.752964 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/apps/v1/serverresources.json

I0522 14:23:37.753204 983629 cached_discovery.go:77] returning cached discovery info from /home/nelson.nwajie/.kube/cache/discovery/192.168.98.11_6443/projectcalico.org/v3/serverresources.json

I0522 14:23:37.757161 983629 round_trippers.go:466] curl -v -XGET -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.31.0 (linux/amd64) kubernetes/9edcffc" 'https://192.168.98.11:6443/api/v1/nodes?limit=500'

I0522 14:23:38.126255 983629 round_trippers.go:510] HTTP Trace: Dial to tcp:192.168.98.11:6443 succeed

I0522 14:24:08.481808 983629 round_trippers.go:553] GET https://192.168.98.11:6443/api/v1/nodes?limit=500 401 Unauthorized in 30724 milliseconds

I0522 14:24:08.481876 983629 round_trippers.go:570] HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 6 ms ServerProcessing 30001 ms Duration 30724 ms

I0522 14:24:08.481902 983629 round_trippers.go:577] Response Headers:

I0522 14:24:08.481930 983629 round_trippers.go:580] Content-Length: 129

I0522 14:24:08.481952 983629 round_trippers.go:580] Date: Thu, 22 May 2025 14:24:08 GMT

I0522 14:24:08.481973 983629 round_trippers.go:580] Audit-Id: eaba8024-da63-424a-a5cd-6f1b472f74db

I0522 14:24:08.481993 983629 round_trippers.go:580] Cache-Control: no-cache, private

I0522 14:24:08.482013 983629 round_trippers.go:580] Content-Type: application/json

I0522 14:24:08.482070 983629 request.go:1351] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

I0522 14:24:08.482631 983629 helpers.go:246] server response object: [{

"kind": "Status",

"apiVersion": "v1",

"metadata": {},

"status": "Failure",

"message": "Unauthorized",

"reason": "Unauthorized",

"code": 401

}]

error: You must be logged in to the server (Unauthorized)

my kubeconfig looks like this

apiVersion: v1

clusters:

cluster: certificate-authority-data:

Anusree Nashetty 4,385 Reputation points Microsoft External Staff Moderator

2025-05-22T21:05:48.6733333+00:00

Hello Nelson Nwajie,

I understand you're encountering issues while setting up Entra ID for a Kubernetes cluster that has already been onboarded to Azure. To assist you more effectively, could you please confirm whether this setup is intended for an on-premises environment or is being applied within Azure?

Your confirmation will help me better understand the context and identify the right solution path.
Nelson Nwajie 5 Reputation points

2025-05-22T21:12:43.8533333+00:00

Yes the setup is onpremise, i installed kubernetes on our onpremise servers, and joined it to azure arc. i am currently setting up access through Microsoft entraid but running into so much errors.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-05-23T05:52:57.7666667+00:00
Hello Nelson Nwajie, Please share the output of below commands-

kubectl config use-context <context-name> kubectl get nodes

If you see a 401 here, that will confirm the token is not being accepted. We can narrow down on the blocker atleast.

If you see it's not already enabled, then enable Azure RBAC

az connectedk8s enable-features \ --name <cluster-name> \ --resource-group <resource-group> \ --features azure-rbac \ --skip-azure-rbac-list "nelson.nwajie@example.com"

here observe that I have kept --skip-azure-rbac-list . This ensures your user still works via ClusterRoleBinding while testing.

If you succeed till the above suggested steps then confirm Arc AAD components are running fine or not by running- kubectl get pods -n azure-arc

You will see some pods having names like this- azure-arc-aad-proxy or azure-arc-agent

and inside your Azure , your id whatever is the name there suppose it's nelson. Assign Entra ID Role in Azure to that id. Atleast add these two- Azure Arc Kubernetes Cluster Admin and Azure Kubernetes Viewer. Best if you can add contributor. You can do this from portal or cli. Upto you. If CLI then replace <object-id-or-username> with either Entra ID Object ID or UPN

az role assignment create \ --assignee <object-id-or-username> \ --role "Azure Arc Kubernetes Cluster Admin" \ --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Kubernetes/connectedClusters/<cluster-name>

If done so far without blocker then do a fresh login using az login, clearly set your subscription using az account set --subscription <sub-id> and then do a kubectl get nodes

If everything was done correctly so far then it should not show 401 Unauthorized error, and nodes list will appear successfully.

If the issue persists, you can test bypassing Azure RBAC by creating a local Kubernetes

kubectl create clusterrolebinding nelson-admin-binding \ --clusterrole=cluster-admin \ --user="nelson.nwajie@example.com"

Let me know your findings. Thanks
Anusree Nashetty 4,385 Reputation points Microsoft External Staff Moderator

2025-05-23T19:22:07.7166667+00:00

Hi Nelson Nwajie,

Could you please check the information provided above and let us know the details.
Mounika Reddy Anumandla 6,585 Reputation points Microsoft External Staff Moderator

2025-05-26T05:07:57.6566667+00:00

Hello Nelson Nwajie,
Just checking to see if you had a chance to review the response provided to your question!

If you have any further queries, please let me know.

If the information is helpful, please click "upvote" to let us know.

1 answer

Your answer

Anusree Nashetty 4,385 Reputation points Microsoft External Staff Moderator

2025-05-22T21:05:48.6733333+00:00

Hello Nelson Nwajie,

I understand you're encountering issues while setting up Entra ID for a Kubernetes cluster that has already been onboarded to Azure. To assist you more effectively, could you please confirm whether this setup is intended for an on-premises environment or is being applied within Azure?

Your confirmation will help me better understand the context and identify the right solution path.
Nelson Nwajie 5 Reputation points

2025-05-22T21:12:43.8533333+00:00

Yes the setup is onpremise, i installed kubernetes on our onpremise servers, and joined it to azure arc. i am currently setting up access through Microsoft entraid but running into so much errors.
Anusree Nashetty 4,385 Reputation points Microsoft External Staff Moderator

2025-05-23T19:22:07.7166667+00:00

Hi Nelson Nwajie,

Could you please check the information provided above and let us know the details.
Mounika Reddy Anumandla 6,585 Reputation points Microsoft External Staff Moderator

2025-05-26T05:07:57.6566667+00:00

Hello Nelson Nwajie,
Just checking to see if you had a chance to review the response provided to your question!

If you have any further queries, please let me know.

If the information is helpful, please click "upvote" to let us know.

Answer 1

Hello Nelson Nwajie,

I understand you're running on-prem Kubernetes, joined to Azure Arc, and you're now trying to integrate access using Microsoft Entra ID (formerly Azure AD) via Azure RBAC.

Here’s how we can troubleshoot and resolve the 401 Unauthorized error you're facing, step-by-step.

Prerequisites Checklist

Please verify that all of these are done:

Kubernetes is connected to Azure Arc.
- az connectedk8s show -n <cluster-name> -g <resource-group> should return valid metadata.

Azure Arc features are enabled. Run:

   az connectedk8s enable-features -n <cluster-name> -g <resource-group> --features azure-rbac

Entra ID integration is enabled.
- You should have installed the aad-pod-identity or enabled Microsoft Entra integration during Arc onboarding.
- Arc agent and Azure Arc AAD proxy pods should be running in the azure-arc namespace:
```
     kubectl get pods -n azure-arc
```
You’re assigned an Azure RBAC role like Azure Arc Kubernetes Cluster Admin on the Arc resource in Azure:
```
   az role assignment list --assignee <your-user-or-group> --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Kubernetes/connectedClusters/<cluster-name>
```
Note Before you run the enable-features command, ensure that the kubeconfig file on the machine points to the cluster on which you want to enable Azure RBAC. Use --skip-azure-rbac-list with this command for a comma-separated list of usernames, emails, and OpenID connections undergoing authorization checks by using Kubernetes native ClusterRoleBinding and RoleBinding objects instead of Azure RBAC.

Also see: https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect?tabs=azure-powershell#microsoft-entra-authentication-option

Hope it helps!

Let me know if you have any further queries!

Share via

Issues with Entra id setup for onprem kubernetes clusters (kubeadm installed) already onboarded to azure arc for kubernetes

1 answer

Your answer