This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I have an AKS cluster that has AzureAD, RBAC enabled I also have registered an app on AzureAD. Now I am trying to get a token with the typical go-oidc package flow with the necessary AzureAD configs but the token i get is not able to access AKS resources I get a 401 unauthorized error
Note: I have the required clusterrole and clusterrolebindings that allow the AzureAD group to access all the resources.
more info:
I have tried the same token with a minikube cluster locally which has oidc configured which works there
@Ashu Ghildiyal can you try cleaning up the KubeConfig via Kubectl config commands?
@Vidya Narasimhan i tried but still i get the 401 error
Could you please provide more details on exactly what point you get the 401 error? Provide the command or code and steps that leads to the error.
Hi @Ashu Ghildiyal we connected offline. During our chat, it was observed that your cluster was enabled for Azure RBAC but the principal which was trying to execute cluster operations was not assigned the Azure RBAC role. Instead, it had been assigned Kubernetes RBAC role.
As described in this link, when Azure RBAC is enabled, Azure AD principals will be validated by Azure RBAC while regular Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC.
https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac
So, the recommendation was to either disable Azure RBAC or assign the right role to the principal. Please let us know the results.