{"id":21358,"date":"2023-01-04T18:13:05","date_gmt":"2023-01-04T17:13:05","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=21358"},"modified":"2024-09-10T15:44:47","modified_gmt":"2024-09-10T13:44:47","slug":"kubernetes-sso-using-azure-ad-the-production-solution","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/","title":{"rendered":"Kubernetes SSO using Azure AD: The Production Solution"},"content":{"rendered":"\n

In my previous blog<\/a> I’ve detailed the tests we did regarding SSO in Kubernetes using Azure AD. I’ve described all the steps of our research on this topic in order to give our readers a real idea of how implementing a new solution happens. It is not a straight forward process and you have to explore several leads, do a lot of research and perform many tests in order to reach a satisfying solution that can be used on a production network.<\/p>\n\n\n\n

Summary of our first working scenario<\/h2>\n\n\n\n

Below is a summary of the working scenario that used HTTP as URL in Kubelogin as covered in my previous blog<\/a>:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Let’s quickly summarize it in order to understand why this solution is OK for testing but wasn’t satisfying enough as a production one.<\/p>\n\n\n\n

On the Office Computer<\/strong> we had to connect to host1<\/strong> using an SSH Tunnel in order to be able to use a Web Browser from this computer to reach the URL configured in Kubelogin (steps 1,2,3).<\/p>\n\n\n\n

From this URL we are redirected to Azure in order to authenticate and if successful, the Redirect URI parameter is compared to what is used as URL in Kubelogin. If both match then Azure generates a token that is sent to the apiserver (steps 4,5,6,7,8).<\/p>\n\n\n\n

This token will be active for a period of time and finally RBAC rules are applied in order to control the actions this user can do on this cluster (step 9).<\/p>\n\n\n\n

This scenario was not satisfying for the following reasons. By using HTTP we had no other option in Azure to set a different Redirect URI than localhost. As host1<\/strong> has no Graphical User Interface (GUI) we had to connect to it using an SSH Tunnel which is not great for our users as you have to keep this tunnel open while opening the Web Browser during the authentication process. This looks more like a testing solution than a production one so we kept pushing for a better solution.<\/p>\n\n\n\n

A Production Solution<\/h2>\n\n\n\n

As in Azure we can set any Redirect URI as long as it is HTTPS, the ideal solution would be to use HTTPS in Kubelogin as well, so we could set any URL that could be useful in our cluster environment. In my previous blog<\/a> we thought only HTTP was available for Kubelogin and we didn’t find any clear information regarding HTTPS. An old GitHub issue on this topic even showed it was not supported. Kudos to Arnaud Berbier<\/strong> (our DevOps Delivery Manager with years of experience as Senior Consultant and Platform Solution Architect at dbi-services<\/strong>) for figuring out the last missing bit of information required in Kubelogin for activating HTTPS which is then indeed supported! He is the boss for a reason and it will cost me a bottle of rhum but that is very well deserved!<\/p>\n\n\n\n

In our case we wanted to use the Fully Qualified Domain Name (FQDN) of host1<\/strong> as a URL and Redirect URI as this address is reachable from our Office Computer<\/strong> without the need of using an SSH Tunnel to host1<\/strong>. So this address will need to use HTTPS and 2 steps are required to achieve this: First generate the SSL certificates on host1<\/strong> and secondly use Kubelogin to use those newly generated certificates.<\/p>\n\n\n\n

You can create certificates on host1<\/strong> by using OpenSSL for example that will generate 2 files: host1.pem<\/strong> and host1.key<\/strong>. <\/p>\n\n\n\n

host1.pem<\/strong> is the public key and host1.key<\/strong> is the private key. You can now copy them in a folder that is secured and change the mode of both files to 400. Only the Kubernetes user on this host should be able to just read those files.<\/p>\n\n\n\n

Once done, you can set the credentials with kubectl<\/strong> as follows:<\/p>\n\n\n

\nkubectl config set-credentials <user_name> \\\n--exec-api-version=client.authentication.k8s.io\/v1beta1 \\\n--exec-command=kubectl \\\n--exec-arg=kubectl-oidc_login \\\n--exec-arg=get-token \\\n--exec-arg=--oidc-issuer-url="https:\/\/sts.windows.net\/...\/" \\\n--exec-arg=--oidc-client-id=... \\\n--exec-arg=--oidc-client-secret=...\n--exec-arg=--local-server-cert=\/certificate-path\/host1.pem\n--exec-arg=--local-server-key=\/certificate-path\/host1.key\n<\/pre><\/div>\n\n\n
It looks so simple when we know the solution! It is just a matter of using the 2 parameters local-server-cert<\/strong> and local-server-key<\/strong> that point to the certificates we have just generated.<\/p>\n\n\n\n
Now when you need to authenticate you can see the beautiful URL below:<\/p>\n\n\n
\n$ kubectl get pods\n \nPlease visit the following URL in your browser manually: https:\/\/host1:8000\n<\/pre><\/div>\n\n\n
Yes! HTTPS! So when you set that same address as Redirect URI on the Azure side it will authenticate and validate the Redirect URI and voil\u00e0!<\/p>\n\n\n\n
Let’s summarize this solution in the diagram below:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
What is different from the HTTP scenario is that Kubelogin is using the certificates generated and stored on host1<\/strong> and that the URL and Redirect URI are now using HTTPS with host1<\/strong> FQDN. Also now from the Office Computer<\/strong> we can use only SSH to connect to host1<\/strong> with no tunnels and the Web Browser can open the URL without requiring a tunnel for authenticating. This is exactly what we wanted!<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
We now have a solution we can deploy on production and I hope that you too will benefit from the information of this blog in order to implement a similar solution in your production cluster. With this blog and my previous one<\/a>, you should now be a Subject Matter Expert on this topic!<\/p>\n","protected":false},"excerpt":{"rendered":"
In my previous blog I’ve detailed the tests we did regarding SSO in Kubernetes using Azure AD. I’ve described all the steps of our research on this topic in order to give our readers a real idea of how implementing a new solution happens. It is not a straight forward process and you have to […]<\/p>\n","protected":false},"author":109,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3271,955,1320,1522],"tags":[995,1338,89,2764,2763,445],"type_dbi":[],"class_list":["post-21358","post","type-post","status-publish","format-standard","hentry","category-azure","category-cloud","category-devops","category-kubernetes","tag-authentication","tag-azure","tag-kubernetes","tag-oidc","tag-openid","tag-sso"],"acf":[],"yoast_head":"\nKubernetes SSO using Azure AD: The Production Solution - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kubernetes SSO using Azure AD: The Production Solution\" \/>\n<meta property=\"og:description\" content=\"In my previous blog I’ve detailed the tests we did regarding SSO in Kubernetes using Azure AD. I’ve described all the steps of our research on this topic in order to give our readers a real idea of how implementing a new solution happens. It is not a straight forward process and you have to […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-01-04T17:13:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-10T13:44:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP-1024x580.jpg\" \/>\n<meta name=\"author\" content=\"DevOps\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"DevOps\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/\"},\"author\":{\"name\":\"DevOps\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735\"},\"headline\":\"Kubernetes SSO using Azure AD: The Production Solution\",\"datePublished\":\"2023-01-04T17:13:05+00:00\",\"dateModified\":\"2024-09-10T13:44:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/\"},\"wordCount\":836,\"commentCount\":2,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP-1024x580.jpg\",\"keywords\":[\"Authentication\",\"Azure\",\"kubernetes\",\"oidc\",\"openid\",\"SSO\"],\"articleSection\":[\"Azure\",\"Cloud\",\"DevOps\",\"Kubernetes\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/\",\"name\":\"Kubernetes SSO using Azure AD: The Production Solution - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP-1024x580.jpg\",\"datePublished\":\"2023-01-04T17:13:05+00:00\",\"dateModified\":\"2024-09-10T13:44:47+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP.jpg\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP.jpg\",\"width\":2406,\"height\":1362},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kubernetes SSO using Azure AD: The Production Solution\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735\",\"name\":\"DevOps\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g\",\"caption\":\"DevOps\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/devops\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Kubernetes SSO using Azure AD: The Production Solution - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/","og_locale":"en_US","og_type":"article","og_title":"Kubernetes SSO using Azure AD: The Production Solution","og_description":"In my previous blog I’ve detailed the tests we did regarding SSO in Kubernetes using Azure AD. I’ve described all the steps of our research on this topic in order to give our readers a real idea of how implementing a new solution happens. It is not a straight forward process and you have to […]","og_url":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/","og_site_name":"dbi Blog","article_published_time":"2023-01-04T17:13:05+00:00","article_modified_time":"2024-09-10T13:44:47+00:00","og_image":[{"url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP-1024x580.jpg","type":"","width":"","height":""}],"author":"DevOps","twitter_card":"summary_large_image","twitter_misc":{"Written by":"DevOps","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/"},"author":{"name":"DevOps","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735"},"headline":"Kubernetes SSO using Azure AD: The Production Solution","datePublished":"2023-01-04T17:13:05+00:00","dateModified":"2024-09-10T13:44:47+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/"},"wordCount":836,"commentCount":2,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP-1024x580.jpg","keywords":["Authentication","Azure","kubernetes","oidc","openid","SSO"],"articleSection":["Azure","Cloud","DevOps","Kubernetes"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/","url":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/","name":"Kubernetes SSO using Azure AD: The Production Solution - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP-1024x580.jpg","datePublished":"2023-01-04T17:13:05+00:00","dateModified":"2024-09-10T13:44:47+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP.jpg","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/01\/SSO-Azure-HTTP.jpg","width":2406,"height":1362},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/kubernetes-sso-using-azure-ad-the-production-solution\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Kubernetes SSO using Azure AD: The Production Solution"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/4cd1b5f8a3de93f05a16ab8d7d2b7735","name":"DevOps","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cdd2dd7441774355062c0f0f68612296b059cd1e2ff6c7af0b15dba0ed64a85f?s=96&d=mm&r=g","caption":"DevOps"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/devops\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/21358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/109"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=21358"}],"version-history":[{"count":26,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/21358\/revisions"}],"predecessor-version":[{"id":21618,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/21358\/revisions\/21618"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=21358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=21358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=21358"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=21358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}