[Question] AAD Auth and Lighthouse

[jkroepke]

Describe scenario We are working as a service provider in customer environments. We are using Azure Lighthouse for managing the customer infrastructure components.

Question I'm aware that Azure Lighthouse wont work with OAUTH2 and the Kubernetes AAD integration based in that. I would like to know, if its possible to allow multiple tenants on the managed AAD Auth Integration?

I'm looking for alternatives to guest accounts

[samhodgkinson]

@krnese - Is this something the Lighthouse team could help with answering ?

[jkroepke]

An potential solution would be to allow multiple tenants for the Managed Azure AD integration.

[samhodgkinson]

This is a similar problem when working with Azure SQL or Data Factory as other examples, so Its a wider issues of how Azure Lighthouse can manage the data plain.

Without having a user account within the customer tenant, which defeats the point of Lighthouse. There seems to be limited options.

• Create a customer tenant SPN as a shared auth point.
• Provided Lighthouse users with the Azure Kubernetes Service Cluster Admin role https://learn.microsoft.com/en-us/azure/aks/managed-aad#troubleshooting-access-issues-with-azure-ad.

I don't think there great options.

[jkroepke]

Provided Lighthouse users with the Azure Kubernetes Service Cluster Admin

This does not work (tested), since the Azure AD configuration in AKS only allows one tenant. Kubernetes just respond with unauthenticated. In background, Kubernetes uses oauth for the authentication which is not compatible with Lighthouse yet.

Aside from that, Kubernetes does not support multiple OAUTH issuers.

[samhodgkinson]

Thanks for the confirmation. I will see if there's any updates from Microsoft. But it looks like the initial solution for me is a shared SPN, which has its own problems.

[ghost]

Action required from @Azure/aks-pm

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[ghost]

Issue needing attention of @Azure/aks-leads

[jkroepke]

Still interested

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[jkroepke]

Aside from that, Kubernetes does not support multiple OAUTH issuers.

With Kubernetes 1.30, its now supported.

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads

[microsoft-github-policy-service[bot]]

Issue needing attention of @Azure/aks-leads