Commit 1b176da

committed
draft restructure of OIDC content
1 parent 25ac34a commit 1b176da

2 files changed

+65
-49
lines changed

articles/aks/cluster-configuration.md

Lines changed: 1 addition & 49 deletions
@@ -1,10 +1,8 @@
11
---
22
title: Cluster configuration in Azure Kubernetes Services (AKS)
33
description: Learn how to configure a cluster in Azure Kubernetes Service (AKS)
4-
services: container-service
54
ms.topic: article
6-
ms.custom: ignite-2022
7-
ms.date: 12/09/2022
5+
ms.date: 02/16/2023
86
---
97

108
# Configure an AKS cluster
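Review bot: dropping `services: container-service` and `ms.custom: ignite-2022` from the front matter (old lines 4 and 6) goes beyond what the commit message describes ("draft restructure of OIDC content"). If removing those metadata keys is intentional, state it in the commit message; otherwise keep them and limit this hunk to the `ms.date` bump to 02/16/2023, which matches the date set on the new article.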
@@ -386,52 +384,6 @@ To remove Node Restriction from a cluster.
386384
az aks update -n aks -g myResourceGroup --disable-node-restriction
387385
```
388386

389-
## OIDC Issuer
390-
391-
You can enable an OIDC Issuer URL of the provider, which allows the API server to discover public signing keys. The maximum lifetime of the token issued by the OIDC provider is 1 day.
392-
393-
> [!WARNING]
394-
> Enable or disable OIDC Issuer changes the current service account token issuer to a new value, which can cause down time and restarts the API server. If the application pods using a service token remain in a failed state after you enable or disable the OIDC Issuer, we recommend you manually restart the pods.
395-
396-
### Prerequisites
397-
398-
* The Azure CLI version 2.42.0 or higher. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
399-
* AKS version 1.22 and higher. If your cluster is running version 1.21 and the OIDC Issuer preview is enabled, we recommend you upgrade the cluster to the minimum required version supported.
400-
401-
### Create an AKS cluster with OIDC Issuer
402-
403-
Create an AKS cluster using the [az aks create][az-aks-create] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer (preview). The following example creates a cluster named *myAKSCluster* with one node in the *myResourceGroup*:
404-
405-
```azurecli-interactive
406-
az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer
407-
```
408-
409-
### Update an AKS cluster with OIDC Issuer
410-
411-
Update an AKS cluster using the [az aks update][az-aks-update] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer (preview). The following example updates a cluster named *myAKSCluster*:
412-
413-
```azurecli-interactive
414-
az aks update -g myResourceGroup -n myAKSCluster --enable-oidc-issuer
415-
```
416-
417-
### Show the OIDC Issuer URL
418-
419-
To get the OIDC Issuer URL, run the following command. Replace the default values for the cluster name and the resource group name.
420-
421-
```azurecli-interactive
422-
az aks show -n myAKScluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv
423-
```
424-
425-
### Rotate the OIDC key
426-
427-
To rotate the OIDC key, perform the following command. Replace the default values for the cluster name and the resource group name.
428-
429-
```azurecli-interactive
430-
az aks oidc-issuer rotate-signing-keys -n myAKSCluster -g myResourceGroup
431-
```
432-
433-
> [!IMPORTANT]
434-
> Once you rotate the key, the old key (key1) expires after 24 hours. This means that both the old key (key1) and the new key (key2) are valid within the 24-hour period. If you want to invalidate the old key (key1) immediately, you need to rotate the OIDC key twice. Then key2 and key3 are valid, and key1 is invalid.
435387

436388
## Next steps
437389

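Review bot: the whole `## OIDC Issuer` section is cut from this article, but nothing in the remaining text points readers to the new `use-oidc-issuer.md` page, and the `#oidc-issuer` anchor that other pages may link to disappears with it. Add a short pointer to the new article (the `## Next steps` list that follows is the natural place) and check whether a redirection entry is needed for the old anchor. The removed text also used the `[azure-cli-install]`, `[az-aks-create]` and `[az-aks-update]` link references; confirm they are still referenced elsewhere in this file, otherwise their definitions are now dead and should be removed in the same change.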
articles/aks/use-oidc-issuer.md

Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
---
2+
title: Create an OpenID Connect provider for your Azure Kubernetes Service (AKS) cluster
3+
description: Learn how to configure the OpenID Connect (OIDC) provider for a cluster in Azure Kubernetes Service (AKS)
4+
ms.topic: article
5+
ms.date: 02/16/2023
6+
---
7+
8+
# Create an OpenID Connect provider on Azure Kubernetes Service (AKS)
9+
10+
OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications by using a security token called an ID token. With your AKS cluster, you can enable OpenID Connect (OIDC) Issuer, which allows Azure Active Directory (Azure AD) or other cloud provider identity and access management platform, to discover the API server's public signing keys.
11+
12+
AKS rotates the key automatically and periodically. If you don't want to wait, you can rotate the key manually and immediately. The maximum lifetime of the token issued by the OIDC provider is one day.
13+
14+
> [!WARNING]
15+
> Enable or disable OIDC Issuer changes the current service account token issuer to a new value, which can cause down time and restarts the API server. If the application pods using a service token remain in a failed state after you enable or disable the OIDC Issuer, we recommend you manually restart the pods.
16+
17+
## Prerequisites
18+
19+
* The Azure CLI version 2.42.0 or higher. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
20+
* AKS supports OIDC Issuer on version 1.22 and higher.
21+
22+
## Create an AKS cluster with OIDC Issuer
23+
24+
You can create an AKS cluster using the [az aks create][az-aks-create] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer. The following example creates a cluster named *myAKSCluster* with one node in the *myResourceGroup*:
25+
26+
```azurecli-interactive
27+
az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer
28+
```
29+
30+
## Update an AKS cluster with OIDC Issuer
31+
32+
You can update an AKS cluster using the [az aks update][az-aks-update] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer. The following example updates a cluster named *myAKSCluster*:
33+
34+
```azurecli-interactive
35+
az aks update -g myResourceGroup -n myAKSCluster --enable-oidc-issuer
36+
```
37+
38+
## Show the OIDC Issuer URL
39+
40+
To get the OIDC Issuer URL, run the [az aks show][az-aks-show] command. Replace the default values for the cluster name and the resource group name.
41+
42+
```azurecli-interactive
43+
az aks show -n myAKScluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv
44+
```
45+
46+
### Rotate the OIDC key
47+
48+
To rotate the OIDC key, run the [az aks oidc-issuer][az-aks-oidc-issuer] command. Replace the default values for the cluster name and the resource group name.
49+
50+
```azurecli-interactive
51+
az aks oidc-issuer rotate-signing-keys -n myAKSCluster -g myResourceGroup
52+
```
53+
54+
> [!IMPORTANT]
55+
> Once you rotate the key, the old key (key1) expires after 24 hours. This means that both the old key (key1) and the new key (key2) are valid within the 24-hour period. If you want to invalidate the old key (key1) immediately, you need to rotate the OIDC key twice. Then key2 and key3 are valid, and key1 is invalid.
56+
57+
<!-- LINKS - external -->
58+
59+
<!-- LINKS - internal -->
60+
[azure-cli-install]: /cli/azure/install-azure-cli
61+
[az-aks-create]: /cli/azure/aks#az-aks-create
62+
[az-aks-update]: /cli/azure/aks#az-aks-update
63+
[az-aks-show]: /cli/azure/aks#az-aks-show
64+
[az-aks-oidc-issuer]: /cli/azure/aks/oidc-issuer
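Review bot: `### Rotate the OIDC key` (new line 46) is the only H3 in the file; the other subsections were promoted to H2 when they left `## OIDC Issuer`, so this one should be `## Rotate the OIDC key` too. Three smaller points in the same hunk: `myAKScluster` in the `az aks show` example (line 43) should be `myAKSCluster` to match the cluster name used everywhere else; the opening sentence "allows Azure Active Directory (Azure AD) or other cloud provider identity and access management platform, to discover" should read "or other cloud provider identity and access management platforms to discover"; and the IMPORTANT note on rotating twice should spell out the consequence, since the 24-hour overlap exists because the maximum token lifetime stated above is one day: invalidating key1 immediately means relying parties that have refreshed the discovery document reject tokens still signed with key1, so workloads holding such tokens must obtain new ones (for example by restarting the pods, as the WARNING above already recommends for issuer changes).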
