|
2 | 2 | title: Create an OpenID Connect provider for your Azure Kubernetes Service (AKS) cluster |
3 | 3 | description: Learn how to configure the OpenID Connect (OIDC) provider for a cluster in Azure Kubernetes Service (AKS) |
4 | 4 | ms.topic: article |
5 | | -ms.date: 02/16/2023 |
| 5 | +ms.date: 02/21/2023 |
6 | 6 | --- |
7 | 7 |
|
8 | 8 | # Create an OpenID Connect provider on Azure Kubernetes Service (AKS) |
9 | 9 |
|
10 | | -OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications by using a security token called an ID token. With your AKS cluster, you can enable OpenID Connect (OIDC) Issuer, which allows Azure Active Directory (Azure AD) or other cloud provider identity and access management platform, to discover the API server's public signing keys. |
| 10 | +[OpenID Connect][open-id-connect-overview] (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol issued by Azure Active Directory (Azure AD). You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications, on your Azure Kubernetes Service (AKS) cluster, by using a security token called an ID token. With your AKS cluster, you can enable OpenID Connect (OIDC) Issuer, which allows Azure Active Directory (Azure AD) or other cloud provider identity and access management platform, to discover the API server's public signing keys. |
11 | 11 |
|
12 | 12 | AKS rotates the key automatically and periodically. If you don't want to wait, you can rotate the key manually and immediately. The maximum lifetime of the token issued by the OIDC provider is one day. |
13 | 13 |
|
14 | 14 | > [!WARNING] |
15 | | -> Enable or disable OIDC Issuer changes the current service account token issuer to a new value, which can cause down time and restarts the API server. If the application pods using a service token remain in a failed state after you enable or disable the OIDC Issuer, we recommend you manually restart the pods. |
| 15 | +> Enable or disable OIDC Issuer changes the current service account token issuer to a new value, which can cause down time and restarts the API server. If your application pods using a service token remain in a failed state after you enable or disable the OIDC Issuer, we recommend you manually restart the pods. |
16 | 16 |
|
17 | 17 | ## Prerequisites |
18 | 18 |
|
@@ -54,11 +54,19 @@ az aks oidc-issuer rotate-signing-keys -n myAKSCluster -g myResourceGroup |
54 | 54 | > [!IMPORTANT] |
55 | 55 | > Once you rotate the key, the old key (key1) expires after 24 hours. This means that both the old key (key1) and the new key (key2) are valid within the 24-hour period. If you want to invalidate the old key (key1) immediately, you need to rotate the OIDC key twice. Then key2 and key3 are valid, and key1 is invalid. |
56 | 56 |
|
| 57 | +## Next steps |
| 58 | + |
| 59 | +* Review [Azure AD workload identity][azure-ad-workload-identity-overview] (preview). This authentication method integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application. |
| 60 | +* See [Secure pod network traffic][secure-pod-network-traffic] to understand how to use the Network Policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. |
| 61 | + |
57 | 62 | <!-- LINKS - external --> |
58 | 63 |
|
59 | 64 | <!-- LINKS - internal --> |
| 65 | +[open-id-connect-overview]: ../active-directory/fundamentals/auth-oidc.md |
60 | 66 | [azure-cli-install]: /cli/azure/install-azure-cli |
61 | 67 | [az-aks-create]: /cli/azure/aks#az-aks-create |
62 | 68 | [az-aks-update]: /cli/azure/aks#az-aks-update |
63 | 69 | [az-aks-show]: /cli/azure/aks#az-aks-show |
64 | | -[az-aks-oidc-issuer]: /cli/azure/aks/oidc-issuer |
| 70 | +[az-aks-oidc-issuer]: /cli/azure/aks/oidc-issuer |
| 71 | +[azure-ad-workload-identity-overview]: workload-identity-overview.md |
| 72 | +[secure-pod-network-traffic]: use-network-policies.md |
0 commit comments