Merge pull request #18226 from sethmanheim/akstsg6-17

sethmanheim · web-flow · commit 861d4c979ed7 · 2025-06-24T10:02:58.000-07:00
Add new AKS Arc kubectl TSG
diff --git a/AKS-Arc/TOC.yml b/AKS-Arc/TOC.yml
@@ -189,6 +189,8 @@
       href: network-validation-errors.md
     - name: Network validation error due to .local domain
       href: network-validation-error-local.md
+    - name: Entra authentication prompts when running kubectl
+      href: entra-prompts.md
     - name: BGP with FRR not working
       href: connectivity-troubleshoot.md
   - name: Reference
diff --git a/AKS-Arc/entra-prompts.md b/AKS-Arc/entra-prompts.md
@@ -0,0 +1,38 @@
+---
+title: Entra authentication prompts when running kubectl with Kubernetes RBAC
+description: Learn how to troubleshoot Entra authentication issues when using kubectl with Kubernetes RBAC.
+author: sethmanheim
+ms.author: sethm
+ms.topic: troubleshooting
+ms.date: 06/24/2025
+ms.reviewer: leslielin
+ms.lastreviewed: 06/24/2025
+
+---
+
+# Repeated Entra authentication prompts when running kubectl with Kubernetes RBAC
+
+This article helps you diagnose and resolve issues related to repeated Entra authentication prompts when using **kubectl** with Kubernetes RBAC on AKS enabled by Azure Arc.
+
+## Symptoms
+
+When you use **kubectl** with [Microsoft Entra authentication and Kubernetes RBAC](kubernetes-rbac-local.md) in AKS on Azure Local, Entra authentication prompts appear after each command execution.
+
+## Possible causes
+
+This issue is caused by [a GitHub bug](https://github.com/Azure/kubelogin/issues/654) introduced in **kubelogin** version 0.2.0 and later.
+
+## Mitigation
+
+To mitigate this issue, you can use one of the following two methods:
+
+- Downgrade **kubelogin** to version 1.9.0. This stable version does not have the bug that causes repeated authentication prompts. You can [download this version from the GitHub repository](https://github.com/int128/kubelogin/releases/tag/v1.9.0). Select the appropriate asset for your OS or architecture, extract it, and replace your existing **kubelogin** binary.
+- Alternatively, if you have administrator permissions, you can use the `--admin` flag with the `az aksarc get-credentials` command. This method bypasses **kubelogin** authentication by retrieving admin credentials directly:
+
+  ```azurecli
+  az aksarc get-credentials -g $resource_group_name -n $aks_cluster_name --file <file-name> --admin
+  ```
+
+## Next steps
+
+[Troubleshoot issues in AKS enabled by Azure Arc](aks-troubleshoot.md)
diff --git a/AKS-Arc/kubernetes-rbac-local.md b/AKS-Arc/kubernetes-rbac-local.md
@@ -3,12 +3,12 @@ title: Control access using Microsoft Entra ID and Kubernetes RBAC in AKS enable
 description: Learn how to use Microsoft Entra group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in AKS Arc.
 author: sethmanheim
 ms.author: sethm 
-ms.lastreviewed: 07/26/2024
+ms.lastreviewed: 06/17/2025
 ms.reviewer: abha
 ms.topic: how-to
 ms.custom:
   - devx-track-azurecli
-ms.date: 07/26/2024
+ms.date: 06/17/2025
 
 # Intent: As an IT Pro, I need to learn how to enable Kubernetes role-based access control so that I can manage access to resources.
 # Keyword: Kubernetes role-based access control 
@@ -34,6 +34,9 @@ Before you set up Kubernetes RBAC using Microsoft Entra ID, you must have the fo
   - To access the Kubernetes cluster directly using the `az aksarc get-credentials` command, you need the **Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action**, which is included in the **Azure Kubernetes Service Arc Cluster User** role permissions
   - To access the Kubernetes cluster from anywhere with a proxy mode using `az connectedk8s proxy` command, you need the **Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action**, which is included in **Azure Arc-enabled Kubernetes Cluster User** role permission. Meanwhile, you need to verify that the agents and the machine performing the onboarding process meet the network requirements in [Azure Arc-enabled Kubernetes network requirements](/azure/azure-arc/kubernetes/network-requirements?tabs=azure-cloud#details).
 
+> [!NOTE]
+> When you use **kubelogin version 1.9.0** with Microsoft Entra authentication and Kubernetes RBAC in AKS on Azure Local, you might encounter Entra authentication prompts for each command you run. For a solution to this known issue, see [Repeated Entra authentication prompts when running kubectl with Kubernetes RBAC](entra-prompts.md).
+
 ## Optional first steps
 
 If you don't already have a Microsoft Entra group that contains members, you might want to create a group and add some members, so that you can follow the instructions in this article.
