title: Entra authentication prompts when running kubectl with Kubernetes RBAC
3
+
description: Learn how to troubleshoot Entra authentication issues when using kubectl with Kubernetes RBAC.
4
+
author: sethmanheim
5
+
ms.author: sethm
6
+
ms.topic: troubleshooting
7
+
ms.date: 06/24/2025
8
+
ms.reviewer: leslielin
9
+
ms.lastreviewed: 06/24/2025
10
+
11
+
---
12
+
13
+
# Repeated Entra authentication prompts when running kubectl with Kubernetes RBAC
14
+
15
+
This article helps you diagnose and resolve issues related to repeated Entra authentication prompts when using **kubectl** with Kubernetes RBAC on AKS enabled by Azure Arc.
16
+
17
+
## Symptoms
18
+
19
+
When you use **kubectl** with [Microsoft Entra authentication and Kubernetes RBAC](kubernetes-rbac-local.md) in AKS on Azure Local, Entra authentication prompts appear after each command execution.
20
+
21
+
## Possible causes
22
+
23
+
This issue is caused by [a GitHub bug](https://github.com/Azure/kubelogin/issues/654) introduced in **kubelogin** version 0.2.0 and later.
24
+
25
+
## Mitigation
26
+
27
+
To mitigate this issue, you can use one of the following two methods:
28
+
29
+
- Downgrade **kubelogin** to version 1.9.0. This stable version does not have the bug that causes repeated authentication prompts. You can [download this version from the GitHub repository](https://github.com/int128/kubelogin/releases/tag/v1.9.0). Select the appropriate asset for your OS or architecture, extract it, and replace your existing **kubelogin** binary.
30
+
- Alternatively, if you have administrator permissions, you can use the `--admin` flag with the `az aksarc get-credentials` command. This method bypasses **kubelogin** authentication by retrieving admin credentials directly:
31
+
32
+
```azurecli
33
+
az aksarc get-credentials -g $resource_group_name -n $aks_cluster_name --file <file-name> --admin
34
+
```
35
+
36
+
## Next steps
37
+
38
+
[Troubleshoot issues in AKS enabled by Azure Arc](aks-troubleshoot.md)
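Review bot: the cause and the mitigation in this new article point at two different projects and contradict each other on versions. "Possible causes" attributes the prompts to Azure/kubelogin issue 654, "introduced in **kubelogin** version 0.2.0 and later", but the first mitigation bullet tells the reader to "downgrade" to 1.9.0 from `https://github.com/int128/kubelogin/releases/tag/v1.9.0`, which is a different GitHub organization with its own version line, and 1.9.0 is not a downgrade from 0.2.0. Name the one kubelogin that the `az aksarc get-credentials` / Entra flow actually uses and give a release from that project's own releases page that predates the regression. The second bullet should also be framed as a temporary workaround rather than an equal alternative: "bypasses **kubelogin** authentication by retrieving admin credentials directly" means the admin kubeconfig sidesteps the Entra identity and Kubernetes RBAC that the article is about, so add a sentence saying to return to the Entra-based kubeconfig once kubelogin is fixed. Minor style point in the command: `-g $resource_group_name -n $aks_cluster_name --file <file-name>` mixes shell variables with an angle-bracket placeholder; use one convention.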
AKS-Arc/kubernetes-rbac-local.md
Lines changed: 5 additions & 2 deletions
@@ -3,12 +3,12 @@ title: Control access using Microsoft Entra ID and Kubernetes RBAC in AKS enable
3
3
description: Learn how to use Microsoft Entra group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in AKS Arc.
4
4
author: sethmanheim
5
5
ms.author: sethm
6
-
ms.lastreviewed: 07/26/2024
6
+
ms.lastreviewed: 06/17/2025
7
7
ms.reviewer: abha
8
8
ms.topic: how-to
9
9
ms.custom:
10
10
- devx-track-azurecli
11
-
ms.date: 07/26/2024
11
+
ms.date: 06/17/2025
12
12
13
13
# Intent: As an IT Pro, I need to learn how to enable Kubernetes role-based access control so that I can manage access to resources.
14
14
# Keyword: Kubernetes role-based access control
@@ -34,6 +34,9 @@ Before you set up Kubernetes RBAC using Microsoft Entra ID, you must have the fo
34
34
- To access the Kubernetes cluster directly using the `az aksarc get-credentials` command, you need the **Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action**, which is included in the **Azure Kubernetes Service Arc Cluster User** role permissions
35
35
- To access the Kubernetes cluster from anywhere with a proxy mode using `az connectedk8s proxy` command, you need the **Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action**, which is included in **Azure Arc-enabled Kubernetes Cluster User** role permission. Meanwhile, you need to verify that the agents and the machine performing the onboarding process meet the network requirements in [Azure Arc-enabled Kubernetes network requirements](/azure/azure-arc/kubernetes/network-requirements?tabs=azure-cloud#details).
36
36
37
+
> [!NOTE]
38
+
> When you use **kubelogin version 1.9.0** with Microsoft Entra authentication and Kubernetes RBAC in AKS on Azure Local, you might encounter Entra authentication prompts for each command you run. For a solution to this known issue, see [Repeated Entra authentication prompts when running kubectl with Kubernetes RBAC](entra-prompts.md).
39
+
37
40
## Optional first steps
38
41
39
42
If you don't already have a Microsoft Entra group that contains members, you might want to create a group and add some members, so that you can follow the instructions in this article.
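Review bot: the added NOTE names **kubelogin version 1.9.0** as the version that produces the repeated prompts, while the article it links to (entra-prompts.md, added in this same commit) presents 1.9.0 as the fix ("Downgrade **kubelogin** to version 1.9.0. This stable version does not have the bug") and says the bug was "introduced in **kubelogin** version 0.2.0 and later". One of the two statements is wrong; align the version here with whatever entra-prompts.md settles on so readers are not told to install the version this note blames. The NOTE would also read more clearly with the symptom first, e.g. "> You might see an Entra authentication prompt for every kubectl command when using kubelogin <affected version> with ...".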
|[5944 series](https://www.hpe.com/psnow/doc/4aa5-4495enw?jumpid=in_lit-psnow-red) <br>(10, 100 GbE)|Comware 7 version R6710 or later |✓|✓|✓|✓|
177
177
|[5945 series](https://www.hpe.com/psnow/doc/a00049249enw) <br>(10, 25, 100 GbE)|Comware 7 version R6710 or later |✓|✓|✓|✓|
178
178
> [!NOTE]
179
179
> Guest RDMA requires both Compute (Standard) and Storage.
|[SSE-C4632](https://www.supermicro.com/datasheet/datasheet_SSE-C4632.pdf) <br>(10, 25, 100 GbE)|Broadcom Advanced Enterprise SONiC OS 4.2.1 or later |✓|✓|✓|✓|
258
258
|[SSE-T8032](https://www.supermicro.com/datasheet/datasheet_SSE-T8032S.pdf) <br>(10, 25, 100, 400 GbE)|Broadcom Advanced Enterprise SONiC OS 4.2.1 or later |✓|✓|✓|✓|
259
259
> [!NOTE]
260
260
> Guest RDMA requires both Compute (Standard) and Storage.
@@ -277,9 +277,9 @@ This section lists industry standards that are mandatory for the specific roles
277
277
> Network adapters used for compute, storage, and management traffic require Ethernet. For more information, see [Host network requirements](host-network-requirements.md).
278
278
279
279
Here are the mandatory IEEE standards and specifications:
@@ -344,9 +344,9 @@ Ethernet switches used for Azure Local SDN compute traffic must support Border G
344
344
345
345
Ethernet switches used for Azure Local management traffic must support DHCP relay agent. The DHCP relay agent is any TCP/IP host which is used to forward requests and replies between the DHCP server and client when the server is present on a different network. It is required for PXE boot services. [RFC 3046: DHCPv4](https://www.rfc-editor.org/rfc/rfc3046) or [RFC 6148: DHCPv4](https://www.rfc-editor.org/rfc/rfc6148.html#:~:text=RFC%204388%20defines%20a%20mechanism%20for%20relay%20agents,starts%20receiving%20data%20to%20and%20from%20the%20clients.)
@@ -403,17 +403,13 @@ LLDP allows organizations to define and encode their own custom TLVs. These are
403
403
| IEEE 802.3 | Maximum Frame Size (Subtype = 4) |
404
404
405
405
### Maximum Transmission Unit
406
-
*New Requirement in 22H2*
407
406
408
407
The maximum transmission unit (MTU) is the largest size frame or packet that can be transmitted across a data link. A range of 1514 - 9174 is required for SDN encapsulation.
409
408
### Border Gateway Protocol
410
-
*New Requirement in 22H2*
411
409
412
410
Ethernet switches used for Azure Local SDN compute traffic must support Border Gateway Protocol (BGP). BGP is a standard routing protocol used to exchange routing and reachability information between two or more networks. Routes are automatically added to the route table of all subnets with BGP propagation enabled. This is required to enable tenant workloads with SDN and dynamic peering. [RFC 4271: Border Gateway Protocol 4](https://www.rfc-editor.org/rfc/rfc4271)
413
411
414
412
### DHCP Relay Agent
415
-
*New Requirement in 22H2*
416
-
417
413
418
414
Ethernet switches used for Azure Local management traffic must support DHCP relay agent. The DHCP relay agent is any TCP/IP host which is used to forward requests and replies between the DHCP server and client when the server is present on a different network. It is required for PXE boot services. [RFC 3046: DHCPv4](https://www.rfc-editor.org/rfc/rfc3046) or [RFC 6148: DHCPv4](https://www.rfc-editor.org/rfc/rfc6148.html#:~:text=RFC%204388%20defines%20a%20mechanism%20for%20relay%20agents,starts%20receiving%20data%20to%20and%20from%20the%20clients.)
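Review bot: removing the three "*New Requirement in 22H2*" labels from the Maximum Transmission Unit, Border Gateway Protocol and DHCP Relay Agent subsections leaves no statement of which release first mandated them; the hunk header (-403,17 +403,13) shows only deletions, so if the version applicability is not carried elsewhere in the article, add a short applies-to line at the top of "### Maximum Transmission Unit" rather than dropping the information silently. Unrelated to the change but in the visible context: the DHCP relay sentence labels both links identically as "RFC 3046: DHCPv4" and "RFC 6148: DHCPv4", which does not tell the reader which document to open, and the second URL carries a `#:~:text=` text-fragment anchor that breaks if the page wording changes; use the RFCs' own titles and a plain `https://www.rfc-editor.org/rfc/rfc6148` link.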