Add External Identity Providers support in AKS #2861
Comments
What is the ETA for this in a public AKS release? I'm assuming this feature is required to implement equivalent functionality that we had with aad pod identity? |
Workload Identity is using OIDC Issuer which we have already published. This is adding additional OIDC Federation capabilities. We don't have an ETA yet, as we are still doing planning. |
@Azure/aks-pm issue needs labels |
The OIDC federation feature would be named "External Identity Providers" in AKS cluster. |
@Azure/aks-pm issue needs labels |
Will this feature be available within 3 or 6 months? |
This feature is in plan and checking internally about the ETA. Will update soon. |
The tentative date for public preview is Oct. |
Action required from @Azure/aks-pm |
Action required from @Azure/aks-pm |
Issue needing attention of @Azure/aks-leads |
Issue needing attention of @Azure/aks-leads |
Action required from @Azure/aks-pm |
We start the design. And we will share the progress here. |
Another month passed guys, any updates? |
I just returned from a physical meeting at Microsoft in Zurich, Switzerland with Brian Redmond (@chzbrgr71). He is one of the product managers for AKS. We discussed this issue and Brian assured me that holding Microsoft accountable for implementing this feature is good and Microsoft will take a closer look at this topic, and will definitely follow up. I just wanted this community to know and document today's event. |
Hi, any progress/update on this? Seems like upstream Kubernetes now supports multiple OIDC identity provider configurations. |
Hi! Just checking in here to see if there are any updates on this issue. |
Any updates? |
AKS 1.30 was released in July 2024, and this feature is still in the backlog https://github.com/orgs/Azure/projects/685/views/1 |
Is there an ETA or any workaround on this? |
This feature has a dependency on an upstream feature - structured authentication, which is in beta status from 1.30 k8s upstream (not AKS). We are currently working on the AKS integration for the above and have a tentative ETA of June 2025 for public preview |
@shashankbarsin as good as it sounds, there is still fear, uncertainty and doubt on the user and community side. I don't think that you are trying to implement an open interoperable interface such as the authentication configuration but merely politically being forced to technically implement a "Microsoft Entra ID"-only vendor lock-in. Why do I think so? Because this feature is too easy to implement and Microsoft has not implemented it for years. If you want to do something to build trust with your user base and the community, just implement this feature asap and stop waiting. |
We would also love to see this happen. |
Allow external identity providers to be used for authentication to AKS clusters. This feature takes a dependency on structured authentication feature upstream (https://kubernetes.io/blog/2024/04/25/structured-authentication-moves-to-beta/).