Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-4221

RFE - Support log in to OCP nodes with Azure AD

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Unresolved
    • Icon: Critical Critical
    • None
    • None
    • Auth, Node, RHEL CoreOS
    • None
    • False
    • None
    • False
    • Not Selected
    • 0
    • 0% 0%

      What are you experiencing? What are you expecting to happen?
      We would like to be able to ssh into OpenShift nodes using Azure AD authentication.
       
      We run OCP platforms on VM on Azure, that we install using the IPI installer.
       
      After the installation, it is possible to log in to the OpenShift nodes through ssh, as a public key is installed for the core user. This allows users knowing the private key, to log in as a local user, and we want to avoid that for security reasons, although we only allow that from a bastion.
       
      We try to privilege "oc debug node" commands to log onto nodes, but there are circumstances where we need to ssh to the node nevertheless, when oc debug does not work and we have to troubleshoot and repair:
      • kubernetes API having issue, crio having issues, etc.
      • having an extraordinary load average on the node which prevent most operations
      • the node hits the limit of pods it can scheduled and there is no room for extra pod
         
        We are investigating whether we can use the "aadsshlogin" [1] mechanism provided by Azure.
        aadsshlogin works already on RHEL9.2, with the following assumptions:
      • packages aadsshlogin and aadsshlogin-selinux from [2] are installed
      • their dependencies (nss, nspr) from RHEL repos are installed as well
      • a "aad_admins" group is kept under /etc/group after reboot
      • VM has identity type SystemAssigned
        the Microsoft RPMs hack the /etc/nsswitch.conf to add the "aad" authentication method and also add an "AuthorizedKeysCommand /usr/sbin/aad_certhandler..." in the sshd_config. the selinux package ensures (a guess) that the sshd_t context can fetch data from metadata services and create users.
         
        With that in mind, I verified it is indeed possible today to make this mechanism work by layering the nss, nspr, aadsshlogin, aadsshlogin-selinux rpms on to of RHCOS, then making sure the aad_admins is in /etc/group after reboot, and that the VM identity is SystemAssigned, and it does technically work.
         
        Is it possible to provide this mechanism out of the box, so that we can just ssh onto the nodes using the aad authentication method?
         
        Thank you
         
        [1]: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux
        [2]: https://packages.microsoft.com/rhel/9/prod/Packages/a/
         
        Define the value or impact to you or the business
        exploring security improvements

            rhn-support-mrussell Mark Russell
            rhn-support-vmedina1 Victor Medina
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: