
kubelogin may not work with MSI when run in Azure Container Instance #79

Open

weinong (Contributor) commented Feb 11, 2022

Problem

Although kubelogin addresses kubernetes/kubernetes#86410 to remove the `spn:` prefix from the audience claim, you may encounter the same issue while using kubelogin with Managed Service Identity (MSI) in Azure Container Instance (ACI).

For example

```shell
az login --identity --username ${MSI_CLIENT_ID}
kubelogin convert-kubeconfig -l azurecli
kubectl get pods
error: You must be logged in to the server (Unauthorized)

## If `guard` log is enabled in AKS control plane, you will see
## failed to verify token for azure: oidc: expected audience "6dae42f8-4368-4678-94ff-3960e28e3630" got ["spn:6dae42f8-4368-4678-94ff-3960e28e3630"]
```

The issue is in ACI, where they have different infrastructures such that the returned MSI token on the legacy one will include the `spn:` prefix in the audience claim. You can verify by examining the AAD token: run `kubelogin get-token --server-id 6dae42f8-4368-4678-94ff-3960e28e3630 --client-id ${MSI_CLIENT_ID} --login msi`, paste the access token into https://jwt.ms and look at the audience claim. If it has `spn:`, your ACI is running on the legacy infrastructure.

Mitigation

Please open a support request to the ACI team to migrate your subscription.

References

#30 #61
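A small offline check of the audience claim described above, written for this issue as an added example (it is not kubelogin's code). The token it inspects is constructed test data, the server ID is the one quoted in the issue, and the tenant in the `iss` claim is a placeholder:

```python
import base64
import json

# Audience AKS expects for the AAD server application (the value quoted in the issue).
AKS_SERVER_ID = "6dae42f8-4368-4678-94ff-3960e28e3630"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature.
    This is inspection only (what jwt.ms does), not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_audience(token: str, server_id: str = AKS_SERVER_ID) -> str:
    """Classify the aud claim relative to the AKS server ID:
    'ok'         aud holds the bare server ID, AKS accepts it
    'spn-prefix' aud only holds 'spn:<server ID>', the legacy-ACI shape that
                 makes AKS answer Unauthorized
    'mismatch'   aud does not reference the server ID at all"""
    aud = jwt_claims(token).get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if server_id in audiences:
        return "ok"
    if f"spn:{server_id}" in audiences:
        return "spn-prefix"
    return "mismatch"


def unsigned_token(claims: dict) -> str:
    """Build an unsigned token from constructed claims (test data, not a real AAD token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample with the audience shape the issue reports from legacy ACI hosts.
LEGACY_TOKEN = unsigned_token({"aud": f"spn:{AKS_SERVER_ID}", "iss": "https://sts.windows.net/<tenant-id>/"})

if __name__ == "__main__":
    print(classify_audience(LEGACY_TOKEN))  # spn-prefix
```

Feed it the access token printed by `kubelogin get-token` to get the same answer you would read off jwt.ms, without pasting the token into a browser.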

weinong added the "known issue" label and removed the "bug" label on Feb 11, 2022
@weinong weinong changed the title [known issue] kubelogin may not work with MSI when run in Azure Container Instance kubelogin may not work with MSI when run in Azure Container Instance Feb 12, 2022
djsly commented Sep 30, 2022

@weinong do you know if we still need to request a migration for our subs, or if this is now fixed for all subs?
