Support using the Entra SDK sidecar container to validate Azure access tokens#447
Open
AzureMarker wants to merge 25 commits into
Open
Support using the Entra SDK sidecar container to validate Azure access tokens#447AzureMarker wants to merge 25 commits into
AzureMarker wants to merge 25 commits into
Conversation
added 12 commits
April 20, 2026 17:22
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
The cluster role and role binding were removed but E2E was not updated: kubeguard#369 Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
AzureMarker
force-pushed
the
markdrobnak/entra-sdk-support
branch
from
7664882 to
c1ee28a
Compare
added 6 commits
April 20, 2026 17:33
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
AzureMarker
changed the title
added 4 commits
April 21, 2026 16:42
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
weinong
reviewed
May 6, 2026
| }, | ||
| }, | ||
| InitialDelaySeconds: int32(30), | ||
| InitialDelaySeconds: 1, |
Contributor
There was a problem hiding this comment.
this change will be a behavior change. though, it's unclear who's really using the installer. but is it really necessary?
Contributor
Author
There was a problem hiding this comment.
It's not necessary, but a 30 second wait is unnecessary and slows down the tests a lot.
Contributor
|
generally LGTM. I pinged few people from AKS to review as well. We can aim to merge it later this week if they don't have other feedback. |
norshtein
reviewed
May 7, 2026
|
Seems the CI does not contain E2E, do we have an E2E test result for the new code? |
norshtein
reviewed
May 7, 2026
norshtein
reviewed
May 7, 2026
|
My comments are mainly about nit and those are non-blocking. The code's functionality LGTM. |
karataliu
reviewed
May 7, 2026
karataliu
reviewed
May 7, 2026
karataliu
reviewed
May 7, 2026
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Contributor
Author
@norshtein Yes, the E2E was successful when I ran it locally: There's an old PR to add the E2Es to PR checks: #232 |
norshtein
approved these changes
May 8, 2026
arxhive
reviewed
May 8, 2026
arxhive
reviewed
May 8, 2026
arxhive
reviewed
May 8, 2026
Signed-off-by: Mark Drobnak <markdronak@microsoft.com>
Contributor
|
Thank you for the updates, LGTM! |
arxhive
approved these changes
May 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
NOTE: Most of the changed lines are due to vendoring some packages for the new E2E tests.
There are some systems using Guard that want to perform the Azure access token validation using the "official" dotnet implementation. This is where the Entra SDK container comes in:
https://learn.microsoft.com/en-us/entra/msidweb/agent-id-sdk/overview
https://mcr.microsoft.com/en-us/artifact/mar/entra-sdk/auth-sidecar/about
This PR adds support for using this container as a sidecar for Azure access token validation. It cannot fully validate PoP tokens, so it's only used for the inner access token validation in that scenario.
This feature is enabled only when the new
--azure.entra-sdk-urlflag is set in the Guard options, for example:The PR also fixes up the E2E tests and adds some that run through the full Azure token validation flow. This required some changes in the installer as well.
I added a local E2E testing script that automates the work of building the container image locally, loading it into the kind cluster, and running the E2E with that container image. There is a readme at
test/e2e/README.mdthat explains how to use the script.Closes #448