Scenario 4: KAS Authentication Configuration

Objective: Verify the kube-apiserver (KAS) is configured with a JWT authenticator matching the Azure AD OIDC provider, and that the OAuth webhook authenticator is NOT used.

Code path: control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth.go — generates AuthenticationConfiguration with JWT authenticator from oidcProviders

Overall Scenario 4: PASS — All 4 checks verified.
Step  Check                                             Result  Evidence
1     auth-config ConfigMap contains JWT authenticator  PASS    JWT issuer URL: https://login.microsoftonline.com/520cf09d-...73b09/v2.0
2     JWT audiences match Azure AD app ID               PASS    Audience: d638131c-...dbc1
3     KAS uses --authentication-config (not webhook)    PASS    authentication-config: ["/etc/kubernetes/auth/auth.json"]; no authentication-token-webhook-config-file
4     OIDC feature gates enabled                        PASS    ExternalOIDC=true, ExternalOIDCWithUIDAndExtraClaimMappings=true, StructuredAuthenticationConfiguration=true

Commands & Outputs

Step 1 & 2: Inspect auth-config ConfigMap (JWT authenticator)

$ KUBECONFIG=/Users/brcox/aws_dev_kubeconfig oc get cm auth-config \
    -n clusters-brcox-sm-dev-hc -o jsonpath='{.data.auth\.json}' | jq .

{
  "kind": "AuthenticationConfiguration",
  "apiVersion": "apiserver.config.k8s.io/v1alpha1",
  "jwt": [
    {
      "issuer": {
        "url": "https://login.microsoftonline.com/520cf09d-...73b09/v2.0",
        "audiences": [
          "d638131c-...dbc1"
        ],
        "audienceMatchPolicy": "MatchAny"
      },
      "claimMappings": {
        "username": {
          "claim": "preferred_username",
          "prefix": ""
        },
        "groups": {
          "claim": "groups",
          "prefix": "aad:"
        },
        "uid": {
          "claim": "oid"
        }
      }
    }
  ]
}

Step 3 & 4: Inspect KAS config for authentication-config arg and feature gates

$ KUBECONFIG=/Users/brcox/aws_dev_kubeconfig oc get cm kas-config \
    -n clusters-brcox-sm-dev-hc \
    -o jsonpath='{.data.config\.json}' | jq '.apiServerArguments["authentication-config"]'

[
  "/etc/kubernetes/auth/auth.json"
]

# No authentication-token-webhook-config-file present (OAuth webhook NOT used)

# Relevant feature gates from apiServerArguments.feature-gates:
#   ExternalOIDC=true
#   ExternalOIDCWithUIDAndExtraClaimMappings=true
#   StructuredAuthenticationConfiguration=true

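
The four manual checks above can be automated against the two ConfigMaps. The script below is an added example, not part of this report and not HyperShift code: it parses an auth.json and the apiServerArguments section of a kas config.json and applies the same checks (JWT authenticator present with the expected issuer URL and audience, --authentication-config set with no token webhook file, the three OIDC feature gates enabled). The embedded JSON is constructed to mirror the output shown above, with placeholder tenant and app IDs; the expectation that feature-gates is a list of Name=true strings follows the output above.

```python
import json

# Constructed sample of the auth-config ConfigMap's auth.json, modeled on the
# page's output. Tenant and app (client) IDs are placeholders, not real values.
AUTH_JSON = """{
  "kind": "AuthenticationConfiguration",
  "apiVersion": "apiserver.config.k8s.io/v1alpha1",
  "jwt": [{
    "issuer": {
      "url": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
      "audiences": ["11111111-1111-1111-1111-111111111111"],
      "audienceMatchPolicy": "MatchAny"
    },
    "claimMappings": {
      "username": {"claim": "preferred_username", "prefix": ""},
      "groups": {"claim": "groups", "prefix": "aad:"},
      "uid": {"claim": "oid"}
    }
  }]
}"""

# Constructed subset of kas-config's config.json (apiServerArguments only).
# Assumption: feature-gates is a list of "Name=true|false" strings.
KAS_CONFIG_JSON = """{
  "apiServerArguments": {
    "authentication-config": ["/etc/kubernetes/auth/auth.json"],
    "feature-gates": [
      "ExternalOIDC=true",
      "ExternalOIDCWithUIDAndExtraClaimMappings=true",
      "StructuredAuthenticationConfiguration=true",
      "UnrelatedGate=false"
    ]
  }
}"""

EXPECTED_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
EXPECTED_AUDIENCE = "11111111-1111-1111-1111-111111111111"
REQUIRED_GATES = (
    "ExternalOIDC",
    "ExternalOIDCWithUIDAndExtraClaimMappings",
    "StructuredAuthenticationConfiguration",
)
WEBHOOK_ARG = "authentication-token-webhook-config-file"


def check_jwt_authenticator(auth_cfg, expected_issuer, expected_audience):
    """Steps 1 & 2: a JWT authenticator exists and its issuer URL and
    audiences match the expected provider. Returns (ok, evidence)."""
    jwts = auth_cfg.get("jwt") or []
    if auth_cfg.get("kind") != "AuthenticationConfiguration" or not jwts:
        return False, "no JWT authenticator in AuthenticationConfiguration"
    issuer = jwts[0].get("issuer", {})
    url, audiences = issuer.get("url", ""), issuer.get("audiences", [])
    if url != expected_issuer:
        return False, f"issuer URL {url!r} does not match expected provider"
    if expected_audience not in audiences:
        return False, f"audiences {audiences} do not include expected app ID"
    return True, f"issuer={url}; audiences={audiences}"


def check_kas_arguments(kas_cfg):
    """Step 3: --authentication-config is set and the OAuth token webhook is not."""
    args = kas_cfg.get("apiServerArguments", {})
    auth_config = args.get("authentication-config") or []
    if not auth_config:
        return False, "authentication-config argument missing"
    if WEBHOOK_ARG in args:
        return False, f"{WEBHOOK_ARG} still present: {args[WEBHOOK_ARG]}"
    return True, f"authentication-config={auth_config}; no {WEBHOOK_ARG}"


def enabled_feature_gates(kas_cfg):
    """Return the set of gate names whose value is 'true' in feature-gates."""
    entries = kas_cfg.get("apiServerArguments", {}).get("feature-gates") or []
    enabled = set()
    for entry in entries:
        name, _, value = entry.partition("=")
        if value.strip().lower() == "true":
            enabled.add(name.strip())
    return enabled


def check_feature_gates(kas_cfg, required):
    """Step 4: every required OIDC feature gate is enabled."""
    missing = [g for g in required if g not in enabled_feature_gates(kas_cfg)]
    if missing:
        return False, f"feature gates not enabled: {missing}"
    return True, ", ".join(f"{g}=true" for g in required)


def run_scenario(auth_json, kas_json, expected_issuer, expected_audience):
    """Run all checks; returns {step label: (ok, evidence)}."""
    auth_cfg, kas_cfg = json.loads(auth_json), json.loads(kas_json)
    return {
        "steps 1-2 JWT authenticator": check_jwt_authenticator(auth_cfg, expected_issuer, expected_audience),
        "step 3 authentication-config": check_kas_arguments(kas_cfg),
        "step 4 feature gates": check_feature_gates(kas_cfg, REQUIRED_GATES),
    }


def overall_pass(results):
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    results = run_scenario(AUTH_JSON, KAS_CONFIG_JSON, EXPECTED_ISSUER, EXPECTED_AUDIENCE)
    for step, (ok, evidence) in results.items():
        print(f"{step}: {'PASS' if ok else 'FAIL'} - {evidence}")
    print("Overall:", "PASS" if overall_pass(results) else "FAIL")
```

To run it against a live cluster, replace the two constructed strings with the `oc get cm ... -o jsonpath=...` outputs shown above; the checks fail closed, so a leftover authentication-token-webhook-config-file or a missing feature gate is reported as FAIL rather than ignored.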
Key observations: