Athenz OIDC Authentication Provider Support for AWS EKS¶
AWS EKS can be configured to use Athenz as OIDC Authentication Provider to authorize access to configured EKS clusters.
Athenz Configuration¶
OIDC Spec requires that each client is uniquely identified within the OIDC Provider
and has a redirect URI configuration property set. In the context of Athenz, the
EKS cluster administrator first must create a unique service (e.g. athenz.prod.eks
:
service called eks
in the domain athenz.prod
)
Once the service is created, it must be registered with its redirect URI.
$ zms-cli -d <domain-name> set-service-endpoint <service-name> <redirect-uri>
AWS EKS Cluster Configuration¶
In the AWS Console, select EKS service, then choose your cluster from the list.
In the cluster view, select the Configuratiion
tab and then the Authentication
tab. Choose the Associate Identity Provider
button. In the dialog box specify
the following values (leave others blank):
- Identity Provider Name: athenz
- Issuer URL:
<athenz-zts-endpoint-uri> e.g. https://zts.athenz.io:8443/zts/v1
- Client ID:
<athenz-service-name> e.g. athenz.prod.eks
- Groups claim: groups
- Username prefix: athenz
- Groups prefix: athenz
AWS EKS Cluster Role Binding¶
Next we need to set up and bind a role with subjects authenticated by
the Athenz OIDC Provider. In this example, we'll use the cluster-admin
role and allow any user in the athenz.prod
domain eks-cluster-admins
role to assume the capabilities authorized by the cluster-admin
role.
Create the following yaml called cluster-group.yaml
. It binds an ID token
from Athenz provider having the groups claim of eks-cluster-admins
to be
authorized as cluster admins in EKS.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: oidc-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: Group
name: athenz:eks-cluster-admins
Use kubectl
to apply it to your cluster.
$ kubectl apply -f cluster-group.yaml
clusterrolebinding.rbac.authorization.k8s.io/oidc-cluster-admin created
Checkout the Kubernetes Guide for full details on Role/RoleBinding and ClusterRole/ClusterRoleBinding authorization support in your cluster.
Athenz Role Configuration¶
Make sure your Athenz domain associated with your ClientID identified service has the role referenced in the above configuration and the users who should be authorized as cluster administrators are members in that role.
Based on our example above:
$ zms-cli -o yaml -d athenz.prod show-role eks-cluster-admins
name: athenz.prod:role.eks-cluster-admins
modified: "2022-01-21T22:17:59.291Z"
rolemembers:
- membername: user.john
active: true
approved: true
OIDC ID Token Support¶
Install the zts-idtoken
utility to obtain OIDC ID Tokens from AWS
ZTS instance and request an ID token from ZTS. The returned value from the zts-idtoken
utility is the id token that we need to submit to AWS EKS. The utility assumes you are
using X.509 key/cert to authenticate to the ZTS Server. The issued ID tokens are valid
for 1 hour only.
$ zts-idtoken -zts <athenz-zts-endpoint-uri> -svc-key-file <service-key> -svc-cert-file <service-cert> -client-id athenz.prod.eks -nonce as324sdfa3 -scope "openid roles" -redirect-uri <redirect-uri>
eyJraWQiOiJ6dHMuZWMudXM.....td2VzdC0yLjAiLCJhbGciOi
We can now use the id token as the value of the --token argument for kubectl
to manage
our AWS EKS cluster:
$ kubectl --token=eyJraWQiOiJ6dHMuZWMudXM.....td2VzdC0yLjAiLCJhbGciOi get pods -n sia
NAME READY STATUS RESTARTS AGE
sia-agent-cfl4n 1/1 Running 0 35d
sia-agent-dwbhn 1/1 Running 0 35d