EKS Anywhere, SSO with KeyCloak OIDC

Ambar Hassani
3 min read · May 4, 2022

This article is a part of the multi-part story of EKS Anywhere. Access it here EKS Anywhere, extending the Hybrid cloud momentum | by Ambar Hassani | Apr, 2022 | Medium

Motivation for this article: beyond a single snippet in the official documentation, there is no complete example of EKS Anywhere with OIDC authentication.

In addition, most of the internet examples for OIDC assume that either

  • The KeyCloak OIDC server certificate is signed by an external, well-known Certificate Authority, or
  • You are using the typical method of cert-manager plus LetsEncrypt, in which case your KeyCloak server needs to be accessible from the internet (due to the certificate validation methods used by LetsEncrypt)

In my case, the KeyCloak server is a private entity and is not exposed to the Internet. In addition, I will be using a self-signed certificate as the KeyCloak server is internal and accessible via private IP. Therefore, I had to resort to a method that works with these constraints in place.

What are we going to achieve?

EKS Anywhere and KeyCloak SSO workflow model
  • In this example, we will configure KeyCloak as an OIDC provider for all the EKS Anywhere clusters (management and workload).
  • The KeyCloak server will be running as a Docker container on our EKS Administrative machine itself. In addition to being an OIDC provider for our EKS Anywhere clusters, the KeyCloak server will also be leveraged for OIDC-based SSO towards other use cases (GitLab, Portainer, ArgoCD, Kubeapps, etc.)
  • Next, we will set up the RBAC on the EKS Anywhere clusters to map the OIDC groups to their respective permissions. The Kubernetes and KeyCloak RBAC mappings are shown in the above flow diagram.
  • Lastly, we will simulate the OIDC user access via browserless contexts:
    • user-admin has a cluster-wide admin role and can define namespaces, etc.
    • user-dev has a cluster-wide edit role and, as an example, cannot define namespaces, however can create deployments, etc.
    • user-view-only cannot create any resource and cannot view nodes, etc., however can view the other resources as per the standard role of “edit”
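As an added example that is not part of this article, the three mappings above expressed as Kubernetes ClusterRoleBindings against the built-in cluster roles. The group names eksa-admins, eksa-developers and eksa-viewers and the oidc: prefix are assumptions: they must match the groups KeyCloak places in the token and the prefix configured for the cluster's OIDC authentication.

```yaml
# Added example, not from the article. Binds OIDC groups (not individual
# users) to the built-in ClusterRoles, so access follows group membership
# in KeyCloak. Assumed: group prefix "oidc:" and the group names below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admins        # user-admin: cluster-wide admin, may create namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "oidc:eksa-admins"       # assumed KeyCloak group
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-editors       # user-dev: can create deployments, not namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "oidc:eksa-developers"   # assumed KeyCloak group
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-viewers       # user-view-only: read-only, no node access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "oidc:eksa-viewers"      # assumed KeyCloak group
# Check the least-privilege outcome before handing out credentials, e.g.:
#   kubectl auth can-i create namespaces --as=oidc:user-dev --as-group=oidc:eksa-developers
#   kubectl auth can-i list nodes --as=oidc:user-view-only --as-group=oidc:eksa-viewers
# Both should answer "no".
```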

Prerequisites

Your EKS Anywhere Administrative machine is set up. Ensure that the procedure from the main article EKS Anywhere., Building the Administrative machine | by Ambar Hassani | Apr, 2022 | Medium has been completed.

IMPORTANT NOTE:

  • Do not switch the ubuntu user to root on the EKSA Administrative machine while performing the below procedures. Terraform and Homebrew are installed via the ubuntu Linux user. If you switch to root, it will cause permission issues.

What to do next? In summary, you can simply execute the steps in each of the articles linked below, in sequence:

EKS Anywhere., Creating a simple KeyCloak server for various use-cases | by Ambar Hassani | Jul, 2022 | Medium

EKS Anywhere., enabling KeyCloak OIDC SSO configuration on the clusters | by Ambar Hassani | Jul, 2022 | Medium

EKS Anywhere., validating KeyCloak OIDC SSO access to clusters for kubectl | by Ambar Hassani | Jul, 2022 | Medium

Although it is a long read split into three separate articles, hopefully you will be able to comprehend the details and leverage the same in your own setup.

cheers

Ambar@thecloudgarage

#iwork4dell
