EKS Anywhere, SSO with KeyCloak OIDC
This article is a part of the multi-part story of EKS Anywhere. Access it here EKS Anywhere, extending the Hybrid cloud momentum | by Ambar Hassani | Apr, 2022 | Medium
Motivation for this article. There is no complete example of EKS Anywhere with OIDC authentication beyond one snippet in the official documentation.
In addition, most of the internet examples for OIDC assume that either
- The KeyCloak OIDC server certificate is signed by an external well known Certificate Authority OR.,
- You are using the typical method of cert-manager plus LetsEncrypt., in which case your KeyCloak server needs to be accessible from the internet (due to certificate validation methods used by LetsEncrypt)
In my case, the KeyCloak server is a private entity and is not exposed to the Internet. In addition, I will be using a self-signed certificate as the KeyCloak server is internal and accessible via private IP. Therefore, I had to resort to a method that works with these constraints in place.
What are we going to achieve?
- In this example, we will configure KeyCloak as an OIDC provider for all the EKS Anywhere clusters (management and workload).
- The KeyCloak server will be running as a docker container on our EKS Administrative machine itself. In addition to being an OIDC provider for our EKS Anywhere clusters, the KeyCloak server will also be leveraged for OIDC based SSO towards other use cases (GitLab, Portainer, ArgoCD, Kubeapps, etc.)
- Next, we will setup the RBAC on the EKS Anywhere clusters to map the OIDC groups for respective permissions. The Kubernetes and KeyCloak RBAC mappings are seen in the above flow diagram
- Lastly, we will simulate the OIDC user access via browserless contexts
- user-admin has a cluster-wide admin role and can define namespaces, etc.
- user-dev cluster-wide edit role and as an example cannot define namespaces, however can create deployments, etc.
- user-view-only cannot create any resource and cannot view nodes, etc., however can view the other resources as per the standard role of “edit”
Prerequisites
Your EKS Anywhere Administrative machine is setup. Ensure that the procedure from the main article EKS Anywhere., Building the Administrative machine | by Ambar Hassani | Apr, 2022 | Medium has been completed
IMPORTANT NOTE:
- Do not switch the ubuntu user to root on EKSA Administrative machine while performing the below procedures. Terraform and Homebrew are installed via ubuntu Linux user. If you switch to root, it will cause permission issues.
What to do next? In summary you can just execute the steps in each of the below linked articles in a sequential manner
Although a long read split in to three separate articles., hopefully you will be able to comprehend the details and can leverage the same in your own setup.
cheers
Ambar@thecloudgarage
#iwork4dell