EKS Anywhere., validating KeyCloak OIDC SSO access to clusters for kubectl
This article is part of the series EKS Anywhere, extending the Hybrid cloud momentum | by Ambar Hassani | Apr, 2022 | Medium
In the previous two related articles, we have already setup the KeyCloak server and also configured our EKS Anywhere cluster for OIDC access.
In this article, we will observe how to access the OIDC enabled cluster via kubectl. While there are many plugins/methods available to do so., it largely depends on whether you prefer a browser based or a browserless authentication method to access the cluster. We will document the latter (browserless) method as it greatly simplifies the challenges one would face in case of logins via jump hosts or where browser-based authentications are not feasible.
We can test the below procedure right from the EKS Anywhere Administrative machine as it already has kubectl installed. Alternatively, in this specific example, I will assume a developer machine with WSL2 Ubuntu installed with kubectl.
The main goal is to create the kubectl contexts for various users and validate access levels. Recall our RBAC arrangement (oidc user/groups, k8s rbac role mappings) via the previous two articles
- user-admin | kube-admin |cluster-admin role
- user-dev | kube-dev | edit role
- user-view-only | kube-view-only | view role
Let’s begin by performing the below procedure on any Linux machine which has kubectl installed.
- Create a new file named create-oidc-contexts.sh under $HOME and make it executable
- Copy and paste the contents of the below given raw gist to the above created file
https://gist.github.com/thecloudgarage/fdf0cdc89a49ed0fcf75c19b69e5eb8e
Repeat the below script for each of the OIDC user & cluster pairs. In this case, since we have only one cluster and 3 users, a total of 3 contexts needs to be created, i.e., the below script needs to be run thrice with each of the OIDC usernames. Repeat the script for additional clusters & user pairs.
source $HOME/create-oidc-contexts.sh
The script will prompt you for the below parameters on a per context basis. I have provided my setup's parameters. Yours could be different depending on what you have set the values in the previous two exercises (KeyCloak server setup and OIDC enablement on EKS Anywhere cluster)
* oidcClusterName: oidctestcluster01
* fqdnOfKeyCloakServer: keycloak.thecloudgarage.com
* oidcClientId: kube (yours will be the same)
* oidcClientSecret: kube-client-secret (yours will be the same)
* oidcUsername: user-admin or user-dev or user-view-only
* oidcPassword: user-admin or user-dev or user-view-only
* apiServerEndpoint: 172.24.165.11 (yours will be different)
Let’s observe the actual execution of this script in my machine as I intend to access the EKS Anywhere cluster named testwk01 which is configured for KeyCloak SSO OIDC
NOTE:
- The client secret for all contexts will be kube-client-secret
- The password for OIDC users is same as the username
Let’s create the context for user-admin and oidctestcluster01 cluster
source create-oidc-contexts.sh
Input OIDC enabled cluster name for kubectl context
oidClusterName: oidctestcluster01
Input your OIDC servers FQDN
fqdnOfKeyCloakServer: keycloak.thecloudgarage.com
Input your OIDC client id
oidcClientId: kube
Input your OIDC Secret
oidcClientSecret:
Input your OIDC Username
oidcUsername: user-admin
Input your OIDC Password
oidcPassword:
Provide the API server endpoint in the format https://172.24.165.11:6443
Ensure that https and port number 6443 is mentioned as specififed in the above format
Only in cases e.g. eks public clusters, you can omit the port number as it provides a load-balancer URL
apiServerEndpoint: https://172.24.165.11:6443
Cluster "oidctestcluster01" set.
depth=0 C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = keycloak.thecloudgarage.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = keycloak.thecloudgarage.com
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3816 100 3673 100 143 29861 1162 --:--:-- --:--:-- --:--:-- 31024
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3816 100 3673 100 143 31127 1211 --:--:-- --:--:-- --:--:-- 32338
deleted user user-admin from /home/ubuntu/.kube/config
warning: this removed your active context, use "kubectl config use-context" to select a different one
deleted context user-admin-oidctestcluster01 from /home/ubuntu/.kube/config
Property "current-context" unset.
User "user-admin" set.
Context "user-admin-oidctestcluster01" created.
Switched to context "user-admin-oidctestcluster01".
Let’s create the context for user-dev and oidctestcluster01 cluster
source create-oidc-contexts.sh
Input OIDC enabled cluster name for kubectl context
oidClusterName: oidctestcluster01
Input your OIDC servers FQDN
fqdnOfKeyCloakServer: keycloak.thecloudgarage.com
Input your OIDC client id
oidcClientId: kube
Input your OIDC Secret
oidcClientSecret:
Input your OIDC Username
oidcUsername: user-dev
Input your OIDC Password
oidcPassword:
Provide the API server endpoint in the format https://172.24.165.11:6443
Ensure that https and port number 6443 is mentioned as specififed in the above format
Only in cases e.g. eks public clusters, you can omit the port number as it provides a load-balancer URL
apiServerEndpoint: https://172.24.165.12:6443
Cluster "oidctestcluster01" set.
depth=0 C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = keycloak.thecloudgarage.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = keycloak.thecloudgarage.com
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3774 100 3635 100 139 28849 1103 --:--:-- --:--:-- --:--:-- 29952
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3774 100 3635 100 139 29795 1139 --:--:-- --:--:-- --:--:-- 30934
deleted user user-dev from /home/ubuntu/.kube/config
deleted context user-dev-oidctestcluster01 from /home/ubuntu/.kube/config
Property "current-context" unset.
User "user-dev" set.
Context "user-dev-oidctestcluster01" created.
Switched to context "user-dev-oidctestcluster01".
And lastly for user-view-only and cluster oidctestcluster01
source create-oidc-contexts.sh
Input OIDC enabled cluster name for kubectl context
oidClusterName: oidctestcluster01
Input your OIDC servers FQDN
fqdnOfKeyCloakServer: keycloak.thecloudgarage.com
Input your OIDC client id
oidcClientId: kube
Input your OIDC Secret
oidcClientSecret:
Input your OIDC Username
oidcUsername: user-view-only
Input your OIDC Password
oidcPassword:
Provide the API server endpoint in the format https://172.24.165.11:6443
Ensure that https and port number 6443 is mentioned as specififed in the above format
Only in cases e.g. eks public clusters, you can omit the port number as it provides a load-balancer URL
apiServerEndpoint: https://172.24.165.12:6443
Cluster "oidctestcluster01" set.
depth=0 C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = keycloak.thecloudgarage.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = IN, ST = MH, L = Mumbai, O = stack, OU = devops, CN = keycloak.thecloudgarage.com
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3898 100 3747 100 151 31487 1268 --:--:-- --:--:-- --:--:-- 32756
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3898 100 3747 100 151 31225 1258 --:--:-- --:--:-- --:--:-- 32483
deleted user user-view-only from /home/ubuntu/.kube/config
deleted context user-view-only-oidctestcluster01 from /home/ubuntu/.kube/config
Property "current-context" unset.
User "user-view-only" set.
Context "user-view-only-oidctestcluster01" created.
Switched to context "user-view-only-oidctestcluster01".
Now that all the three contexts are set., we can verify them in our kube config file
KUBECONFIG=$HOME/.kube/config
kubectl config get-contexts
KUBECONFIG=$HOME/.kube/config
kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
user-admin-oidctestcluster01 oidctestcluster01 user-admin
user-dev-oidctestcluster01 oidctestcluster01 user-dev
* user-view-only-oidctestcluster01 oidctestcluster01 user-view-only
Let’s start validating the access levels by switching the contexts
Let’s begin by switching context to user-admin that has a cluster role of cluster-admin. We can see that this context can create namespaces and retrieve node information
kubectl config use-context user-admin-oidctestcluster01
Switched to context "user-admin-oidctestcluster01".
kubectl create namespace testone
namespace/testone created
kubectl get nodes
NAME STATUS ROLES AGE VERSION
oidctestcluster01-ftqg7 Ready control-plane,master 18h v1.21.13-eks-b88cc51
oidctestcluster01-kv7q6 Ready control-plane,master 18h v1.21.13-eks-b88cc51
oidctestcluster01-md-0-7595c49d8d-5vc59 Ready <none> 18h v1.21.13-eks-b88cc51
oidctestcluster01-md-0-7595c49d8d-6khmx Ready <none> 18h v1.21.13-eks-b88cc51
Next let’s switch the context to user-dev which has a cluster role of edit. As you can see that this role restricts the permissions model to certain actions as implicitly defined in the default “edit” role
kubectl config use-context user-dev-oidctestcluster01
Switched to context "user-dev-oidctestcluster01".
kubectl get namespace
NAME STATUS AGE
default Active 18h
kube-node-lease Active 18h
kube-public Active 18h
kube-system Active 18h
testone Active 3m27s
kubectl create namespace testtwo
Error from server (Forbidden): namespaces is forbidden: User "user-dev@emaildomainname" cannot create resource "namespaces" in API group "" at the cluster scope
kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "user-dev@emaildomainname" cannot list resource "nodes" in API group "" at the cluster scope
kubectl get pods
No resources found in default namespace.
Lastly, let’s switch the context to user-dev. Likewise, as per the permissions implicit to the default “view” cluster role, the user can only perform certain restricted actions
kubectl config use-context user-view-only-oidctestcluster01
Switched to context "user-view-only-oidctestcluster01".
kubectl get namespace
NAME STATUS AGE
default Active 18h
kube-node-lease Active 18h
kube-public Active 18h
kube-system Active 18h
testone Active 6m25s
kubectl get pods
No resources found in default namespace.
kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "user-view-only@emaildomainname" cannot list resource "nodes" in API group "" at the cluster scope
That’s it! Hopefully, you would have understood the interaction model between EKS Anywhere clusters & KeyCloak SSO OIDC., and how you can effectively create organization wide policy derivatives to secure Kubernetes access
cheers
Ambar@thecloudgarage
#iwork4dell