EKS Webhook Token Authentication

From NovaOrdis Knowledge Base
=Internal=
* [[Kubernetes_Security_Concepts#EKS_Webhook_Token_Authentication|Kubernetes Security Concepts]]
* [[Amazon_EKS_Concepts#Webhook_Token_Authentication|EKS Concepts]]
=Overview=

EKS has native support for [[Kubernetes_Security_Concepts#Bearer_Tokens|bearer tokens]] and [[Kubernetes_Security_Concepts#Webhook_Token_Authentication|webhook token authentication]]. The bearer token is the only piece of information that carries the caller's identity to the Kubernetes API server. It is a pre-signed STS <code>GetCallerIdentity</code> URL: the request is SigV4-signed with the caller's AWS credentials, the cluster name is bound into the signature through the <code>x-k8s-aws-id</code> header, and the result is prefixed with <code>k8s-aws-v1.</code> and base64url-encoded. The API server never sees an AWS secret key. The authentication webhook (aws-iam-authenticator, which EKS runs for you) replays the pre-signed request to STS with its own cluster name in the header, STS returns the ARN of the credentials that signed it, and that ARN is mapped to a Kubernetes user and groups. A token is honoured for 15 minutes after the <code>X-Amz-Date</code> it was signed with, and a token signed for one cluster fails the STS signature check on any other.
 
For more details:
{{External|https://aws.github.io/aws-eks-best-practices/iam/#controlling-access-to-eks-clusters}}
{{External|https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html}}
 
=Generate a Token=

The command prints an <code>ExecCredential</code> JSON document whose <code>status.token</code> field holds the bearer token. This is the format kubectl's exec credential plugin expects, which is why <code>aws eks update-kubeconfig</code> wires this command into the <code>users[].user.exec</code> section of the kubeconfig. The token is built from whatever credentials the AWS CLI resolves, so the caller needs no Kubernetes-side secret, only valid AWS credentials and an <code>aws-auth</code> mapping for the resulting identity.

For the identity behind the current <code>AWS_PROFILE</code> (an IAM user or an already-assumed role):

<syntaxhighlight lang='bash'>
aws eks get-token --cluster-name <cluster-name>
</syntaxhighlight>

For an arbitrary IAM role, which the CLI assumes first (the current identity must be allowed to <code>sts:AssumeRole</code> it); the token then carries the assumed role's identity, not the caller's own:

<syntaxhighlight lang='bash'>
aws eks get-token --cluster-name <cluster-name> --role-arn <role-arn>
</syntaxhighlight>
 
=Mapping the IAM Identity back to Kubernetes Identity=
The ARN that STS returns to the webhook is looked up in the <code>aws-auth</code> ConfigMap in <code>kube-system</code> (<code>mapRoles</code> for roles, <code>mapUsers</code> for users) to obtain a Kubernetes username and groups; RBAC then acts on those. An identity with no mapping authenticates at STS but is rejected by the cluster.
{{Internal|Amazon_EKS_Operations#Allowing_Additional_Users_to_Access_the_Cluster|Allowing Additional Users to Access the Cluster}}
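The following Python is an added example, not code from this page, from the AWS CLI or from aws-iam-authenticator. It serves both the Overview (what is inside a token and what the webhook checks before replaying it to STS) and the mapping section (turning the ARN STS returns into the form <code>aws-auth</code> is keyed on). The <code>ExecCredential</code> document and the pre-signed URL are constructed here, with a placeholder signature that STS would reject; function names such as <code>inspect_token</code> and <code>canonical_arn</code> are this example's own, and the STS host check is a simplification of the explicit endpoint allowlist a real webhook uses.

```python
"""Decode and structurally check an EKS bearer token the way the authentication
webhook does before replaying it to STS, then canonicalize the returned ARN for
aws-auth. Added example; the token below is constructed and its signature is a
placeholder, so STS would reject the replay."""
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

V1_PREFIX = "k8s-aws-v1."
CLUSTER_ID_HEADER = "x-k8s-aws-id"          # header that binds a token to one cluster
TOKEN_LIFETIME = timedelta(minutes=15)      # STS honours the URL 15 min after X-Amz-Date

# Constructed pre-signed GetCallerIdentity URL (signature is all zeros on purpose).
PRESIGNED_URL = (
    "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20201002%2Fus-east-1%2Fsts%2Faws4_request"
    "&X-Amz-Date=20201002T012800Z&X-Amz-Expires=60"
    "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id"
    "&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000000"
)
NOW_OK = datetime(2020, 10, 2, 1, 30, tzinfo=timezone.utc)    # 2 min after signing
NOW_LATE = datetime(2020, 10, 2, 1, 50, tzinfo=timezone.utc)  # 22 min after signing


def encode_token(presigned_url: str) -> str:
    """What the CLI emits: prefix + unpadded base64url of the pre-signed URL."""
    return V1_PREFIX + base64.urlsafe_b64encode(presigned_url.encode()).decode().rstrip("=")


def decode_token(token: str) -> str:
    if not token.startswith(V1_PREFIX):
        raise ValueError("not a k8s-aws-v1 token")
    body = token[len(V1_PREFIX):]
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()


def token_from_exec_credential(doc: str) -> str:
    """Pull status.token out of the ExecCredential JSON that `aws eks get-token` prints."""
    cred = json.loads(doc)
    if cred.get("kind") != "ExecCredential":
        raise ValueError("not an ExecCredential document")
    return cred["status"]["token"]


def inspect_token(token: str, now: datetime) -> dict:
    """Checks a webhook makes before sending the URL to STS with its own x-k8s-aws-id.
    No signature verification happens here: only STS can do that, and it rejects the
    replay if the cluster name the webhook sends differs from the one the client signed."""
    url = urlparse(decode_token(token))
    q = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
    host = url.hostname or ""
    if url.scheme != "https" or url.path not in ("", "/"):
        raise ValueError("unexpected scheme or path")
    # Simplified host check; a real webhook compares against an explicit list of STS endpoints.
    if not (host == "sts.amazonaws.com" or (host.startswith("sts.") and host.endswith(".amazonaws.com"))):
        raise ValueError(f"not an STS endpoint: {host}")
    if q.get("action") != "GetCallerIdentity" or q.get("x-amz-algorithm") != "AWS4-HMAC-SHA256":
        raise ValueError("not a SigV4 pre-signed GetCallerIdentity request")
    if CLUSTER_ID_HEADER not in q.get("x-amz-signedheaders", "").split(";"):
        raise ValueError("cluster id header not signed: token could be replayed against any cluster")
    if not 0 < int(q.get("x-amz-expires", "0")) <= 60:
        raise ValueError("X-Amz-Expires out of range")
    signed_at = datetime.strptime(q["x-amz-date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_at = signed_at + TOKEN_LIFETIME
    if now > expires_at:
        raise ValueError("token expired")
    access_key_id, _, region, service, _ = q["x-amz-credential"].split("/")
    if service != "sts":
        raise ValueError("credential scope is not sts")
    return {"access_key_id": access_key_id, "region": region, "expires_at": expires_at.isoformat()}


def is_valid(token: str, now: datetime) -> bool:
    try:
        inspect_token(token, now)
        return True
    except ValueError:
        return False


def canonical_arn(sts_arn: str) -> str:
    """STS reports an assumed role as arn:aws:sts::ACCT:assumed-role/NAME/SESSION; aws-auth
    mapRoles is keyed on the role itself, arn:aws:iam::ACCT:role/NAME. IAM users pass through."""
    parts = sts_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {sts_arn}")
    partition, service, account, resource = parts[1], parts[2], parts[4], parts[5]
    if service == "sts" and resource.startswith("assumed-role/"):
        return f"arn:{partition}:iam::{account}:role/{resource.split('/')[1]}"
    if service == "iam" and resource.split("/")[0] in ("user", "role"):
        return sts_arn
    raise ValueError(f"unsupported identity: {sts_arn}")


# Constructed stand-in for the CLI's output, carrying the token built above.
EXEC_CREDENTIAL = json.dumps({
    "kind": "ExecCredential",
    "apiVersion": "client.authentication.k8s.io/v1alpha1",
    "spec": {},
    "status": {"expirationTimestamp": "2020-10-02T01:43:00Z", "token": encode_token(PRESIGNED_URL)},
})

if __name__ == "__main__":
    tok = token_from_exec_credential(EXEC_CREDENTIAL)
    print(inspect_token(tok, NOW_OK))
    print(canonical_arn("arn:aws:sts::123456789012:assumed-role/eks-admin/alice"))
```

Two practical consequences follow from the structure above. A token contains the access key ID and region in clear text but never the secret key, so leaking one exposes a 15-minute cluster credential, not the AWS identity itself. And because the assumed-role ARN carries no IAM path, the canonical form is path-less: the <code>rolearn</code> entries in <code>aws-auth</code> must be written as <code>arn:aws:iam::ACCT:role/NAME</code>, not as the session ARN and not with a path.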

Latest revision as of 01:28, 2 October 2020