From the description of the issue, I can see that you wish to set up IRSA (IAM Roles for Service Accounts) to allow ServiceAccount - IAM Role mapping such that you can apply fine-grained access controls for your self-managed Kubernetes cluster. Since your self-managed Kubernetes cluster is fully private, so you wish to know how to configure an OIDC provider in the account for IRSA as it accepts only a public URL.
I would like to mention that IAM roles for service accounts provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a Kubernetes service account and configure your pods to use the service account. To use AWS Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster that would be added as an Identity Provider at the IAM side.
Now, for self-managed EKS clusters, as of 1.16 Kubernetes does not include an OIDC discovery endpoint itself, so you will need to put your public signing key somewhere that AWS STS can discover it i.e. need to provide a public URL for the issuer. In order to achieve the same, as a workaround, you can put your signing keys as public objects in an S3 bucket. Firstly, as part of the OIDC spec, host an OIDC discovery and a keys JSON document. After you have the "keys.json" and "discovery.json" files, you'll need to place them in your bucket. It is critical these objects are public so, STS can access them. Please refer the Github link for step by step guidance on the same. Once you have done this, you can follow the process in the EKS documentation and substitute the cluster issuer with the S3 bucket issuer URL containing the keys json document("https://$ISSUER_HOSTPATH").
Hi Nikita, thanks for your response. I know that "as of 1.16 Kubernetes does not include an OIDC discovery endpoint itself" but my Kubernetes distro includes OIDC (and other platform services, like Dex for LDAP auth). I was wondering if I can use existing endpoint but I think no because it is fully private. Creating an S3 bucket as described is not easy because the issuer is already configured on the API Server with the internal OIDC endpoint.
- AWS OFFICIALUpdated 15 days ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated a month ago
- EXPERTpublished 2 years ago