The context is enabling authenticated and authorized access to Kubernetes Dashboard in an AWS EKS instance via an AWS ALB configured with OIDC authenticate.
The Kubernetes Dashboard is being protected by an AWS ELBv2 load balancer. It is created and configured by Ingress resource and the ALB Controller v2 (v2.2.3). This works.
FWIW: We are Azure AD as the IdP.
We are also using the OIDC Provider configuration on the Kubernetes (EKS) API. We are successfully using OIDC authenticated access from kubectl to access the API and apply RBAC.
We are using ClusterRoleBinding to test with Cluster Admin users.
Authentication works.
However, the Kubernetes Dashboard still presents its internal token challenge page, because it does not get the Access Token, because the ALB removed it and put it in the X-AMZN-OIDC-* header.
We had some success with:
alb.ingress.kubernetes.io/configuration-snippet:
auth_request_set $token $upstream_http_authorization;
proxy_set_header Authorization $token;
proxy_pass_header Authorization;
Is this the best way to do this?
Is there a better way to configure the ALB to attach the Access Token it obtained from the IdP's token endpoint as an Authorization: Bearer <token>, rather than in a separate header?
