Configuring the #Kubernetes #OIDC provider

XXX

XXX https://github.com/aws/amazon-eks-pod-identity-webhook

XXX S3 as per self-hosted setup https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md

XXX k8s itself is an OIDC provider: the API server signs service account tokens (JWTs) and publishes the matching discovery and JWKS endpoints

XXX by default the issuer (iss claim) and the published URLs point at the API server address, which in a kubeadm-style cluster is an IP address

XXX fix by setting the issuer on kube-apiserver: the iss claim of service account tokens is controlled by --service-account-issuer=https://my-cluster.dille.io/ (note that --oidc-issuer-url is a different flag: it makes the API server validate user tokens from an external OIDC provider and does not change the tokens it issues)

XXX an OIDC provider must offer a /.well-known/openid-configuration endpoint that relying parties (here: AWS IAM) fetch to locate the signing keys

XXX the k8s builtin endpoint (kubectl get --raw /.well-known/openid-configuration | jq) is not compliant: authorization_endpoint, which the discovery spec marks as required, is missing, and jwks_uri points at the API server IP, which is unreachable from outside the cluster:

XXX OIDC Discovery Spec https://openid.net/specs/openid-connect-discovery-1_0.html

{
  "issuer": "https://luigi.oidc.k8s.haufedev.systems",
  "jwks_uri": "https://10.11.8.209:6443/openid/v1/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ]
}

XXX check the JWKS endpoint using kubectl get --raw /openid/v1/jwks (the keys here must match the ones served publicly, otherwise token validation fails)

XXX solution: serve a compliant /.well-known/openid-configuration document under the issuer hostname and proxy /openid/v1/jwks from the API server (or publish a static copy of it as keys.json)

XXX the .well-known/openid-configuration document to provide ($ISSUER_HOSTPATH is the public hostname, optionally with a path, that is also used as --service-account-issuer):

{
    "issuer": "https://$ISSUER_HOSTPATH/",
    "jwks_uri": "https://$ISSUER_HOSTPATH/keys.json",
    "authorization_endpoint": "urn:kubernetes:programmatic_authorization",
    "response_types_supported": [
        "id_token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "claims_supported": [
        "sub",
        "iss"
    ]
}

XXX run a web server that serves the two documents (/.well-known/openid-configuration and /keys.json) over HTTPS with a publicly trusted certificate

XXX create an ingress with two paths under the issuer hostname, one for each document
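As an added example, not part of these notes or of the pod identity webhook project, here is a small Python check that flags the problems described above in a discovery document (missing required fields, IP-address or non-HTTPS URLs, a jwks_uri host that differs from the issuer) and builds the compliant replacement document; the builtin document and the hostname luigi.oidc.k8s.haufedev.systems are taken from the notes, the check function and field list are assumptions derived from the OIDC Discovery spec.

```python
"""Check a Kubernetes OIDC discovery document and build the compliant one."""
import ipaddress
import json
from urllib.parse import urlparse

# Fields the OIDC Discovery spec (section 3) marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_discovery(doc):
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing {f}" for f in REQUIRED if f not in doc]
    for field in ("issuer", "jwks_uri"):
        url = urlparse(doc.get(field, ""))
        if field in doc and url.scheme != "https":
            problems.append(f"{field} must use https")
        if url.hostname and _is_ip(url.hostname):
            problems.append(f"{field} points at an IP address ({url.hostname})")
    iss = urlparse(doc.get("issuer", "")).hostname
    jwks = urlparse(doc.get("jwks_uri", "")).hostname
    if iss and jwks and iss != jwks:
        problems.append("jwks_uri host differs from issuer host")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not advertised")
    return problems

def build_discovery(issuer_hostpath):
    """Build the document to serve at /.well-known/openid-configuration."""
    base = "https://" + issuer_hostpath.strip("/")
    return {
        "issuer": base + "/",
        "jwks_uri": base + "/keys.json",
        "authorization_endpoint": "urn:kubernetes:programmatic_authorization",
        "response_types_supported": ["id_token"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"],
        "claims_supported": ["sub", "iss"],
    }

# Constructed sample: what kube-apiserver returned in the notes above.
BUILTIN_DOC = json.loads("""{"issuer": "https://luigi.oidc.k8s.haufedev.systems",
  "jwks_uri": "https://10.11.8.209:6443/openid/v1/jwks",
  "response_types_supported": ["id_token"], "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]}""")

if __name__ == "__main__":
    for p in check_discovery(BUILTIN_DOC):
        print("builtin:", p)
    print(json.dumps(build_discovery("luigi.oidc.k8s.haufedev.systems"), indent=2))
```

Run it against the live document with `kubectl get --raw /.well-known/openid-configuration` piped into `json.loads` to confirm the same findings on your own cluster.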