AWS-EKS-03 -- Creating an IAM OIDC identity provider

Summary

Create an IAM OIDC identity provider for the cluster

  • To use certain Amazon EKS add-ons, or to give individual Kubernetes workloads specific AWS Identity and Access Management (IAM) permissions, create an IAM OpenID Connect (OIDC) provider for the cluster.

  • An IAM OIDC provider only needs to be created once per cluster.

  • Check whether an IAM OIDC provider with your cluster's ID already exists in your account

# Check whether the cluster already has an IAM OIDC provider. Retrieve the cluster's OIDC provider ID and store it in a variable
$ oidc_id=$(aws eks describe-cluster --name eks-lexing --profile eks-us-west-2 --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
# If the command below returns output, the cluster already has an IAM OIDC provider and you can skip the next step. If it returns nothing, you must create an IAM OIDC provider for the cluster.
$ aws iam --profile eks-us-west-2 list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
  • Create an IAM OIDC identity provider for your cluster with the following command

$ eksctl utils associate-iam-oidc-provider --cluster eks-lexing --profile eks-us-west-2 --approve
2023-06-28 15:38:20 [ℹ] will create IAM Open ID Connect provider for cluster "eks-lexing" in "us-west-2"
2023-06-28 15:38:21 [✔] created IAM Open ID Connect provider for cluster "eks-lexing" in "us-west-2"

# View the cluster's OIDC provider URL; if this command returns nothing, the IAM OIDC identity provider has not been created yet
$ aws eks describe-cluster --name eks-lexing --query "cluster.identity.oidc.issuer" --output text --profile eks-us-west-2
https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56

$ aws iam --profile eks-us-west-2 list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
1029FF88CB8725555A1CC65D44191A56"

Viewing the OIDC metadata

  • Append /.well-known/openid-configuration to the cluster's OIDC provider URL

$ curl https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56/.well-known/openid-configuration -s| python -m json.tool
{
"authorization_endpoint": "urn:kubernetes:programmatic_authorization",
"claims_supported": [
"sub",
"iss"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"issuer": "https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56",
"jwks_uri": "https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56/keys",
"response_types_supported": [
"id_token"
],
"subject_types_supported": [
"public"
]
}
  • Then look at the URL in jwks_uri: the keys served there are what IAM uses to check that the ID token presented by an EKS service account is valid.

curl https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56/keys -s | python -m json.tool
{
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"kid": "4e49f2d2c6c8550c55556b01637a93a8a4f941e5",
"kty": "RSA",
"n": "rEKprAR5nRAHfulQyyI9unXUNpczPCKZO8hXVuTiKrwlzdI7pETs6g0hWQaKe96n4p-KERF-dc-KajboMqrCfsff7boVJdnA9k8CljwKvt-5ILyXe07ASZQkkbDgpY30GNvMB7tbhiwkaNjuBzrLsO2Ipom5rzlK3i6rjHxp3O94BgMbMMt4trvWtJ9vmhWILihkl_e8--5JOOzjjeNcrNoK_o5LxbHSetaALoGAk-XbCmUeFDWvLQ",
"use": "sig"
},
{
"alg": "RS256",
"e": "AQAB",
"kid": "831cd2c5a14af3ff3ee5555ab1edf6dc7d7fb54d",
"kty": "RSA",
"n": "xdlnMmc1lUGyVlt58621Arf-2Ytxxe5HCiBguYe1Y4DYvfxTzknH3x07Q1sMQLNGHV_4d-bT29ufhAnht6AaLcuxtxaonEcMArh95bnuau6-GFMe06XaBYlMDoTcf_czTGdI4On7veJtMpSsNlHNj507Jn6mcH8TGHIl6qRwj9NZSaoADrkDO87O-w71l1c2a3m0us1vWir0QJdZ3J2al4k1Qm7KZT-dN9rs2LquQS0s6MTX-VdQLFb",
"use": "sig"
},
{
"alg": "RS256",
"e": "AQAB",
"kid": "eba5269e0fedd9431af2755550dd09f85bec7ad0",
"kty": "RSA",
"n": "qzfrIdEsOebdO243KkkGOl8r1rXiErQXwjK0RspvrX6roV6uJg6gBT0qBN7nM1J92WNVNte-3UhcBfm_hdBHRfib8zN_AvMNZ04Yc76hri7xTqa1iHFLl8823YEBnP_FSM97rdzsz_wCNkBM8bzsD-Cg4KMqrrY_qzFFymBRHPklBLyJudJN1zv8_dCXbDzBKtQo8UklM3MuSLsIf1TZGDbpemEpvNO-mu9UDVEccw0oeMPPKx6K_br",
"use": "sig"
}
]
}
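To make concrete what IAM does with the discovery document and the keys above, here is an added example that is not part of these notes: it models the EKS JWKS and the verification of a service-account ID token in pure Python (standard library only). The RSA key is a deterministic toy built from two Mersenne primes, the kid "toy-kid-1" is invented, and the sts.amazonaws.com audience and the system:serviceaccount:<namespace>:<name> subject follow the shape that IRSA tokens use.

```python
import base64, hashlib, json
ISSUER = "https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56"
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 SHA-256 prefix

# Toy key from two Mersenne primes: deterministic, stdlib-only, trivially factorable.
# It stands in for the EKS-managed signing key; the real one is only ever read from the JWKS.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
KLEN = (N.bit_length() + 7) // 8  # modulus length in bytes

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def to_int(s): return int.from_bytes(unb64u(s), "big")

def emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus
    t = DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def jwks():  # what the jwks_uri serves: modulus and exponent, base64url, keyed by kid
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "toy-kid-1",
                      "n": b64u(N.to_bytes(KLEN, "big")), "e": b64u(E.to_bytes(3, "big"))}]}

def sign_token(claims, kid="toy-kid-1"):
    """RS256-signed JWT shaped like a projected service-account token."""
    header = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode())
    signing_input = header + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(signing_input.encode(), KLEN), "big"), D, N)
    return signing_input + "." + b64u(sig.to_bytes(KLEN, "big"))

def verify_token(token, keys, issuer, audience):
    """The checks IAM makes against the discovery document and JWKS before trusting a token."""
    h64, c64, s64 = token.split(".")
    header = json.loads(unb64u(h64))
    if header.get("alg") != "RS256":  # the token never gets to choose the algorithm
        return False, "unexpected alg"
    jwk = next((j for j in keys["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "unknown kid"
    n, e, s = to_int(jwk["n"]), to_int(jwk["e"]), to_int(s64)
    k = (n.bit_length() + 7) // 8
    if s >= n or pow(s, e, n).to_bytes(k, "big") != emsa(f"{h64}.{c64}".encode(), k):
        return False, "bad signature"
    claims = json.loads(unb64u(c64))
    aud = claims.get("aud", [])
    if claims.get("iss") != issuer or audience not in ([aud] if isinstance(aud, str) else aud):
        return False, "issuer or audience mismatch"
    if not claims.get("sub", "").startswith("system:serviceaccount:"):
        return False, "not a service-account subject"
    return True, claims["sub"]
```

The "e" the toy JWKS emits is "AQAB", the same value as in the real keys above; a token whose signature, issuer or audience does not match is rejected before any claim is trusted.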