AWS-EKS-03--创建 IAM OIDC 身份提供商

发表于 更新于 分类于 置顶 精品
阅读次数: 本文字数: 709 阅读时长 ≈ 3 分钟

摘要

为集群创建 IAM OIDC 身份提供商

  • 要使用某些 Amazon EKS 附加组件,或启用个别 Kubernetes 工作负载以具有特定 AWS Identity and Access Management(IAM)权限,请为集群创建 IAM OpenID Connect(OIDC)提供商。

  • 只需为集群创建一次 IAM OIDC 提供商。

  • 确定您的账户中是否已存在具有您的集群 ID 的 IAM OIDC 提供商

1
2
3
4
# 确定集群是否拥有现有 IAM OIDC 提供商。检索集群的 OIDC 提供商 ID 并将其存储在变量中
$ oidc_id=$(aws eks describe-cluster --name eks-lexing --profile eks-us-west-2 --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
# 如果下面的命令返回了输出,则表示您的集群已经有 IAM OIDC 提供商,您可以跳过下一步。如果没有返回输出,则您必须为集群创建 IAM OIDC 提供商。
$ aws iam --profile eks-us-west-2 list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

  • 使用以下命令为您的集群创建 IAM OIDC 身份提供商

1
2
3
4
5
6
7
8
9
10
$ eksctl utils associate-iam-oidc-provider --cluster eks-lexing --profile eks-us-west-2 --approve
2023-06-28 15:38:20 [ℹ]  will create IAM Open ID Connect provider for cluster "eks-lexing" in "us-west-2"
2023-06-28 15:38:21 [✔]  created IAM Open ID Connect provider for cluster "eks-lexing" in "us-west-2"

# 查看集群的 OIDC 提供商 URL,如果该命令返回为空,则说明尚未创建IAM OIDC 身份提供商
$ aws eks describe-cluster --name eks-lexing --query "cluster.identity.oidc.issuer" --output text --profile eks-us-west-2
https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56

$ aws iam --profile eks-us-west-2 list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
1029FF88CB8725555A1CC65D44191A56"

查看OIDC元数据

  • 在集群的 OIDC 提供商 URL后面加上/.well-known/openid-configuration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ curl https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56/.well-known/openid-configuration -s| python -m json.tool
{
    "authorization_endpoint": "urn:kubernetes:programmatic_authorization",
    "claims_supported": [
        "sub",
        "iss"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "issuer": "https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56",
    "jwks_uri": "https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56/keys",
    "response_types_supported": [
        "id_token"
    ],
    "subject_types_supported": [
        "public"
    ]
}

  • 然后查看jwks_uri中的url,这里的keys就是 IAM 用来验证 EKS service account 发送过来的 ID_token 是否有效的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
curl https://oidc.eks.us-west-2.amazonaws.com/id/1029FF88CB8725555A1CC65D44191A56/keys -s | python -m json.tool
{
    "keys": [
        {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "4e49f2d2c6c8550c55556b01637a93a8a4f941e5",
            "kty": "RSA",
            "n": "rEKprAR5nRAHfulQyyI9unXUNpczPCKZO8hXVuTiKrwlzdI7pETs6g0hWQaKe96n4p-KERF-dc-KajboMqrCfsff7boVJdnA9k8CljwKvt-5ILyXe07ASZQkkbDgpY30GNvMB7tbhiwkaNjuBzrLsO2Ipom5rzlK3i6rjHxp3O94BgMbMMt4trvWtJ9vmhWILihkl_e8--5JOOzjjeNcrNoK_o5LxbHSetaALoGAk-XbCmUeFDWvLQ",
            "use": "sig"
        },
        {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "831cd2c5a14af3ff3ee5555ab1edf6dc7d7fb54d",
            "kty": "RSA",
            "n": "xdlnMmc1lUGyVlt58621Arf-2Ytxxe5HCiBguYe1Y4DYvfxTzknH3x07Q1sMQLNGHV_4d-bT29ufhAnht6AaLcuxtxaonEcMArh95bnuau6-GFMe06XaBYlMDoTcf_czTGdI4On7veJtMpSsNlHNj507Jn6mcH8TGHIl6qRwj9NZSaoADrkDO87O-w71l1c2a3m0us1vWir0QJdZ3J2al4k1Qm7KZT-dN9rs2LquQS0s6MTX-VdQLFb",
            "use": "sig"
        },
        {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "eba5269e0fedd9431af2755550dd09f85bec7ad0",
            "kty": "RSA",
            "n": "qzfrIdEsOebdO243KkkGOl8r1rXiErQXwjK0RspvrX6roV6uJg6gBT0qBN7nM1J92WNVNte-3UhcBfm_hdBHRfib8zN_AvMNZ04Yc76hri7xTqa1iHFLl8823YEBnP_FSM97rdzsz_wCNkBM8bzsD-Cg4KMqrrY_qzFFymBRHPklBLyJudJN1zv8_dCXbDzBKtQo8UklM3MuSLsIf1TZGDbpemEpvNO-mu9UDVEccw0oeMPPKx6K_br",
            "use": "sig"
        }
    ]
}