This is a setup guide for amazon-eks-pod-identity-webhook on a self-hosted k3s cluster.
- https://github.com/aws/amazon-eks-pod-identity-webhook/tree/master
- https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md

The goal of this example is to configure a pod so that it has full S3 access to the AWS account.
- Create an S3 bucket.
- Navigate to "Permissions" > "Block public access" and disable the public ACL block.
- Enable ACLs under "Permissions" > "Object Ownership".
- Go to IAM > Identity providers > Add provider.
- Select "OpenID Connect".
- Input "Provider Name" as your S3 bucket URL, for example `s3.us-east-1.amazonaws.com/test2023a`.
- Set "Audiences" to `k3s`.
- Create a new IAM role.
- Name it `myrole`.
- Set up trusted entities:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "<use the ARN of created identity provider>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
```

- Attach the `AmazonS3FullAccess` policy to the role.
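The trust policy above grants `sts:AssumeRoleWithWebIdentity` to every token the provider signs, with no `Condition` block. The following audit script is an added example (not part of this guide or of the webhook project): it checks a trust policy for the `<provider>:aud` and `<provider>:sub` condition keys IAM evaluates for OIDC federation, and shows a scoped variant beside the guide's policy. The account ID placeholder, and the assumption that `mysa` lives in the `default` namespace, are constructed for the example.

```python
import json

# Constructed sample values: the provider path from the guide and a placeholder ARN.
PROVIDER = "s3.us-east-1.amazonaws.com/test2023a"
PROVIDER_ARN = "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/" + PROVIDER

# The trust policy as written in the guide: no Condition at all.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

# Scoped variant: pinned to the audience configured on the provider ("k3s")
# and to one service account (assumed namespace "default", name "mysa").
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{PROVIDER}:aud": "k3s",
                f"{PROVIDER}:sub": "system:serviceaccount:default:mysa",
            }
        },
    }],
}


def audit_trust_policy(policy, provider):
    """Return findings for Allow statements that grant AssumeRoleWithWebIdentity
    without restricting the token's audience or subject claims."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # Collect every condition key regardless of operator (StringEquals, StringLike, ...).
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if f"{provider}:aud".lower() not in keys:
            findings.append(f"statement {i}: no audience condition ({provider}:aud)")
        if f"{provider}:sub".lower() not in keys:
            findings.append(f"statement {i}: no subject condition ({provider}:sub); "
                            "any service account token issued by the cluster can assume the role")
    return findings


if __name__ == "__main__":
    print(json.dumps({"loose": audit_trust_policy(LOOSE_POLICY, PROVIDER),
                      "scoped": audit_trust_policy(SCOPED_POLICY, PROVIDER)}, indent=2))
```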
Details are in `command.sh`. This script will:
- Install k3s.
- Install cert-manager.
- Install the webhook.
- Create an identity provider with S3.
Examples:

`discovery.json`

```json
{
  "issuer": "https://s3.us-east-1.amazonaws.com/test2023a",
  "jwks_uri": "https://s3.us-east-1.amazonaws.com/test2023a/keys.json",
  "authorization_endpoint": "urn:kubernetes:programmatic_authorization",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "claims_supported": [
    "sub",
    "iss"
  ]
}
```

`keys.json`

```json
{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "dChUxQw2A6HpqZamkglk2Iq_paXdv-CB6j7-9MzbiZE",
      "alg": "RS256",
      "n": "uqELZImmnbm-X4IoYOctoW5FbPWE0wBYtTeYxJrOEIkVIXS48Q5dL8Zoiv-5y87dnWVRm1upIVqVV9funsGDTeUfUPMc8LgAp3yp1SvcMttM3s32HMRotd6VhkpryRENQeCn7HxtbFCDOWiQJr0TVV1l1u0neyveyX_XWqMOdNH7GN9S_AHzyERCCpH9oykzgzIES87rnevnY8y243DhbZHFMRW3FG2STYyNQ06KX3hz7624DXpDxvXHtAd8iJeva_xA6oBO7ZpF7zzPvs3lfFie2leubK_bCAjlNXnaa6hLxSUVTclHoRgXx_B0bmqkqImUCQY-Yed1ij6l8XlMKQ",
      "e": "AQAB"
    },
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "",
      "alg": "RS256",
      "n": "uqELZImmnbm-X4IoYOctoW5FbPWE0wBYtTeYxJrOEIkVIXS48Q5dL8Zoiv-5y87dnWVRm1upIVqVV9funsGDTeUfUPMc8LgAp3yp1SvcMttM3s32HMRotd6VhkpryRENQeCn7HxtbFCDOWiQJr0TVV1l1u0neyveyX_XWqMOdNH7GN9S_AHzyERCCpH9oykzgzIES87rnevnY8y243DhbZHFMRW3FG2STYyNQ06KX3hz7624DXpDxvXHtAd8iJeva_xA6oBO7ZpF7zzPvs3lfFie2leubK_bCAjlNXnaa6hLxSUVTclHoRgXx_B0bmqkqImUCQY-Yed1ij6l8XlMKQ",
      "e": "AQAB"
    }
  ]
}
```
- Configure the apiserver to use the identity provider. Details are in `test.sh`.
- Apply `test.yaml` to create the test pod and service account. Make sure the webhook is running. If it's not, re-install cert-manager and the webhook by re-running the command.

```
[root@node2 ~]# kubectl get po,sa
NAME                                       READY   STATUS    RESTARTS   AGE
pod/pod-identity-webhook-c4fb89547-rxdcz   1/1     Running   0          13m
pod/my-pod                                 1/1     Running   0          4m54s

NAME                                  SECRETS   AGE
serviceaccount/default                0         14m
serviceaccount/pod-identity-webhook   0         13m
serviceaccount/mysa                   0         4m54s
```
- Install the AWS CLI in the pod.

```
[root@node2 ~]# kubectl exec my-pod -- apk add aws-cli
OK: 143 MiB in 42 packages
```
- Test it by getting the caller identity and listing the S3 buckets. The ARN shows the pod is running as `myrole`, assumed through the web identity token.

```
[root@node2 ~]# kubectl exec my-pod -- aws sts get-caller-identity
{
    "UserId": "AROATKPGOJR2CXJBT2DPN:botocore-session-1683672493",
    "Account": "<ACCOUNT_ID>",
    "Arn": "arn:aws:sts::<ACCOUNT_ID>:assumed-role/myrole/botocore-session-1683672493"
}
[root@node2 ~]# kubectl exec my-pod -- aws s3 ls
2023-05-09 21:58:22 test2023a
```
- Calls to other AWS services should fail, since the role only carries the `AmazonS3FullAccess` policy.

```
[root@node2 ~]# kubectl exec my-pod -- aws ec2 describe-instances --region us-east-1
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
```