class: center, middle

# K8s OIDC Endpoint

## Jason Smith

![](images/profile.png)

.small-link[https://www.linkedin.com/in/jason-richard-smith]

.small-link[https://github.com/jasonrichardsmith]

.small-link[https://twitter.com/jasonrichardsmi]

---
class: center, middle

# Follow Along

.xlarge-font[kubesec.jasonrichardsmith.org]

---
class: center, middle

# Intercluster Control?

![](images/k8s-2.png)

???

Who is doing this?
How are you doing it?
Controlling one cluster from a pod in another
Want to do this? CI/CD?

---
class: center, middle

# OIDC Discovery - KEP

![](images/kep.png)

.small-link[https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md]

???

This Kubernetes Enhancement Proposal covers the purpose of adding OIDC discovery to Kubernetes.
What I will be discussing today.

---
class: center, middle

# KEP

.left[.large-font[
**Goals**

- Allow (authorized) systems to discover the information they need to authenticate KSA tokens.
- Attempt compatibility with OIDC: common libraries that authenticate OIDC tokens should be able to authenticate KSA tokens.
- Support authentication when the API server is not directly reachable by the relying party.
]]

.small-link[https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md]

---
class: center, middle

# OIDC Discovery - PR

https://github.com/kubernetes/kubernetes/pull/80724

Feb 18, 2020

![](images/merged.png)

#### v1.18

---
class: center, middle

# EKS and IRSA

![](images/irsa.png)

.small-link[https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts]

???

Micah Hausler and Michael Hausenblas
EKS and IAM introduced last year
Introduced the same functionality
IAM accepts OIDC identities

---
class: center, middle

# Self Hosted OIDC

![](images/selfhosted.png)

.small-link[https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md]

???
A guide on how to run your own discovery endpoints

**BUT This is static**

---
class: center, middle

# The Components

.center[.inline-block[.left.large-font[
1. OIDC Discovery Document
2. Projected Service Accounts
3. Client
]]]

---
class: center

# 1: OIDC Discovery Document

.left[
.well-known/openid-configuration

```json
{
  "issuer": "https://cluster.example.com",
  "jwks_uri": "https://cluster.example.com/openid/v1/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "ES256"
  ]
}
```
]

.small-link[https://openid.net/specs/openid-connect-discovery-1_0.html]

---
class: center

# 1: OIDC Discovery Document

.left[
/openid/v1/jwks

```json
{
  "keys": [
    {
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "kid": "ccab4acb107920dc284c96c6205b313270672039",
      "n": "wWGfvdCEjJJy...",
      "e": "AQAB"
    }
  ]
}
```
]

.small-link[https://openid.net/specs/openid-connect-discovery-1_0.html]

???

The JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm.

---
class: center, top

# 2: Projected Service Accounts

.left[
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: a-pod
spec:
  containers:
  - name: a-container
    image: container
    volumeMounts:
    - mountPath: "/var/run/secrets/myfolder/"
      name: psa-token
  volumes:
  - name: psa-token
    projected:
      sources:
      - serviceAccountToken:
          audience: "my.audience.here"
          expirationSeconds: 86400
          path: token
```
]

.small-link[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection]

---
class: center, middle

# 2. Projected Service Accounts

____

## vs Service Accounts

.large-font["You can specify desired properties of the token, such as the audience and the validity duration.
These properties are not configurable on the default service account token."]

.small-link[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection]

---
class: center, middle

# 3. The Client...

---
class: center, middle

# The Process

![](images/process.png)

---
class: center, middle

# K8s - OIDC Provider

![](images/kube-api-oidc.png)

.small-link[https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server]

---
class: center, middle

# The Process - With K8s

![](images/process-k8s.png)

---
class: center, middle

# Clients

.center[.inline-block[.left.large-font[
- AWS
- Kubernetes
]]]

---
class: center, middle

# Clients

.large-font["We aren't trying to make the KSA token process fully compliant with OIDC specifications."]

.small-link[https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md]

---
class: center, middle

# Clients

.center[.inline-block[.left.large-font[
- AWS
- Kubernetes
]]]

---
class: center, middle

# Control Patterns

![](images/octopus.png)

---
class: center, middle

# Control Patterns

![](images/octopus-cloud.png)

---
class: center, middle

.q-font[?]