Deploying the AWS IAM Authenticator to Elastickube

Hung-Tao Hsieh
Sep 25, 2018 · 5 min read

Managing authentication is an important task: admins have to maintain a list of acceptable users, validate each user's permissions, prune users that no longer need access, and periodically revoke token- and certificate-based access. The more systems there are to manage, the more complicated these tasks become. That is why we integrate AWS-IAM-Authenticator into Kubernetes: it lets the cluster use AWS IAM for federated authentication.

Getting started

To get started, we need a Kubernetes cluster, and the easiest way to get one up and running is to use Elastickube from the Vishwakarma repository.

Vishwakarma can be used to create a Kubernetes cluster in AWS by leveraging HashiCorp Terraform and CoreOS. There are two kinds of Kubernetes master within Vishwakarma: one leverages AWS EKS, the other is ElastiKube (self-hosted). Elastickube is very robust: HA is supported on master nodes, etcd, and worker nodes.

Install Elastickube

We need to get the Elastickube repository. The easiest way is with git clone.

AWS-IAM-Authenticator uses webhook token authentication to verify a user, so we have to add the webhook flag (--authentication-token-webhook-config-file) to the API server. It's very easy to integrate webhook token authentication on Elastickube; more details are provided in the PR.
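As an added illustration, not taken from the original post or from the Vishwakarma/Elastickube repository, this is the shape of the file that --authentication-token-webhook-config-file points at. It is a kubeconfig-style document whose single cluster entry is the authenticator's HTTPS endpoint; the server address and port are the aws-iam-authenticator defaults, and the certificate-authority-data value is a placeholder.

```yaml
# Webhook token-authentication config consumed by kube-apiserver via
# --authentication-token-webhook-config-file. Added example; the default
# aws-iam-authenticator listen address and port are assumed, and the CA
# data is a placeholder for the certificate the authenticator generates.
clusters:
  - name: aws-iam-authenticator
    cluster:
      # Pins the authenticator's self-signed serving certificate so the API
      # server will not accept verdicts from anything else on this port.
      certificate-authority-data: "<BASE64_CA_OF_THE_AUTHENTICATOR_CERT>"
      server: https://localhost:21362/authenticate
users:
  - name: apiserver
current-context: webhook
contexts:
  - name: webhook
    context:
      cluster: aws-iam-authenticator
      user: apiserver
```

For every bearer token it cannot verify locally, the API server sends a TokenReview to the server URL and the authenticator answers with the mapped username and groups. Since every IAM-backed request rests on that round trip, the authenticator should listen on loopback only and the CA material in this file should be handled as cluster-critical.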

Deployment in Elastickube is as simple as the following command.

Install kubectl on ubuntu/MacOS

You will also need the Kubernetes command line tool, kubectl; you can install it using the following command. For other platforms, please refer to here.

Ubuntu

MacOS

Install AWS-IAM-Authenticator

The second dependency is the AWS-IAM-Authenticator on the client side. The easiest way to install it as of this writing is with curl. You can use the following command to do this:

Linux

MacOS

Install AWS User Credentials

The last dependency is to create user credentials. You must create a user profile on your local computer. The configuration file should be in the following format:

Create Authentication Policy on Kubernetes

Now we can test that our default kubeAdmin user still has access to the cluster by running kubectl get nodes. This should return the nodes that are connected to your cluster; otherwise you will receive an unauthorized error.

We must create a ConfigMap that defines the AWS IAM users (here, Bob) who have access to the cluster.

Then, you can use kubectl apply to push your configuration changes to the cluster.
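An added example of such a ConfigMap, written for this article rather than taken from the original post: the account id 000000000000, the role name and the Kubernetes usernames are constructed placeholders, and the ConfigMap name and namespace are the defaults the aws-iam-authenticator server reads. Bob is the IAM user the post refers to.

```yaml
# aws-auth ConfigMap read by the aws-iam-authenticator server. Added example;
# the account id 000000000000 and all names are constructed placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # Roles are the usual way to grant team access: the caller assumes the IAM
  # role, and the authenticator maps the session's ARN to a Kubernetes identity.
  mapRoles: |
    - rolearn: arn:aws:iam::000000000000:role/KubernetesAdmin
      username: kubernetes-admin
      groups:
        - system:masters
  # Direct user mappings; Bob is the IAM user from the post.
  mapUsers: |
    - userarn: arn:aws:iam::000000000000:user/Bob
      username: bob
      # system:masters grants full cluster-admin rights. Once the integration
      # works, prefer a narrower group bound to a Role or ClusterRole via RBAC.
      groups:
        - system:masters
```

The authenticator only establishes who the caller is; what that identity may do is still decided by RBAC through the groups listed here, which is why the group names, not just the ARNs, deserve review.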

Once it is deployed, we need to add a new user to our kubeconfig. Open the kubeconfig in your editor, remove the kubelet user, and add the following.

At the same time, we should replace each context user with kubeAdmin.
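As an added example, not from the original post, this is what the new kubeAdmin user and a context pointing at it look like when kubectl is told to obtain its token from aws-iam-authenticator. The cluster id, cluster name, AWS profile name and role ARN are constructed placeholders; the cluster id must match the one the authenticator server was deployed with.

```yaml
# users: and contexts: stanzas for ~/.kube/config. Added example; the cluster
# id, cluster name, profile name and role ARN are constructed placeholders.
users:
  - name: kubeAdmin
    user:
      exec:
        # v1alpha1 matches the 2018 authenticator docs; newer kubectl
        # releases expect v1beta1 here.
        apiVersion: client.authentication.k8s.io/v1alpha1
        command: aws-iam-authenticator
        args:
          - "token"
          - "-i"
          - "<CLUSTER_ID>"
          # Optionally assume a role instead of presenting the caller's
          # long-lived user credentials (uncomment and set the role ARN):
          # - "-r"
          # - "arn:aws:iam::000000000000:role/KubernetesAdmin"
        env:
          # Selects the profile created in "Install AWS User Credentials".
          - name: AWS_PROFILE
            value: "<PROFILE_NAME>"
contexts:
  - name: default
    context:
      cluster: "<CLUSTER_NAME>"
      user: kubeAdmin
```

The exec plugin mints a short-lived token from the caller's AWS credentials on each run, so no long-lived Kubernetes credential is stored in the kubeconfig; revoking the IAM user or role is enough to cut off cluster access.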

If everything succeeded, we can test authenticating against our cluster.

To verify that an invalid user is rejected, we can modify the ConfigMap with kubectl edit.

Amend the user ARN with an invalid ARN.

Run kubectl get nodes again.

Teardown

If you’d like to continue to use this cluster, you can leave it running. If you’d like to shut the cluster down, you can run the following command:

Reference

Future works

command: kubectl get

It returns No resource found when an invalid user runs kubectl get, for example:

It seems like a bug or by design; we can skip it with the --ignore-not-found flag. For example:

Not sure if this is expected, since this situation does not occur with kubectl create or kubectl delete.

command: kubectl create

command: kubectl delete


Thanks to Yu-Te Lin
