keattang / eks-auth-proxy
A reverse proxy for authenticating access to a K8s API hosted on EKS with a third party login.
I believe the aws cli command aws eks get-token --cluster-name <cluster-name> is the preferred replacement.
When a user logs in via OIDC, the user presents a JSON Web Token (JWT) that includes "claims". The Kubernetes API allows you to configure the name of the group claim and then maps the items in the group claim to Kubernetes RBAC roles.

It would be very helpful for eks-auth-proxy to do something similar. Specifically, I would like to specify the name of a claim, which would evaluate to a list of strings, and have mappings from possible string values to AWS IAM roles. So a user with an "admin" claim might get mapped to arn:aws:iam::00000000000:role/admin. Strings with no mapping would be ignored, and if there are multiple mappings, the user would be presented with a list in some consistent order. (So that the list appears the same for a user every time they log in, the list should be sorted somehow, although exactly how is less important.)
I am using an Okta OIDC provider, and using this to access the kubernetes-dashboard. Sometimes, for a while, the eks-auth-proxy emits this error to the log and I am unable to retrieve a token for the dashboard to log in.

```
2020-05-09T19:57:54: PM2 log: Launching in no daemon mode
2020-05-09T19:57:54: PM2 log: App [index:0] starting in -fork mode-
2020-05-09T19:57:54: PM2 log: App [index:0] online
info: Proxying requests to http://kubernetes-dashboard
info: Proxy server running on port 3001
error: jwks_uri must be configured
```

If I kill the eks-auth-proxy pod a few times and let it restart, it will usually start working. Very little info seems available about what this error message means. I was able to find only one hit in Google (a near googlewhack?):
https://npmdoc.github.io/node-npmdoc-openid-client/build/apidoc.html

I assume Okta is doing something bad, but then why does it fix itself after restarting the eks-auth-proxy a few times?
I updated from a much older version to v1.8.8, and now it does not appear that eks-auth-proxy forwards requests to the proxied server anymore. It does authenticate with the backend OIDC provider, and fetches the EKS auth token. But then it never makes a request with that information to the backend server. Downgraded eks-auth-proxy and it worked again. Something is up.

There's nothing useful in the --debug output to indicate why it's hanging. The last lines printed (with stuff omitted):

```
debug: Calling aws-iam-authenticator with
clusterName=...elided...
AWS_ACCESS_KEY_ID=...elided...
AWS_SECRET_ACCESS_KEY=...elided...
AWS_SESSION_TOKEN=...elided...
debug: Upstream request headers: {"x-forwarded-host":"...elided...","x-forwarded-proto":"http","x-forwarded-port":"80","x-forwarded-for":"::ffff:...elided...","sec-gpc":"1","cookie":"koa.sess=...elided...; koa.sess.sig=...elided...","accept-language":"en-US,en;q=0.9","accept-encoding":"gzip, deflate","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36","upgrade-insecure-requests":"1","dnt":"1","connection":"close","host":"kubernetes-dashboard:443","authorization":"Bearer k8s-aws-v1....elided..."}
```
Kubernetes Dashboard is unable to fully load due to the CSP being included by the proxy. Although the Dashboard is functional, the UI is unusable because of the unloaded JS.

```
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src-attr 'none'"
```

The fix was removing the app.use(helmet()); line in index.js (line 34 in 4393f6a).
I like this project very much.

When trying to use this proxy as an external OAuth method (with the auth_request directive from Nginx), I realized that there is no endpoint to verify authentication.

Nginx needs an endpoint that returns 403 or 401 if auth failed. The proxy only returns 302 to /login whatever the path is.

Would it be possible to add this kind of endpoint? That will make this project valid to use with any kind of external auth method in EKS, securing all kinds of ingresses automatically.

Thanks for your work, cheers!