
eks-auth-proxy's People

Contributors

agutoli, dependabot[bot], keattang


eks-auth-proxy's Issues

Feature Request: Allow mapping of groups claim to IAM roles

When a user logs in via OIDC, the user presents a JSON Web Token (JWT) that includes "claims". The Kubernetes API allows you to configure the name of the group claim and then maps the items in the group claim to Kubernetes RBAC roles.

It would be very helpful for eks-auth-proxy to do something similar. Specifically, I would like to specify the name of a claim, which would evaluate to a list of strings, and have mappings from possible string values to AWS IAM roles. So a user with an "admin" claim might get mapped to arn:aws:iam::00000000000:role/admin. Strings with no mapping would be ignored, and if there are multiple mappings, the user would be presented with a list in some consistent order. (So that the list appears the same for a user every time they log in, the list should be sorted somehow, although exactly how is less important.)
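An added example of the mapping described in this request, not code from eks-auth-proxy: it decodes the payload of a (constructed, unverified) JWT, reads a configurable groups claim, maps each group to an IAM role ARN, ignores unmapped values, and returns the result de-duplicated and sorted so the list is stable across logins. The claim name, the mapping table, the account id and the sample token are all assumptions made here.

```javascript
// Added example, not eks-auth-proxy code. Signature verification is the OIDC
// client's job and is deliberately not part of this snippet.

// Group name -> IAM role ARN. The account id is a placeholder, not a real account.
const GROUP_TO_ROLE = {
  admin: 'arn:aws:iam::000000000000:role/admin',
  dev: 'arn:aws:iam::000000000000:role/developer',
  readonly: 'arn:aws:iam::000000000000:role/readonly',
};

// Base64url helpers (no padding, URL-safe alphabet), as used by JWT segments.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Build a constructed, unsigned sample token so the example runs offline.
function makeSampleJwt(payload) {
  const header = { alg: 'none', typ: 'JWT' };
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.sig`;
}

// Return the decoded claims object from the second JWT segment.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Roles granted by a set of claims: unmapped groups are ignored, duplicates
// collapsed, and the result sorted so the user sees the same order each login.
// A missing or malformed claim yields an empty list rather than an error.
function rolesForClaims(claims, groupClaim, mapping) {
  const raw = claims ? claims[groupClaim] : undefined;
  // Some providers emit a bare string when the user is in exactly one group.
  const groups = Array.isArray(raw) ? raw : (typeof raw === 'string' ? [raw] : []);
  const roles = new Set();
  for (const g of groups) {
    if (typeof g !== 'string') continue;
    if (Object.prototype.hasOwnProperty.call(mapping, g)) roles.add(mapping[g]);
  }
  return [...roles].sort();
}

// Usage with a constructed token: 'nomap' is dropped, 'dev' appears once.
const sampleToken = makeSampleJwt({ sub: 'alice', groups: ['dev', 'admin', 'nomap', 'dev'] });
console.log(rolesForClaims(decodeJwtPayload(sampleToken), 'groups', GROUP_TO_ROLE));
```

The sort is plain lexical order on the ARN, which is enough for the "consistent order" the request asks for; a deployment that wants admin roles listed first would sort on a rank attached to the mapping instead.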

intermittent error: jwks_uri must be configured

I am using an Okta OIDC provider, and using this to access the kubernetes-dashboard. Sometimes, for a while, the eks-auth-proxy emits this error to the log and I am unable to retrieve a token for the dashboard to log in.

2020-05-09T19:57:54: PM2 log: Launching in no daemon mode
2020-05-09T19:57:54: PM2 log: App [index:0] starting in -fork mode-
2020-05-09T19:57:54: PM2 log: App [index:0] online
info:    Proxying requests to http://kubernetes-dashboard
info:    Proxy server running on port 3001
error:   jwks_uri must be configured

If I kill the eks-auth-proxy pod a few times and let it restart, it will usually start working. Very little info seems available about what this error message means. I was able to find only one hit in Google (a near googlewhack?)
https://npmdoc.github.io/node-npmdoc-openid-client/build/apidoc.html

I assume okta is doing something bad, but then why does it fix itself after restarting the eks-auth-proxy a few times?

v1.8.8 doesn't forward requests to proxied server

I updated from a much older version to v1.8.8, and now it does not appear that eks-auth-proxy forwards requests to the proxied server anymore. It does authenticate with the backend oidc provider, and fetches the eks auth token. But then it never makes a request with that information to the backend server. Downgraded eks-auth-proxy and it worked again. Something is up.

There's nothing useful in the --debug output to indicate why it's hanging. The last lines printed (with stuff omitted):

debug:   Calling aws-iam-authenticator with
        clusterName=...elided...
        AWS_ACCESS_KEY_ID=...elided...
        AWS_SECRET_ACCESS_KEY=...elided...
        AWS_SESSION_TOKEN=...elided...
debug:   Upstream request headers: {"x-forwarded-host":"...elided...","x-forwarded-proto":"http","x-forwarded-port":"80","x-forwarded-for":"::ffff:...elided...","sec-gpc":"1","cookie":"koa.sess=...elided...; koa.sess.sig=...elided...","accept-language":"en-US,en;q=0.9","accept-encoding":"gzip, deflate","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36","upgrade-insecure-requests":"1","dnt":"1","connection":"close","host":"kubernetes-dashboard:443","authorization":"Bearer k8s-aws-v1....elided..."}

Proxy is including CSP in headers

Kubernetes Dashboard is unable to fully load due to CSP being included by the proxy. Although the Dashboard is functional, the UI is unusable because of the unloaded js.

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src-attr 'none'"

The fix was removing the app.use(helmet()); line in index.js

app.use(helmet());
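An added example, not code from eks-auth-proxy or from helmet, for anyone who would rather keep a policy than drop the header entirely. It parses a Content-Security-Policy value the way a proxy would emit it, checks whether the effective directive for inline event handlers (script-src-attr, falling back to script-src and then default-src) would produce the "Refused to execute inline event handler" error above, and shows a koa-style middleware that sets an explicit policy. The sample policies, the ctx object and the middleware shape are assumptions made here; no dependency is required to run it.

```javascript
// Added example, not eks-auth-proxy or helmet code.

// Parse a CSP header value into { directive: [sources...] }, preserving order.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Inline event handlers (onclick="...") are governed by script-src-attr,
// falling back to script-src and then default-src. Nonces and plain hashes do
// not apply to attributes, so only 'unsafe-inline' (or 'unsafe-hashes' with a
// matching hash) lets them run. With no governing directive nothing restricts them.
function inlineHandlersBlocked(policy) {
  const effective = policy['script-src-attr'] || policy['script-src'] || policy['default-src'];
  if (!effective) return false;
  return !(effective.includes("'unsafe-inline'") || effective.includes("'unsafe-hashes'"));
}

// Serialise a policy object back into a header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// koa-style middleware (assumed shape: ctx.set(name, value), then next()).
// Sets an explicit policy instead of relying on a library default.
function cspMiddleware(policy) {
  const value = buildCsp(policy);
  return (ctx, next) => {
    ctx.set('Content-Security-Policy', value);
    return next();
  };
}

// Constructed sample resembling a strict default: blocks the dashboard's
// inline handlers, which is the symptom reported above.
const strictPolicy = "default-src 'self'; script-src 'self'; script-src-attr 'none'";
// Constructed relaxed variant: only the attribute directive is loosened, the
// rest of the policy (default-src, script-src) stays in force.
const relaxedPolicy = "default-src 'self'; script-src 'self'; script-src-attr 'unsafe-inline'";

console.log('strict blocks inline handlers:', inlineHandlersBlocked(parseCsp(strictPolicy)));
console.log('relaxed blocks inline handlers:', inlineHandlersBlocked(parseCsp(relaxedPolicy)));
```

Loosening script-src-attr alone keeps the source restrictions for scripts, styles and connections, which removing the middleware discards along with the other headers it sets. Whether the relaxed policy is acceptable depends on what else the proxy fronts.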

Add authentication endpoint to use with Nginx auth_request

I liked this project so much.

When trying to use this proxy as an external OAuth method (with the auth_request directive from Nginx), I realized that there is no endpoint to verify authentication.

Nginx needs an endpoint that returns 403 or 401 if auth failed. The proxy only returns 302 to /login whatever the path is.

Would it be possible to add this kind of endpoint? That will make this project valid to use with any kind of external auth method in EKS, securing all kinds of ingresses automatically.

Thanks for your work, cheers!
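An added example of the endpoint this request asks for, not code from eks-auth-proxy: a koa-style handler that answers an /auth path with 200, 401 or 403 for nginx's auth_request, while every other path keeps the existing behaviour of redirecting to /login. The session shape (user, expiresAt, allowed), the /auth path, the X-Auth-Request-User header and the ctx object are assumptions made here.

```javascript
// Added example, not eks-auth-proxy code.

const AUTH_PATH = '/auth';

// nginx auth_request semantics: 2xx allows the request, 401 and 403 deny it,
// and any other status (including the proxy's usual 302) is treated as an error.
function authDecision(session, now = Date.now()) {
  if (!session || !session.user) return { status: 401 };
  if (typeof session.expiresAt === 'number' && session.expiresAt <= now) return { status: 401 };
  if (session.allowed === false) return { status: 403 };
  return { status: 200, user: session.user };
}

// Handle one request. ctx is assumed to carry path, session, status and set().
// Returns ctx so callers (and the checks below) can inspect the outcome.
function handle(ctx) {
  if (ctx.path === AUTH_PATH) {
    const decision = authDecision(ctx.session);
    ctx.status = decision.status;
    // Expose the identity so nginx can forward it via auth_request_set.
    if (decision.status === 200) ctx.set('X-Auth-Request-User', decision.user);
    return ctx;
  }
  // Browser-facing paths keep the redirect-to-login behaviour.
  if (authDecision(ctx.session).status !== 200) {
    ctx.status = 302;
    ctx.set('Location', '/login?rd=' + encodeURIComponent(ctx.path));
    return ctx;
  }
  ctx.status = 200;
  return ctx;
}

// Constructed stand-in for a koa context, enough for the handler above.
function makeCtx(path, session) {
  return { path, session, status: 404, headers: {}, set(k, v) { this.headers[k] = v; } };
}

// Usage with constructed sessions.
console.log(handle(makeCtx('/auth', null)).status);                                        // 401
console.log(handle(makeCtx('/auth', { user: 'alice', expiresAt: Date.now() + 60000 })).status); // 200
console.log(handle(makeCtx('/dashboard', null)).headers.Location);                         // /login?rd=%2Fdashboard
```

On the nginx side this pairs with `auth_request /auth;` in the protected location, an internal location that proxies /auth to the proxy, and `auth_request_set` to copy the X-Auth-Request-User header into a variable for the upstream.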
