Kubernetes
Tokenless Authentication to Kubernetes using SAML.to
Last updated
Tokenless Authentication to Kubernetes using SAML.to
Last updated
The SAML.to or can be used for authentication to the Kubernetes Control Plane and be used with any tool that supports a kubeconfig
file (such as kubectl
, helm
, k9s
, etc.).
This document will detail how to use SAML.to to authenticate to the Kubernetes Control Plane for Tokenless authentication.
to your GitHub Organization or User Account
that will be used to access Kubernetes
Grant yourself access in saml-to.yml
for Testing purposes
At a minimum, allow the role the eks:DescribeCluster
permission
A Kubernetes Cluster and the ability to run kubectl
commands on it
Create a kubernetes-admin
role (or whatever name you prefer) that has a .
At a minimum, the role needs permission to eks:DescribeCluster
:
Then, in saml-to.yml
, grant access to GitHub Users to assume that role:
Ensure the role is functional:
For brevity, these instructions will detail on how to map an IAM role to the system:masters
group for full administrative control over Kubernetes.
In Kubernetes best practices, it is not recommended to grant access to system:masters
.
Any group configuration is supported. Refer to the Kubernetes documentation for details on creating/using Cluster Roles and Cluster Role Bindings.
If the system was provisioned by AWS EKS, you should have an aws-auth
ConfigMap in the kube-system
namespace:
Add a section to mapRoles
allowing the desired role access to the system:masters
group:
Run saml-to
before kubectl
commands as you normally would:
Kubernetes will do the rest of the work and map the active role in the Terminal Session to a group permission level as defined in mapRoles
!
A repository can also be granted access to the role. In your user's or organizations saml-to.yml
, grant access for the Repository to gain access to the role:
Using the with the --headless
flag will update your Terminal Session with temporary AWS Session Tokens:
Then, in the GitHub action, use the to assume the role:
!