Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 19. Integrating RHACS using short-lived tokens

With Red Hat Advanced Cluster Security for Kubernetes (RHACS) you can authenticate against selected cloud provider APIs using short-lived tokens. RHACS supports the following cloud provider integrations:

  • Amazon Web Services (AWS) using the Secure Token Service (STS)
  • Google Cloud using workload identity federation
  • Microsoft Azure using Microsoft Entra ID with managed identities

RHACS supports short-lived token integrations only when you install RHACS on the following platforms:

  • Elastic Kubernetes Service (EKS) on AWS
  • Google Kubernetes Engine (GKE) on GCP
  • Microsoft Azure Kubernetes Service (AKS)
  • OpenShift Container Platform

To activate short-lived authentication, you must establish trust between your Kubernetes or OpenShift Container Platform cluster and your cloud provider. For EKS, GKE and AKS clusters, use the cloud provider metadata service. For OpenShift Container Platform clusters, you need a publicly available OpenID Connect (OIDC) provider bucket containing the OpenShift Container Platform service account signer key.

Note

You must establish trust with your cloud provider for every Central cluster that uses the short-lived token integration. However, if you use delegated scanning in combination with short-lived token image integrations, you must also establish trust for the Sensor cluster.

19.1. Configuring AWS Secure Token Service
Copia collegamento

RHACS integrations can authenticate against Amazon Web Services using the Secure Token Service. You must configure AssumeRole with RHACS before enabling the Use container IAM role option in integrations.

Important

Verify that the AWS role associated with the RHACS pod must have the IAM permissions required by the integration. For example, to set up a container role for integrating with the Elastic Container Registry, enable full read access to the registry. For more information about AWS IAM roles, see IAM roles.

19.1.1. Configuring Elastic Kubernetes Service (EKS)
Copia collegamento

When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on EKS, you can configure short-lived tokens through the Amazon Secure Token Service.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  1. Run the following command to enable the IAM OpenID Connect (OIDC) provider for your EKS cluster: 

    $ eksctl utils associate-iam-oidc-provider --cluster <cluster_name> --approve
  2. Create an IAM role for your EKS cluster.

  3. Edit the permission policy of the role and grant the permissions required by the integration. For example: 

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:ListImages"
            ],
            "Resource": "arn:aws:iam::<ecr_registry>:role/<role_name>"
        }
    ]
}

  4. Update the trust relationship for the role that you want to assume: 

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<ecr-registry>:role/<role_name>"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

    where:

    <ecr-registry>
    Specifies the <role_name>, which should match with the new role that you have created in the earlier steps.

  5. Enter the following command to associate the newly created role with a service account: 

    $ oc -n stackrox annotate sa central eks.amazonaws.com/role-arn=arn:aws:iam::67890:role/<role_name>

  6. Enter the following command to restart the Central pod and apply the changes: 

    $ oc -n stackrox delete pod -l "app in (central,sensor)"

19.1.2. Configuring OpenShift Container Platform
Copia collegamento

When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on OpenShift Container Platform, you can configure short-lived tokens through the Amazon Secure Token Service.

Prerequisites

  • You must have a public OpenID Connect (OIDC) configuration bucket with the OpenShift Container Platform service account signer key. To get the OIDC configuration for the OpenShift Container Platform cluster, Red Hat recommends using the instructions at Cloud Credential Operator in manual mode for short-term credentials.
  • You must have access to AWS IAM and the permissions to create and change roles.

Procedure

  1. Follow the instructions at Creating OpenID Connect (OIDC) identity providers to create web identity of the OpenShift Container Platform cluster. Use openshift as the value for Audience.
  2. Create an IAM role for the web identity of the OpenShift Container Platform cluster.

  3. Edit the permission policy of the role and grant the permissions required by the integration. For example: 

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:ListImages"
            ],
            "Resource": "arn:aws:iam::<ecr_registry>:role/<role_name>"
        }
    ]
}

  4. Update the trust relationship for the role that you want to assume: 

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "<oidc_provider_arn>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "<oidc_provider_name>:aud": "openshift"
                }
            }
        }
    ]
}

  5. Set the following RHACS environment variables on the Central or Sensor deployment: 

    AWS_ROLE_ARN=<role_arn>
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/openshift/serviceaccount/token

19.2. Configuring Google workload identity federation
Copia collegamento

RHACS integrations can authenticate against the Google Cloud by using workload identities. Select the Use workload identity option upon creation to enable workload identity authentication in a Google Cloud integration.

Important

The Google service account associated with the RHACS pod through the workload identity must have the IAM permissions required by the integration. For example, to set up a workload identity for integrating with Google Artifact Registry, connect a service account with the roles/artifactregistry.reader role. For more information about Google IAM roles see Configure roles and permissions.

19.2.1. Configuring Google Kubernetes Engine (GKE)
Copia collegamento

When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on GKE, you can configure short-lived tokens through Google workload identities.

Note

If you use Kubernetes, enter kubectl instead of oc.

Prerequisites

  • You must have access to the Google Cloud project containing the cluster and integration resources.

Procedure

  1. Follow the instructions in the Google Cloud documentation to Use workload identity federation for GKE.

  2. Annotate the RHACS service account by running the following command: 

    $ oc annotate serviceaccount \
    central \
    --namespace stackrox \
    iam.gke.io/gcp-service-account=<GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com
    Important

    When setting up delegated scanning, use sensor instead of central.

19.2.2. Configuring OpenShift Container Platform
Copia collegamento

You can configure short-lived tokens through Google workload identities when running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on OpenShift Container Platform.

Prerequisites

  • You must have a public OIDC configuration bucket with the OpenShift Container Platform service account signer key. The recommended way to obtain the OIDC configuration for the OpenShift Container Platform cluster is to use the Cloud Credential Operator in manual mode for short-term credentials instructions.
  • Access to a Google Cloud project with the roles/iam.workloadIdentityPoolAdmin role.

Procedure

  1. Follow the instructions at Manage workload identity pools to create a workload identity pool. For example: 

    $ gcloud iam workload-identity-pools create rhacs-pool \
    --location="global" \
    --display-name="RHACS workload pool"

  2. Follow the instructions at Manage workload identity pool providers to create a workload identity pool provider. For example: 

    $ gcloud iam workload-identity-pools providers create-oidc rhacs-provider \
    --location="global" \
    --workload-identity-pool="rhacs-pool" \
    --display-name="RHACS provider" \
    --attribute-mapping="google.subject=assertion.sub" \
    --issuer-uri="https://<oidc_configuration_url>" \
    --allowed-audiences=openshift

  3. Connect a Google service account to the workload identity pool. For example: 

    $ gcloud iam service-accounts add-iam-policy-binding <GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member="principal://iam.googleapis.com/projects/<GSA_PROJECT_NUMBER>/locations/global/workloadIdentityPools/rhacs-provider/subject/system:serviceaccount:stackrox:central"

    where:

    <system:serviceaccount:stackrox:central>
    Specifies the subject. For delegated scanning, you must set the subject to system:serviceaccount:stackrox:sensor.

  4. Create a service account JSON containing the Security token service (STS) configuration. For example: 

    {
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<GSA_PROJECT_ID>/locations/global/workloadIdentityPools/rhacs-pool/providers/rhacs-provider",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com:generateAccessToken",
  "credential_source": {
    "file": "/var/run/secrets/openshift/serviceaccount/token",
    "format": {
      "type": "text"
    }
  }
}

  5. Use the service account JSON as a secret to the RHACS namespace: 

    apiVersion: v1
kind: Secret
metadata:
  name: gcp-cloud-credentials
  namespace: stackrox
data:
  credentials: <base64_encoded_json>

19.3. Configuring Microsoft Entra ID federation
Copia collegamento

RHACS integrations can authenticate to Microsoft Azure by using managed or workload identities. Select the Use workload identity checkbox during the creation of a new Microsoft Azure Container Registry (ACR) integration, if you want to enable authentication by using managed or workload identities in a Microsoft Azure integration.

For more information about Azure managed identities, see What are managed identities for Azure resources? (Microsoft Azure documentation).

For more information about Azure workload identities, see Workload identity federation (Microsoft Azure documentation).

Important

The identity associated with the RHACS pod through the workload identity must have the IAM permissions for the integration. For example, to set up a workload identity for integrating with Microsoft ACR, assign the Reader role over a scope that includes the registry.

For more information about Microsoft Azure IAM roles, see Azure RBAC documentation (Microsoft Azure documentation).

19.3.1. Configuring Microsoft Azure Kubernetes Service
Copia collegamento

By running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on Microsoft Azure Kubernetes Service (AKS), you can configure short-lived tokens by using Microsoft Entra ID managed identities.

Note

If you use Kubernetes, enter kubectl instead of oc.

Prerequisites

  • You have access to the cluster and integration resources within Microsoft Azure.

Procedure

  1. Create a trust relationship between the external IdP and a user-assigned managed identity or application in Microsoft Entra ID.

    For more information, see Workload identity federation (Microsoft Azure documentation).

  2. Annotate the RHACS service account by running the following command:

    Important

    When setting up the delegated scanning, use sensor instead of central. 

    $ oc annotate serviceaccount \
    central \
    --namespace stackrox \
    azure.workload.identity/client-id=<CLIENT_ID>

    where:

    <CLIENT_ID>
    Specifies the client ID of the associated identity.

    Example output

    serviceaccount/central annotated

19.3.2. Configuring OpenShift Container Platform
Copia collegamento

By running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on OpenShift Container Platform, you can configure short-lived tokens by using Microsoft Entra ID managed identities.

Prerequisites

  • You have a public OpenID Connect (OIDC) configuration bucket with the OpenShift Container Platform service account signer key.

    For more information, see "Manual mode with short-term credentials for components" in OpenShift Container Platform documentation.

  • You have a Microsoft Entra ID user-assigned managed identity.
  • You have access to a Microsoft Azure subscription with the permission to assign role assignments.

Procedure

  • To add the federated identity credentials to a user-assigned managed identity, run the following command, for example:

    Important

    When setting up the delegated scanning, set the subject to system:serviceaccount:stackrox:sensor. 

    $ az identity federated-credential create \
    --name "${FEDERATED_CREDENTIAL_NAME}" \
    --identity-name "${MANAGED_IDENTITY_NAME}" \
    --resource-group "${RESOURCE_GROUP}" \
    --issuer "${OIDC_ISSUER_URL}" \
    --subject system:serviceaccount:stackrox:central \
    --audience openshift

    where:

    --identity-name
    Specifies the identity name. The managed identity must have all the permissions for federation.
    --issuer
    Specifies the issuer. The issuer must match the service account token issuer of the OpenShift Container Platform cluster.

    For more information about how to configure short-lived tokens by using Microsoft Entra ID managed identities, see Configure a user-assigned managed identity to trust an external identity provider (Microsoft Azure documentation).

Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima