Red Hat Summit19장. Integrating RHACS using short-lived tokens
With Red Hat Advanced Cluster Security for Kubernetes (RHACS) you can authenticate against selected cloud provider APIs using short-lived tokens. RHACS supports the following cloud provider integrations:
- Amazon Web Services (AWS) using the Secure Token Service (STS)
- Google Cloud using workload identity federation
- Microsoft Azure using Microsoft Entra ID with managed identities
RHACS supports short-lived token integrations only when you install RHACS on the following platforms:
- Elastic Kubernetes Service (EKS) on AWS
- Google Kubernetes Engine (GKE) on GCP
- Microsoft Azure Kubernetes Service (AKS)
- OpenShift Container Platform
To activate short-lived authentication, you must establish trust between your Kubernetes or OpenShift Container Platform cluster and your cloud provider. For EKS, GKE and AKS clusters, use the cloud provider metadata service. For OpenShift Container Platform clusters, you need a publicly available OpenID Connect (OIDC) provider bucket containing the OpenShift Container Platform service account signer key.
You must establish trust with your cloud provider for every Central cluster that uses the short-lived token integration. However, if you use delegated scanning in combination with short-lived token image integrations, you must also establish trust for the Sensor cluster.
19.1. Configuring AWS Secure Token Service
RHACS integrations can authenticate against Amazon Web Services using the Secure Token Service. You must configure AssumeRole with RHACS before enabling the Use container IAM role option in integrations.
Verify that the AWS role associated with the RHACS pod must have the IAM permissions required by the integration. For example, to set up a container role for integrating with the Elastic Container Registry, enable full read access to the registry. For more information about AWS IAM roles, see IAM roles.
19.1.1. Configuring Elastic Kubernetes Service (EKS)
When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on EKS, you can configure short-lived tokens through the Amazon Secure Token Service.
If you use Kubernetes, enter kubectl instead of oc.
Procedure
Run the following command to enable the IAM OpenID Connect (OIDC) provider for your EKS cluster:
$ eksctl utils associate-iam-oidc-provider --cluster <cluster_name> --approve- Create an IAM role for your EKS cluster.
Edit the permission policy of the role and grant the permissions required by the integration. For example:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:ListImages" ], "Resource": "arn:aws:iam::<ecr_registry>:role/<role_name>" } ] }Update the trust relationship for the role that you want to assume:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<ecr-registry>:role/<role_name>" ] }, "Action": "sts:AssumeRole" } ] }where:
<ecr-registry>-
Specifies the
<role_name>, which should match with the new role that you have created in the earlier steps.
Enter the following command to associate the newly created role with a service account:
$ oc -n stackrox annotate sa central eks.amazonaws.com/role-arn=arn:aws:iam::67890:role/<role_name>Enter the following command to restart the Central pod and apply the changes:
$ oc -n stackrox delete pod -l "app in (central,sensor)"
19.1.2. Configuring OpenShift Container Platform
When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on OpenShift Container Platform, you can configure short-lived tokens through the Amazon Secure Token Service.
Prerequisites
- You must have a public OpenID Connect (OIDC) configuration bucket with the OpenShift Container Platform service account signer key. To get the OIDC configuration for the OpenShift Container Platform cluster, Red Hat recommends using the instructions at Cloud Credential Operator in manual mode for short-term credentials.
- You must have access to AWS IAM and the permissions to create and change roles.
Procedure
-
Follow the instructions at Creating OpenID Connect (OIDC) identity providers to create web identity of the OpenShift Container Platform cluster. Use
openshiftas the value for Audience. - Create an IAM role for the web identity of the OpenShift Container Platform cluster.
Edit the permission policy of the role and grant the permissions required by the integration. For example:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:ListImages" ], "Resource": "arn:aws:iam::<ecr_registry>:role/<role_name>" } ] }Update the trust relationship for the role that you want to assume:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "<oidc_provider_arn>" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "<oidc_provider_name>:aud": "openshift" } } } ] }Set the following RHACS environment variables on the Central or Sensor deployment:
AWS_ROLE_ARN=<role_arn> AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/openshift/serviceaccount/token
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}