Oracle Corporation

10/16/2024 | Press release | Distributed by Public on 10/16/2024 13:20

Announcing OpenId Connect in OCI Kubernetes Engine

OpenID Connect (OIDC) is an open standard authentication protocol built on the OAuth 2.0 framework. It provides a secure and flexible way to authenticate and authorize users within applications and systems.
You might consider OIDC with Oracle Cloud Infrastructure (OCI) Kubernetes Engine (OKE) for the following classes of use cases:
OIDC authentication: Kubernetes users can authenticate to an OKE cluster using a token from an existing OIDC Identity Provider (IdP).
OIDC discovery: You can authorize Kubernetes pods to access non-OCI resources using third-party security token services (STS).
Today, we're happy to announce support for OpenID Connect authentication and discovery in OKE.
OKE OIDC authentication
Users defined in the OCI Identity and Access Management (IAM) service can access OKE clusters. You can also federate users and groups from an external IdP with OCI IAM to grant access to your clusters. However, in some cases, you might prefer to have users from a third-party OIDC IdP directly access your OKE clusters without the need for federation with OCI IAM. OKE's support for OIDC authentication makes this configuration possible.
For example, imagine that you have a Keycloak server where your Kubernetes users are defined. Instead of federating those users with OCI IAM, you can configure OKE to allow them to authenticate directly using an OIDC access token from Keycloak. By updating your OKE cluster to accept Keycloak as a trusted OIDC IdP, users can authenticate to the OKE cluster using their Keycloak access tokens. OKE validates the token against Keycloak before granting access.
As another example, suppose that you want to automate deployments to your OKE cluster using GitHub Actions without managing long-lived credentials. By configuring OKE to accept GitHub's native OIDC authentication, your GitHub Actions workflows can access the cluster securely using short-lived, automatically generated tokens. Check out this post that describes the setup to enable a GitHub Actions workflow to access an OKE cluster using OIDC authentication.
OKE OIDC discovery
OKE already supports Workload Identity to enable Kubernetes pods to access OCI resources, such as a secret or a cloud storage bucket, without storing access credentials in your Kubernetes cluster.
How do you authorize Kubernetes pods to access non-OCI resources? With OKE OIDC discovery. OKE OIDC discovery enables STS running on-premises or in third-party cloud service providers (CSPs), such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), to validate Kubernetes pods running on OKE clusters and authorize them to access non-OCI resources.
When you enable OIDC discovery for an OKE cluster, OKE provides an OIDC issuer endpoint. This endpoint serves the OIDC discovery document and the JSON Web Key Set (JWKS), which contains the public keys needed for token validation. These resources enable third-party identity providers and security token services to validate tokens issued for pods in the OKE cluster, allowing those pods to access non-OCI resources.
The workflow moves through the following steps:
You create pods with a projected service account token.
Your application running on the pods requests an access token for the non-OCI resource from a third-party STS. The application includes the content of the service account token in the request; that token carries the OKE OIDC issuer URL.
The STS, which is configured to trust the OKE OIDC issuer URL, reads the discovery document at the conventional location /.well-known/openid-configuration and, from the JWKS that document points to, obtains the issuer's public key.
The STS validates the authenticity of the pod's token using that public key.
The STS returns an access token to the application running on the pods.
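The exchange in the steps above, written out as an added example that is not part of Oracle's post or of OKE's own code: an in-memory issuer mints an RS256 token shaped like a projected service account token and serves the discovery document and JWKS, and a verifier plays the STS, resolving the issuer's keys through /.well-known/openid-configuration before checking the signature, the time window and the audience. The same validation path is what a cluster's API server performs when it accepts Keycloak or GitHub tokens in the OIDC authentication section, only with the roles of issuer and verifier swapped. The issuer URL, key id, namespace, service account name and audience are constructed placeholders, the Serve method stands in for the HTTPS requests an STS would make, and real projected tokens carry further claims that this example omits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
const kid = "constructed-kid-1" // key id published in the JWKS and named in every token header

// Issuer is a constructed stand-in for the OKE OIDC issuer endpoint: it owns the signing
// key, serves the discovery document and JWKS, and mints projected service account tokens.
type Issuer struct {
	URL string
	key *rsa.PrivateKey
}

// Serve returns the document at a URL, standing in for the HTTPS GET an STS would make.
func (i *Issuer) Serve(url string) ([]byte, error) {
	switch url {
	case i.URL + "/.well-known/openid-configuration":
		return json.Marshal(map[string]string{"issuer": i.URL, "jwks_uri": i.URL + "/keys"})
	case i.URL + "/keys":
		return json.Marshal(map[string][]map[string]string{"keys": {{"kty": "RSA", "kid": kid,
			"n": b64.EncodeToString(i.key.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(i.key.E)).Bytes())}}})
	}
	return nil, fmt.Errorf("not found: %s", url)
}

// MintPodToken builds an RS256 JWT shaped like a projected service account token.
func (i *Issuer) MintPodToken(ns, sa, aud string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(map[string]any{"iss": i.URL, "sub": "system:serviceaccount:" + ns + ":" + sa,
		"aud": []string{aud}, "nbf": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// into returns a decoder that takes a ([]byte, error) pair, so token segments and fetched documents parse alike.
func into(v any) func([]byte, error) bool {
	return func(b []byte, err error) bool { return err == nil && json.Unmarshal(b, v) == nil }
}

// VerifyPodToken is the STS side: trust only the configured issuer, find its keys via discovery, check signature then claims.
func VerifyPodToken(token, issuer, audience string, fetch func(string) ([]byte, error), now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var c struct{ Iss, Sub string; Aud []string; Exp, Nbf int64 } // json matches names case-insensitively
	if len(parts) != 3 || !into(&hdr)(b64.DecodeString(parts[0])) || !into(&c)(b64.DecodeString(parts[1])) {
		return "", errors.New("malformed token")
	}
	if hdr.Alg != "RS256" || c.Iss != issuer { // the token never chooses the alg or the issuer
		return "", errors.New("unexpected alg or issuer")
	}
	var doc map[string]string
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if !into(&doc)(fetch(issuer+"/.well-known/openid-configuration")) || doc["issuer"] != issuer ||
		!into(&set)(fetch(doc["jwks_uri"])) {
		return "", errors.New("discovery or JWKS fetch failed")
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" { // use only the key the header names
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("no matching key or bad signature")
	}
	if now.Unix() >= c.Exp || now.Unix() < c.Nbf || !slices.Contains(c.Aud, audience) {
		return "", errors.New("expired, not yet valid, or wrong audience")
	}
	return c.Sub, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := &Issuer{URL: "https://constructed-oke-issuer.example", key: key}
	now := time.Now()
	tok, _ := iss.MintPodToken("payments", "uploader", "sts.example.com", now, 10*time.Minute)
	fmt.Println(VerifyPodToken(tok, iss.URL, "sts.example.com", iss.Serve, now))
}
```

Two design points carry over to a real STS configuration: the issuer URL and the accepted audience come from the STS's own configuration, never from the token, so the discovery fetch can only ever reach the issuer you already trust; and the key is selected strictly by the kid the token names, so a token signed with any other key, or declaring any other algorithm, is rejected before its claims are even read.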
OKE OIDC Discovery workflow