Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use OIDC Provider for Authenticating Kubernetes API Calls

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon EKS clusters are configured to use an OpenID Connect (OIDC) provider for authenticating Kubernetes API calls.

Security
Operational
excellence

Utilizing an OIDC provider to authenticate Kubernetes API calls within Amazon EKS clusters boosts security measures, streamlines integration with external identity providers, empowers precise access control, streamlines user management processes, and aids in meeting compliance standards.

Audit

To determine if your Amazon EKS clusters are using an OIDC provider, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to examine.

05 Select the Overview tab and note the OIDC provider URL, listed under OpenID Connect provider URL.

06 Navigate to Identity and Access Management (IAM) console at https://console.aws.amazon.com/iamv2/.

07 In the main navigation panel, under Access management, choose Identity providers.

08 In the Identity providers section, search for the OIDC provider URL configured for the EKS cluster, identified at step no. 5. If the provider URL configured for your cluster is not listed in the Identity providers section, there is no OIDC provider created for your cluster, therefore the selected Amazon EKS cluster is not using an OIDC provider for authenticating Kubernetes API calls.

09 Repeat steps no. 4 - 8 for each Amazon EKS cluster available within the current AWS region.

10 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EKS cluster available in the selected AWS region: 

aws eks list-clusters
  --region us-east-1
  --output table
  --query 'clusters'

02 The command output should return a table with the requested EKS cluster names: 

---------------------------
|      ListClusters       |
+-------------------------+
| cc-eks-webapp-cluster   |
| cc-eks-project5-cluster |
+-------------------------+

03 Run describe-cluster command (OSX/Linux/UNIX) with custom output filtering to describe the OIDC provider URL configured for the selected Amazon EKS cluster: 

aws eks describe-cluster 
  --region us-east-1 
  --cluster-name cc-eks-webapp-cluster 
  --query 'cluster.identity.oidc.issuer'

04 The command output should return the requested identity provider (IdP) URL: 

"https://oidc.eks.us-east-1.amazonaws.com/id/ABCDABCDABCDABCD1234123412341234"

05 Run list-open-id-connect-providers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name (ARN) of each OIDC provider resource object created with Amazon IAM: 

aws iam list-open-id-connect-providers 
  --output text 
  --query 'OpenIDConnectProviderList'

06 The command output should return the ARN of each OIDC provider resource available. The resource ARN includes the OIDC provider (e.g. oidc.eks.us-east-1.amazonaws.com/id/ABCD1234ABCD1234ABCD1234ABCD1234): 

arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/ABCD1234ABCD1234ABCD1234ABCD1234
arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/1234123412341234ABCDABCDABCDABCD

If the provider URL configured for your cluster, listed at step no. 4, is not a part of a resource ARN returned by the list-open-id-connect-providers command output at step no. 6, there is no OIDC provider created for your cluster, thus the selected Amazon EKS cluster is not using an OIDC provider for authenticating Kubernetes API calls.

07 Repeat steps no. 3 - 6 for each Amazon EKS cluster available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

Remediation / Resolution

To ensure that your Amazon EKS clusters are using an OpenID Connect (OIDC) provider, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to configure.

05 Select the Overview tab and copy the OIDC provider URL, listed under OpenID Connect provider URL.

06 Navigate to Identity and Access Management (IAM) console at https://console.aws.amazon.com/iamv2/.

07 In the main navigation panel, under Access management, choose Identity providers.

08 In the Identity providers section, choose Add provider.

09 For Provider type, choose OpenID Connect.

10 Paste the OIDC provider URL copied at step no. 5 into the Provider URL box and choose Get thumbprint.

11 For Audience, enter sts.amazonaws.com, then choose Add provider to create an OpenID Connect (OIDC) provider resource for your Amazon EKS cluster.

12 Repeat steps no. 4 – 11 for each Amazon EKS cluster provisioned within the current AWS region.

13 Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Define the configuration object required to create a new OIDC provider resource for your EKS cluster and save the object to a JSON file named cc-create-oidc-provider.json. For "Url" use the OIDC provider URL configured for your cluster. For "ThumbprintList", use an OIDC thumbprint obtained by following the instructions available on this page: 

{
	"Url": "https://oidc.eks.us-east-1.amazonaws.com/id/ABCDABCDABCDABCD1234123412341234",
	"ClientIDList": [
		"eks-cluster-client"
	],
	"ThumbprintList": [
		"abcd1234abcd1234abcd1234abcd1234abcd1234"
	]
}

02 Run create-open-id-connect-provider command (OSX/Linux/UNIX) to create an OpenID Connect (OIDC) provider resource for your Amazon EKS cluster, using the configuration file defined at the previous step (i.e. cc-create-oidc-provider.json): 

aws iam create-open-id-connect-provider 
  --cli-input-json file://cc-create-oidc-provider.json

03 The command output should return the ARN of the new OIDC provider resource: 

{
	"OpenIDConnectProviderArn": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/ABCDABCDABCDABCD1234123412341234"
}

04 Repeat steps no. 1 - 3 for each Amazon EKS cluster provisioned in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

Publication date Jul 12, 2023

Related EKS rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Use OIDC Provider for Authenticating Kubernetes API Calls

Risk Level: High