Closed fbuchmeier-abi closed 1 year ago
Short update: I think I found the answer to my question after writing it down, classical rubber :duck:ing. EKS automatically uses this usernamePrefix when the username differs from the email address, see the AWS API docs: https://docs.aws.amazon.com/eks/latest/APIReference/API_OidcIdentityProviderConfigRequest.html

> **usernamePrefix** The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and `username` is a value other than `email`, the prefix defaults to `issuerurl#`. You can use the value `-` to disable all prefixing.
I've disabled the usernamePrefix by setting it to `-` and the result is as expected. The configuration now looks like this for EKS:

```yaml
ClientID: kubernetes
GroupsClaim: groups
GroupsPrefix: null
IssuerURL: https://ou.some.cluster/auth/idp/k8sIdp
Name: openunison
RequiredClaims: null
Status: ACTIVE
Tags: {}
Type: oidc
UsernameClaim: sub
UsernamePrefix: -
```

with `enable_impersonation: false` set in the Helm Release.
> EKS automatically uses this usernamePrefix when the username differs from the email address, see the AWS API docs:
This is how Kubernetes works generally, not just EKS. When OIDC was first built into Kubernetes it was assumed that your API server would support multiple identity providers so they wanted a way to differentiate identity sources. The developers assumed an email address would do that via the domain.
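The prefixing rule quoted from the AWS docs above (and, as the reply notes, the same convention kube-apiserver applies with `--oidc-username-prefix`) is small enough to reproduce exactly, which makes it easy to predict the username your RBAC subjects must reference before touching a cluster. The following is an added example, not code from OpenUnison, EKS or this thread; the issuer URL and e-mail are the ones from the issue, the `oidc:` prefix case is a constructed extra, and `effective_username` / `rbac_subject` are names chosen here.

```python
# Added example (not OpenUnison's or EKS's code): implements the documented
# username-prefix rule so the Kubernetes username an OIDC token maps to can
# be predicted, plus the RBAC subject that grants rights to that username.
#
# Rule (AWS EKS OidcIdentityProviderConfigRequest.usernamePrefix, and
# kube-apiserver --oidc-username-prefix):
#   prefix == "-"                      -> claim value used as-is
#   prefix omitted, claim is "email"   -> claim value used as-is
#   prefix omitted, any other claim    -> "<issuerURL>#" is prepended
#   any other prefix                   -> that prefix is prepended verbatim
from typing import Optional


def effective_username(issuer_url: str, username_claim: str, claim_value: str,
                       username_prefix: Optional[str] = None) -> str:
    """Username the API server will see for a token carrying claim_value."""
    if username_prefix == "-":
        return claim_value
    if username_prefix is None:
        if username_claim == "email":
            return claim_value
        return f"{issuer_url}#{claim_value}"
    return f"{username_prefix}{claim_value}"


def rbac_subject(username: str) -> dict:
    """Subject entry for a (Cluster)RoleBinding that targets this user."""
    return {
        "kind": "User",
        "name": username,
        "apiGroup": "rbac.authorization.k8s.io",
    }


# Values taken from the issue; the "oidc:" prefix case is constructed.
ISSUER = "https://ou.some.cluster/auth/idp/k8sIdp"
USER = "fbuchmeier@example.com"

CASES = {
    "no prefix, UsernameClaim: sub":   effective_username(ISSUER, "sub", USER),
    "no prefix, UsernameClaim: email": effective_username(ISSUER, "email", USER),
    "UsernamePrefix: -, claim: sub":   effective_username(ISSUER, "sub", USER, "-"),
    "UsernamePrefix: oidc:, claim sub": effective_username(ISSUER, "sub", USER, "oidc:"),
}

if __name__ == "__main__":
    for label, name in CASES.items():
        print(f"{label:34} -> {name}")
        print("   RBAC subject:", rbac_subject(name))
```

The first case is exactly the composite username the issue observed with `kubectl whoami`; the third is what `UsernamePrefix: -` produces. Note the trade-off the prefix exists for: once prefixing is disabled, two identity providers on the same cluster that both emit `fbuchmeier@example.com` in the `sub` claim map to the same Kubernetes user, so only disable it when a single issuer is trusted per cluster or the claim values are already globally unique.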
Dear community,
Setting the stage:
I am currently trying to integrate Amazon EKS with two different OIDC providers (Keycloak & Auth0). In my environment, we have multiple clusters and multiple users that want to access those clusters. At the moment we have EKS integrated directly with both providers (on different clusters) and are using Heptio Gangway to generate the kubectl configuration for us.
I have successfully set up OpenUnison (operator + orchestra + login portal), and authentication in the WebApp as well as via `kubectl` is working. However, I now want to grant permissions to specific users as I did before using the direct connection (to Keycloak/Auth0).

When running `kubectl whoami --all` (from a krew plugin) I can see that the user I am authenticated with has changed from:

to:

Since I already have my RBAC in place, managed by the rbac-manager, and I have multiple different clusters (e.g. ou.some.other.cluster), I want to keep my current setup and authorize based on the actual username (here: fbuchmeier@example.com) instead of the composite of issuer (here: https://ou.some.cluster/auth/idp/k8sIdp) and the user.
I already looked at the documentation at OpenUnison - Deploy Auth as well as the default values but did not find an option to configure this.
Do you know if this is currently possible and, if not, which component in OpenUnison is responsible for generating this composite username, so that I could add the configuration and create a corresponding pull request?
Thank you in advance, Florian.