$ eksctl utils associate-iam-oidc-provider --cluster <cluster_name> --approve
×
Integrating RHACS using short-lived tokens
With Red Hat Advanced Cluster Security for Kubernetes (RHACS) you can authenticate against selected cloud provider APIs using short-lived tokens. RHACS supports the following cloud provider integrations:
-
Amazon Web Services (AWS) using the Secure Token Service (STS)
-
Google Cloud Platform (GCP) using workload identity federation
RHACS supports short-lived token integrations only when you install RHACS on the following platforms:
-
Elastic Kubernetes Service (EKS) on AWS
-
Google Kubernetes Engine (GKE) on GCP
-
OpenShift Container Platform
To activate short-lived authentication, you must establish trust between your Kubernetes or OpenShift Container Platform cluster and your cloud provider. For EKS and GKE clusters, use the cloud provider metadata service. For OpenShift Container Platform clusters, you need a publicly available OpenID Connect (OIDC) provider bucket containing the OpenShift Container Platform service account signer key.
|
You must establish trust with your cloud provider for every Central cluster that uses the short-lived token integration. However, if you use delegated scanning in combination with short-lived token image integrations, you must also establish trust for the Sensor cluster. |
Configuring AWS Secure Token Service
RHACS integrations can authenticate against Amazon Web Services using
the Secure Token Service. You must configure AssumeRole with RHACS before enabling the Use container IAM role option in integrations.
|
Verify that the AWS role associated with the RHACS pod must have the IAM permissions required by the integration. For example, to set up a container role for integrating with the Elastic Container Registry, enable full read access to the registry. For more information about AWS IAM roles, see IAM roles. |
Configuring Elastic Kubernetes Service (EKS)
When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on EKS, you can configure short-lived tokens through the Amazon Secure Token Service.
Procedure
-
Run the following command to enable the IAM OpenID Connect (OIDC) provider for your EKS cluster:
-
Create an IAM role for your EKS cluster.
-
Edit the permission policy of the role and grant the permissions required by the integration. For example:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:ListImages" ], "Resource": "arn:aws:iam::<ecr_registry>:role/<role_name>" } ] } -
Update the trust relationship for the role that you want to assume:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<ecr-registry>:role/<role_name>" (1) ] }, "Action": "sts:AssumeRole" } ] }1 The <role_name>should match with the new role that you have created in earlier steps. -
Enter the following command to associate the newly created role with a service account:
$ oc -n stackrox annotate sa central eks.amazonaws.com/role-arn=arn:aws:iam::67890:role/<role_name> (1)1 If you use Kubernetes, enter kubectlinstead ofoc. -
Enter the following command to restart the Central pod and apply the changes:
$ oc -n stackrox delete pod -l "app in (central,sensor)" (1)1 If you use Kubernetes, enter kubectlinstead ofoc.
Configuring OpenShift Container Platform
When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on OpenShift Container Platform, you can configure short-lived tokens through the Amazon Secure Token Service.
Prerequisites
-
You must have a public OpenID Connect (OIDC) configuration bucket with the OpenShift Container Platform service account signer key. To get the OIDC configuration for the OpenShift Container Platform cluster, Red Hat recommends using the instructions at Cloud Credential Operator in manual mode for short-term credentials.
-
You must have access to AWS IAM and the permissions to create and change roles.
Procedure
-
Follow the instructions at Creating OpenID Connect (OIDC) identity providers to create web identity of the OpenShift Container Platform cluster. Use
openshiftas the value for Audience. -
Create an IAM role for the web identity of the OpenShift Container Platform cluster.
-
Edit the permission policy of the role and grant the permissions required by the integration. For example:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:ListImages" ], "Resource": "arn:aws:iam::<ecr_registry>:role/<role_name>" } ] } -
Update the trust relationship for the role that you want to assume:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "<oidc_provider_arn>" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "<oidc_provider_name>:aud": "openshift" } } } ] } -
Set the following RHACS environment variables on the Central or Sensor deployment:
AWS_ROLE_ARN=<role_arn> AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/openshift/serviceaccount/token
Configuring Google workload identity federation
RHACS integrations can authenticate against the Google Cloud Platform by using workload identities. Select the Use workload identity option upon creation to enable workload identity authentication in a Google Cloud integration.
|
The Google service account associated with the RHACS pod through the workload identity must have the IAM permissions required by the integration. For example, to set up a workload identity for integrating with Google Artifact Registry, connect a service account with the roles/artifactregistry.reader role. For more information about Google IAM roles see Configure roles and permissions. |
Configuring Google Kubernetes Engine (GKE)
When running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on GKE, you can configure short-lived tokens through Google workload identities.
Prerequisites
-
You must have access to the Google Cloud project containing the cluster and integration resources.
Procedure
-
Follow the instructions in the Google Cloud Platform documentation to Use workload identity federation for GKE.
-
Annotate the RHACS service account by running the following command:
$ oc annotate serviceaccount \ (1) central \ (2) --namespace stackrox \ iam.gke.io/gcp-service-account=<GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com1 If you use Kubernetes, enter kubectlinstead ofoc.2 When setting up delegated scanning, use sensor instead of central.
Configuring OpenShift Container Platform
You can configure short-lived tokens through Google workload identities when running Red Hat Advanced Cluster Security for Kubernetes (RHACS) on OpenShift Container Platform.
Prerequisites
-
You must have a public OIDC configuration bucket with the OpenShift Container Platform service account signer key. The recommended way to obtain the OIDC configuration for the OpenShift Container Platform cluster is to use the Cloud Credential Operator in manual mode for short-term credentials instructions.
-
Access to a Google Cloud project with the roles/iam.workloadIdentityPoolAdmin role.
Procedure
-
Follow the instructions at Manage workload identity pools to create a workload identity pool. For example:
$ gcloud iam workload-identity-pools create rhacs-pool \ --location="global" \ --display-name="RHACS workload pool" -
Follow the instructions at Manage workload identity pool providers to create a workload identity pool provider. For example:
$ gcloud iam workload-identity-pools providers create-oidc rhacs-provider \ --location="global" \ --workload-identity-pool="rhacs-pool" \ --display-name="RHACS provider" \ --attribute-mapping="google.subject=assertion.sub" \ --issuer-uri="https://<oidc_configuration_url>" \ --allowed-audiences=openshift -
Connect a Google service account to the workload identity pool. For example:
$ gcloud iam service-accounts add-iam-policy-binding <GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member="principal://iam.googleapis.com/projects/<GSA_PROJECT_NUMBER>/locations/global/workloadIdentityPools/rhacs-provider/subject/system:serviceaccount:stackrox:central" (1)1 For delegated scanning, set the subject to system:serviceaccount:stackrox:sensor. -
Create a service account JSON containing the Security token service (STS) configuration. For example:
{ "type": "external_account", "audience": "//iam.googleapis.com/projects/<GSA_PROJECT_ID>/locations/global/workloadIdentityPools/rhacs-pool/providers/rhacs-provider", "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<GSA_NAME>@<GSA_PROJECT>.iam.gserviceaccount.com:generateAccessToken", "credential_source": { "file": "/var/run/secrets/openshift/serviceaccount/token", "format": { "type": "text" } } } -
Use the service account JSON as a secret to the RHACS namespace:
apiVersion: v1 kind: Secret metadata: name: gcp-cloud-credentials namespace: stackrox data: credentials: <base64_encoded_json>