Feb 10, 2025

Warning

This article was automatically translated by OpenAI (gpt-4o-mini). It may be edited eventually, but please be aware that it may contain incorrect information at this time.

Using Cognito for OIDC integration with MicroK8s.

Refer to here for the installation of MicroK8s.

Assuming that the Cognito User Pool has already been created, create a client.

Click on "Create app client".

image

Set "Application Type" to "Traditional web application" and enter microk8s in "Name your application". Set http://localhost:8000 (the callback URL for kubelogin) in "Return URL" and click the "Create app client" button.
(The screenshot shows http://localhost:18000, but it should be http://localhost:8000.)
image

Although not mandatory, it is safer to add http://localhost:18000 as a fallback port in case the local 8000 port is already in use.

image

Copy the "Client ID" and "Client secret" from the "App client information" panel.

image

Copy the portion of the "Token signing key URL" in the User Pool's "Overview" panel that precedes /.well-known/jwks.json; this is the issuer URL used below.

image

Log in to the server where the MicroK8s control plane is installed and modify /var/snap/microk8s/current/args/kube-apiserver.

Adjust the variables according to your environment and execute the following command.

OIDC_ISSUER_URL=https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_tv3NHZAKO
OIDC_CLIENT_ID=3ftgo86lgdb2mb0fr0jho761q9
OIDC_USERNAME_CLAIM=email
OIDC_GROUPS_CLAIM=cognito:groups

# tee -a appends to the existing args file, so run this only once
cat <<EOF | sudo tee -a /var/snap/microk8s/current/args/kube-apiserver
--oidc-issuer-url=${OIDC_ISSUER_URL}
--oidc-client-id=${OIDC_CLIENT_ID}
--oidc-username-claim=${OIDC_USERNAME_CLAIM}
--oidc-username-prefix=oidc:
--oidc-groups-claim=${OIDC_GROUPS_CLAIM}
--oidc-groups-prefix=oidc:
EOF

Restart MicroK8s.

sudo snap restart microk8s
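Two small checks for the steps above, added here as an example and not part of the original post or of MicroK8s: one derives the issuer URL from the Cognito "Token signing key URL", the other verifies that the kube-apiserver args file carries each --oidc-* flag exactly once (tee -a appends, so a second run of the step above would leave duplicate flags). Function names and the constructed sample file are my own.

```shell
#!/bin/sh
# Added example: helper checks for the Cognito/MicroK8s OIDC setup (not project code).

# issuer_from_jwks_url: print the OIDC issuer URL given the Cognito
# "Token signing key URL", i.e. strip the /.well-known/jwks.json suffix.
# Returns 1 if the argument does not end with that suffix.
issuer_from_jwks_url() {
  case "$1" in
    */.well-known/jwks.json) printf '%s\n' "${1%/.well-known/jwks.json}" ;;
    *) return 1 ;;
  esac
}

# oidc_args_ok: check a kube-apiserver args file.
# Succeeds only if no --oidc-* flag appears more than once and the four
# flags the API server needs for this setup are all present.
oidc_args_ok() {
  flags=$(sed -n 's/^\(--oidc-[a-z-]*\)=.*/\1/p' "$1")
  # any duplicated flag name means the append step ran more than once
  [ -z "$(printf '%s\n' "$flags" | sort | uniq -d)" ] || return 1
  for req in issuer-url client-id username-claim groups-claim; do
    printf '%s\n' "$flags" | grep -qx -- "--oidc-$req" || return 1
  done
}

# Usage (assumes the args file path from the post):
#   oidc_args_ok /var/snap/microk8s/current/args/kube-apiserver && echo "OIDC args look consistent"
```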

Assume that the Cognito group for admin users is platform-engineer. Execute the following command to bind the cluster-admin ClusterRole to this group.

kubectl create clusterrolebinding cluster-admin-platform-engineer --clusterrole=cluster-admin --group=oidc:platform-engineer

Install kubelogin from https://github.com/int128/kubelogin#getting-started and add a Cognito user to the current kubectl context with the following command.

OIDC_ISSUER_URL=https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_tv3NHZAKO
OIDC_CLIENT_ID=3ftgo86lgdb2mb0fr0jho761q9
OIDC_CLIENT_SECRET=********

kubectl config set-credentials cognito \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url=${OIDC_ISSUER_URL} \
  --exec-arg=--oidc-client-id=${OIDC_CLIENT_ID} \
  --exec-arg=--oidc-client-secret=${OIDC_CLIENT_SECRET}
 
kubectl config set-context --current --user=cognito

Execute the following command.

kubectl auth whoami

The Cognito login screen will appear, so log in.

image

Upon successful login,

image

the Username and Groups will be mapped as follows.

$ kubectl auth whoami
ATTRIBUTE   VALUE
Username    oidc:makingx@gmail.com
Groups      [oidc:platform-engineer system:authenticated]