Posted On: Mar 8, 2021
Amazon Elastic Kubernetes Service (Amazon EKS) now supports using OpenID Connect (OIDC) compatible identity providers as a user authentication option to Kubernetes clusters. With OIDC authentication, you can manage user access to EKS clusters by using the standard procedures in your organization for creating, enabling, and disabling employee accounts.
EKS already includes native support for Amazon Web Services IAM users and roles as entities that can authenticate against a cluster, removing the burden from cluster administrators of having to maintain a separate identity provider to manage users. This IAM-to-Kubernetes integration enables you to securely manage cluster access by leveraging IAM features such as CloudTrail audit logging and multi-factor authentication. However, at some organizations, development teams don't have administrative access to Amazon Web Services, and creating an IAM user or role for each developer who needs access to a cluster can be a time-consuming task.
With EKS support for OIDC identity providers as an additional authentication option, you can manage developer access to your clusters by using the standard procedures in your organization for creating, enabling, and disabling employee accounts. OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It adds a thin identity layer on top of OAuth 2.0 that supplies login and profile information about the user who is logged in.
You can associate an OIDC-compatible identity provider with clusters running Kubernetes version 1.16 and above, using the EKS console, CLI, or eksctl. This feature is available in all regions where EKS is available, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more, visit the Amazon EKS documentation.
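As an added illustration (not part of the announcement or of AWS documentation), the eksctl route looks like this: an eksctl ClusterConfig that associates an OIDC provider, followed by a namespaced Kubernetes RoleBinding that grants a provider-asserted group read-only access. The cluster name, region, issuer URL, client ID, claim names and group name are placeholders, and the `eksctl associate identityprovider -f` and `kubectl apply -f` invocations named in the comments are assumed to be the commands used to apply each document. OIDC only authenticates the user; what they may do is still decided entirely by RBAC, which is why the binding below is a Role in one namespace rather than cluster-admin.

```yaml
# Document 1: eksctl ClusterConfig (assumed applied with
#   eksctl associate identityprovider -f this-file.yaml)
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: example-cluster          # placeholder cluster name
  region: us-west-2              # placeholder region
identityProviders:
  - name: corp-oidc              # placeholder config name
    type: oidc
    issuerURL: https://login.example.com/   # placeholder issuer
    clientID: eks-kubectl-client            # placeholder client id
    usernameClaim: email
    # Prefixes keep provider-supplied names from ever colliding with
    # built-in Kubernetes identities such as "system:masters" or
    # "system:kube-controller-manager".
    usernamePrefix: "oidc:"
    groupsClaim: groups
    groupsPrefix: "oidc:"
    # Optional extra gate: a token is rejected unless the claim matches.
    requiredClaims:
      hd: example.com            # placeholder claim/value
---
# Document 2: Kubernetes RBAC (assumed applied with kubectl apply -f)
# Binds the prefixed group to a namespaced, read-only Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: team-a              # placeholder namespace
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers-read
  namespace: team-a
subjects:
  - kind: Group
    # Must include the groupsPrefix configured above, or it never matches.
    name: "oidc:team-a-developers"   # placeholder group from the IdP
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Disabling the employee's account at the identity provider stops new tokens from being issued, but tokens already held remain valid until they expire, so keep the provider's token lifetime short.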