keycloak

Keycloak

Keycloak OIDC

EKS

Associate Identity Provider

EKS -> Cluster -> <cluster> -> Configuration -> Authentication -> Associate Identity Provider

Name: <name>
Issuer URL: https://<keycloakHost>/realms/<realm>
Client ID: <clientId>
Username claim: <email|prefferd_username>
Groups claim: groups

warning

설정이 반영되는 데 걸리는 시간은 30분 내외입니다.
Username claim을 email로 설정할 경우 Token에서 email_verified: true를 확인합니다.

kubectl

kubectl krew install oidc-login

users:
  - name: <name>
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        command: kubectl
        args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=https://<keycloakHost>/realms/<realm>
          - --oidc-client-id=<clientId>
          - --oidc-client-secret=<clientSecret>

info

인증이 안되면 ClowdWatch에서 EKS의 kube-apiserver의 로그를 확인해 주세요.

Reference

https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html

Keycloak​

EKS​

Associate Identity Provider​

kubectl​

Reference​

Keycloak

EKS

Associate Identity Provider

kubectl

Reference