IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Extending ROSA STS to include authentication with AWS Services

Authors: Connor Wooley
Last Editor: Dustin Scott
Published Date: 4 October 2021
Modified Date: 25 May 2023

In this example we will deploy the Amazon Ingress Controller that uses ALBs, and configure it to use STS authentication.

Deployment

Configure STS

  1. Make sure your cluster has the pod identity webhook

    kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io pod-identity-webhook

  2. Download the IAM Policy for the AWS Load Balancer Hooks

    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.0/docs/install/iam_policy.json

  3. Create AWS Role with inline policy

    aws iam create-role \
  --role-name AWSLoadBalancerController --query Policy.Arn --output text

  4. Create AWS Policy and Service Account

    POLICY_ARN=$(aws iam create-policy --policy-name "AWSLoadBalancerControllerIAMPolicy" --policy-document file://iam_policy.json --query Policy.Arn --output text)
echo $POLICY_ARN

  5. Create service account

    Note I had issues with the policy, and for now just gave this user admin creds. Need to revisit and figure out.

    SA_ARN=$(aws iam create-user --user-name aws-lb-controller --permissions-boundary=$POLICY_ARN --query User.Arn --output text)

  6. Create access key

    ACCESS_KEY=$(aws iam create-access-key --user-name aws-lb-controller)

  7. Attach policy to user

  8. Paste the AccessKeyId and SecretAccessKey into values.yaml

  9. tag your public subnet with ``

  10. Create a namespace for the controller

    kubectl create ns aws-load-balancer-controller

  1. Apply CRDs

    kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"

  2. Add the helm repo and install the controller (install helm3 if not already)

    helm repo add eks https://aws.github.io/eks-charts
helm install -n aws-load-balancer-controller \
  aws-load-balancer-controller eks/aws-load-balancer-controller \
  --values=./helm/values.yaml --create-namespace

Deploy Sample Application

oc new-project demo
oc new-app https://github.com/sclorg/django-ex.git
kubectl -n demo patch service django-ex -p '{"spec":{"type":"NodePort"}}'

kubectl apply -f ingress.yaml