Workload Identities
With workload identities, the workloads in a cluster can access cloud services in the same way as IAM users, but without an AK/SK, which reduces the security risk of storing long-lived credentials in the workload.
This section describes how to use workload identities in CCE.
Notes and Constraints
Your clusters must be version 1.19.16 or later.
Procedure
- Obtain the JSON Web Key Set (JWKS) of the cluster (the signature public key of the service account token) from CCE.
- Create an identity provider on the IAM console.
- Deploy the application and bind it with the identity provider.
- Use the OIDC token to access IAM and obtain the IAM token (implemented by you).
- Use the IAM token to access cloud services (implemented by you).
Obtaining JWKS of a CCE Cluster
- Use kubectl to connect to the cluster.
- Run the following command to obtain the public key:
kubectl get --raw /openid/v1/jwks

# kubectl get --raw /openid/v1/jwks
{"keys":[{"use":"sig","kty":"RSA","kid":"XWHyMGivzlc3plctTTG7qupYrjZ6YI8rSudsBr0cRIM","alg":"RS256","n":"8uOBhh4yjDWVnGFxPeuc3NzNIWUbH-WhrzZliIyh88EKRzLbvEAlFRq5sXviNz1IUSAN5mFJZZwMD6pbho1beyGeYXG0Quq4ZYmwSeu7ATEpSuc2ksQmHq7xRzEewKetupA-2oBJaz4LShHpS6bHOnQL5m_OBzd8Eh7t7cEzPX-lD_dD16qqoRO3iPElSlhq0rm2gSe6mirvibQ7NSUjmSJt4LxLVF-lqXgbcfH1JzCoV7Xi1PRc8viCGYPs05o_Bqqm2-XXKqAtwmbMg_Z5NCESmKeJyuRqiFYrw2aCHpQaeVeUnOBabfA1d4crWVG0r_00Fat5yDnQmy5GFUGuSQ","e":"AQAB"}]}
The returned JWKS is the signing public key of the cluster; it is what you enter as the Signing Key of the identity provider.
Configuring an Identity Provider
- Log in to the IAM console, create an identity provider, and select OpenID Connect for Protocol.
- Click OK. After the creation, modify the identity provider information.
Access Type: Select Programmatic access.
Configuration Information
- Identity Provider URL: Enter https://kubernetes.default.svc.cluster.local.
- Client ID: Enter an ID, which will be used when you create a container.
- Signing Key: Enter the JWKS of the CCE cluster obtained in Obtaining JWKS of a CCE Cluster.
Identity Conversion Rules
An identity conversion rule maps the ServiceAccount of a workload to an IAM user group.
For example, create a ServiceAccount named oidc-token in namespace default of the cluster and map it to user group demo. A workload that presents this ServiceAccount's token through the identity provider then has the permissions of the demo user group. The attribute must be sub, and its value has the format system:serviceaccount:Namespace:ServiceAccountName.
Rules are in the JSON format as follows:
[
  {
    "local": [
      { "user": { "name": "test" } },
      { "group": { "name": "demo" } }
    ],
    "remote": [
      {
        "type": "sub",
        "any_one_of": [
          "system:serviceaccount:default:oidc-token"
        ]
      }
    ]
  }
]
- Click OK.
Using a Workload Identity
Create a ServiceAccount. Its name must be the ServiceAccountName used in the identity conversion rule in Configuring an Identity Provider.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-token
Example configuration for the workload:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
      version: v1
  template:
    metadata:
      labels:
        app: nginx
        version: v1
    spec:
      containers:
        - name: container-1
          image: nginx:latest
          volumeMounts:
            - mountPath: "/var/run/secrets/tokens"   # Mount the serviceAccountToken generated by Kubernetes to the /var/run/secrets/tokens/oidc-token file.
              name: oidc-token
      imagePullSecrets:
        - name: default-secret
      serviceAccountName: oidc-token   # Name of the created ServiceAccount
      volumes:
        - name: oidc-token
          projected:
            defaultMode: 420
            sources:
              - serviceAccountToken:
                  audience: workload_identity   # Must be the client ID of the identity provider.
                  expirationSeconds: 7200       # Expiry period
                  path: oidc-token              # Path name, which can be customized.
After the creation, log in to the container. The content of the /var/run/secrets/tokens/oidc-token file is the serviceAccountToken generated by Kubernetes. You can obtain the IAM token by calling the API for obtaining a token with an OpenID Connect ID token, and then access cloud services.

If the serviceAccountToken has been in use for more than 24 hours or for more than 80% of its expiry period, kubelet automatically rotates it, so the application should re-read the file rather than cache the token.
Example:
curl -k https://{{iam endpoint}}/v3.0/OS-AUTH/id-token/tokens -d "${token_body}" -XPOST -H "X-Idp-Id:workload_identity" -H "Content-Type: application/json" -i -s
Where,
- {{iam endpoint}} indicates the endpoint of IAM. For details, see Regions and Endpoints.
- workload_identity is the identity provider name, which is the same as that configured in Configuring an Identity Provider.
- ${token_body} is defined as follows:
{
  "auth": {
    "id_token": {
      "id": "eyJhbGciOiJSU..."   // The value is the content of the /var/run/secrets/tokens/oidc-token file.
    },
    "scope": {
      "project": {
        "id": "46419baef4324...",   // Project ID
        "name": "cn-north-4"        // Project name
      }
    }
  }
}
The X-Subject-Token field in the response header is the IAM token.
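The exchange above, written out as an added Python example (not code from this page or from CCE): it reads the projected token, checks that its sub and aud claims match the identity conversion rule and the client ID before sending it, builds the token body, and reads X-Subject-Token from the response. The IAM endpoint and project ID are placeholders, and the unsigned sample token is constructed only for offline demonstration.

```python
import base64
import json
import urllib.request

TOKEN_PATH = "/var/run/secrets/tokens/oidc-token"  # path set by the projected volume


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here:
    IAM verifies it against the JWKS registered on the identity provider."""
    return json.loads(b64url_decode(token.split(".")[1]))


def claims_match_rule(claims: dict, client_id: str, namespace: str, sa_name: str) -> bool:
    """Pre-flight check: sub must equal the value in the identity conversion rule and
    aud must contain the identity provider's client ID, otherwise IAM rejects the token."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    return claims.get("sub") == f"system:serviceaccount:{namespace}:{sa_name}" and client_id in aud


def token_body(id_token: str, project_id: str, project_name: str) -> dict:
    """Body of the POST to /v3.0/OS-AUTH/id-token/tokens, as shown on the page."""
    return {"auth": {"id_token": {"id": id_token},
                     "scope": {"project": {"id": project_id, "name": project_name}}}}


def exchange_for_iam_token(iam_endpoint: str, idp_id: str, body: dict) -> str:
    """POST the OIDC token to IAM; the IAM token is returned in the X-Subject-Token header."""
    req = urllib.request.Request(
        f"https://{iam_endpoint}/v3.0/OS-AUTH/id-token/tokens",
        data=json.dumps(body).encode(), method="POST",
        headers={"X-Idp-Id": idp_id, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["X-Subject-Token"]


def unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to demonstrate the checks offline."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}."


if __name__ == "__main__":
    with open(TOKEN_PATH) as f:          # re-read on every use: kubelet rotates the token
        tok = f.read().strip()
    if claims_match_rule(jwt_claims(tok), "workload_identity", "default", "oidc-token"):
        body = token_body(tok, "PROJECT_ID_PLACEHOLDER", "cn-north-4")
        print(exchange_for_iam_token("IAM_ENDPOINT_PLACEHOLDER", "workload_identity", body))
```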