Is it possible to enable client certificate authentication in EKS?

12/23/2019

Searching through the Internet, I have seen that EKS only enables IAM authentication for IAM users.
Is it possible to configure client certificate authentication manually? I mean, create Kubernetes users and roles internally and not use IAM authentication.

-- Juanjo
amazon-iam
authentication
eks
kubernetes

1 Answer

1/3/2020

Kubernetes supports several authentication modules, for example:

  • X509 client certificates
  • Service account tokens
  • OpenID Connect tokens
  • Webhook token authentication
  • Authenticating proxy, etc.

You can find more details regarding them in the official documentation.

However, Amazon EKS uses only one specific authentication method, an implementation of webhook token authentication, to authenticate Kube API requests. This webhook service is implemented by an open source tool called AWS IAM Authenticator, which has both client and server sides.

In short, the client sends a token (which includes the AWS IAM identity—user or role—making the API call) which is verified on the server side by the webhook service.

So the answer to your question is: if you choose to use EKS, you only have one authentication option, which is IAM.

I hope it helps.

-- OhHiMark
Source: StackOverflow
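
To make the webhook token exchange in the answer concrete, here is an added example (not from the original post and not AWS IAM Authenticator's own code) that decodes a token of the form `k8s-aws-v1.<base64url presigned STS GetCallerIdentity URL>` and applies simplified versions of the structural checks a server would make before asking STS who signed it. The sample token, its access key ID and its all-zero signature are constructed, and the function names are hypothetical; the real webhook also calls STS, which this offline sketch does not.

```python
import base64
from urllib.parse import urlsplit, parse_qs

TOKEN_PREFIX = "k8s-aws-v1."
CLUSTER_ID_HEADER = "x-k8s-aws-id"   # binds the token to one cluster
MAX_EXPIRES = 900                    # seconds (15 minutes)

def make_sample_token(expires="60", signed_headers="host;x-k8s-aws-id"):
    """Constructed token: fake access key id and all-zero signature."""
    url = ("https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity"
           "&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256"
           "&X-Amz-Credential=AKIAEXAMPLEEXAMPLE%2F20200103%2Fus-east-1"
           "%2Fsts%2Faws4_request&X-Amz-Date=20200103T000000Z"
           f"&X-Amz-Expires={expires}&X-Amz-SignedHeaders="
           f"{signed_headers.replace(';', '%3B')}"
           "&X-Amz-Signature=" + "0" * 64)
    raw = base64.urlsafe_b64encode(url.encode()).decode()
    return TOKEN_PREFIX + raw.rstrip("=")

def inspect_token(token):
    """Return (fields, problems) for a token; makes no network call."""
    if not token.startswith(TOKEN_PREFIX):
        return {}, ["missing k8s-aws-v1. prefix"]
    body = token[len(TOKEN_PREFIX):]
    body += "=" * (-len(body) % 4)   # restore stripped padding
    try:
        url = urlsplit(base64.urlsafe_b64decode(body).decode())
    except ValueError:
        return {}, ["payload is not base64url text"]
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    host = url.hostname or ""
    fields = {"host": host, "action": q.get("Action"),
              "access_key_id": q.get("X-Amz-Credential", "").split("/")[0],
              "expires": q.get("X-Amz-Expires", ""),
              "signed_headers": q.get("X-Amz-SignedHeaders", "").split(";")}
    problems = []
    if url.scheme != "https" or not (host.startswith("sts.")
                                     and host.endswith(".amazonaws.com")):
        problems.append("not an https STS endpoint")
    if fields["action"] != "GetCallerIdentity":
        problems.append("Action is not GetCallerIdentity")
    if CLUSTER_ID_HEADER not in fields["signed_headers"]:
        problems.append("x-k8s-aws-id is not a signed header")
    exp = fields["expires"]
    if not exp.isdigit() or not 0 < int(exp) <= MAX_EXPIRES:
        problems.append("X-Amz-Expires outside 1..900 seconds")
    return fields, problems
```

Because the token is a short-lived bearer credential, treat the decoded URL like a secret when inspecting real tokens and keep it out of logs.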