
Add support for kubernetes OIDC

Open EvanBoyle opened this issue 1 year ago • 5 comments

Kubernetes supports OIDC. It would be great if I could create an environment that could issue short-term credentials that enable `esc run -- kubectl apply ...`.

EvanBoyle, Oct 17 '23 00:10

Just so I fully understand, this would require that the Pulumi Cloud can communicate and authenticate with the cluster over the Internet, at least based on the current architecture, correct? Do we anticipate that will be a commonly acceptable situation? If yes, great; if not, thoughts on how we can use the same security model we have for Pulumi IaC to have the client (CLI) do the comms/auth heavy lifting?

joeduffy, Oct 17 '23 04:10

> `esc run -- kubectl apply ...`

You can already do this via injecting a kubeconfig into the environment, right?

And my understanding of Kubernetes OIDC (which might be inaccurate), was just that it allowed the kubeconfig to not include a static credential but to include information which could be used to allow a user to authenticate using other credentials (like an IAM role). And I believe all of that can also be done already via ESC.

Two questions:

  1. What exactly do we think cannot be done already today by ESC that we want to track adding support for here?
  2. Should we repurpose this to write a guide to using ESC with Kubernetes (using already available support)?

lukehoban, Oct 17 '23 04:10

> You can already do this via injecting a kubeconfig into the environment, right?

Yes, that's right. Kubernetes OIDC allows you to integrate with an external OIDC provider to manage access to the k8s API, but doesn't have a built-in provider.

> 1. What exactly do we think cannot be done already today by ESC that we want to track adding support for here?

It's possible that we'd want to add ESC providers for some common OIDC providers to fetch login creds. I'm not familiar with the specifics, but I think the major managed k8s services offer OIDC providers that might be a good place to start.

> 2. Should we repurpose this to write a guide to using ESC with Kubernetes (using already available support)?

We should definitely write a guide for authenticating to a k8s cluster using a kubeconfig. OIDC integration would be a more advanced use case.

lblackstone, Oct 17 '23 16:10
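A concrete form of the kubeconfig-injection approach the two comments above describe, as an added example that is not code from this thread or from the pulumi/esc project. The environment obtains short-lived AWS credentials through ESC's OIDC integration, and the kubeconfig it projects carries no static credential: its user entry is an exec plugin that asks `aws eks get-token` for a token at call time. The `files` key is assumed to behave as in later ESC documentation (it is the file projection the last comment in the thread refers to as not yet merged); the role ARN, cluster name, endpoint and CA data are placeholders.

```yaml
# Added example, not from the pulumi/esc project. Placeholders: the role ARN,
# cluster name, API endpoint and CA data. Assumes ESC's `files` key writes the
# value to a temp file and sets the named environment variable to its path.
values:
  aws:
    login:
      # Pulumi Cloud exchanges its own OIDC token for STS credentials.
      # Only STS is contacted from the cloud; the cluster is not.
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::123456789012:role/esc-eks-deployer   # placeholder
          sessionName: esc-kubectl
  environmentVariables:
    # Short-lived credentials handed to the local process that `esc run` starts.
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    AWS_REGION: us-west-2
  files:
    # kubectl reads KUBECONFIG as a path; ESC materialises this content there.
    KUBECONFIG: |
      apiVersion: v1
      kind: Config
      clusters:
      - name: example-cluster
        cluster:
          server: https://EXAMPLE.gr7.us-west-2.eks.amazonaws.com   # placeholder
          certificate-authority-data: <base64-cluster-ca>              # placeholder
      contexts:
      - name: esc
        context:
          cluster: example-cluster
          user: esc-oidc-user
      current-context: esc
      users:
      - name: esc-oidc-user
        user:
          # No token here: kubectl runs this command on every request and
          # it signs a presigned STS request with the credentials above.
          exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            command: aws
            args: ["eks", "get-token", "--cluster-name", "example-cluster", "--region", "us-west-2"]
```

With this in place the original request reads `esc run my-org/my-project/eks-dev -- kubectl apply -f deploy.yaml` (environment name is a placeholder). Two practitioner checks: the exec plugin runs in the CLI's own network, so the cluster endpoint never has to be reachable from Pulumi Cloud, which answers the connectivity concern raised earlier in the thread; and the IAM role still has to be mapped to a Kubernetes identity on the cluster side (the `aws-auth` ConfigMap or EKS access entries) with RBAC that permits the `apply`, otherwise the token is accepted by STS but rejected by the API server.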

Another angle: Kubernetes has support for issuing an OIDC token to a pod (via volume projection), representing the pod's identity for the purposes of authenticating to an external system. This could be used to authenticate a state backend, and could also be used by a Pulumi provider to authenticate to a cloud service. Perhaps ESC could play a role in configuring the program to use such a token. See https://github.com/pulumi/pulumi-cloud-requests/issues/115.

EronWright, Oct 19 '23 00:10
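The pod-side mechanism the comment above refers to, as an added example that is not from this thread or from the linked issue. A Pod requests a service account token with an explicit audience through a projected volume and hands it to the AWS SDK via the standard web-identity variables, so a Pulumi program (or any provider built on that SDK) authenticates as the pod without a stored cloud secret. Namespace, service account, role ARN and image are placeholders; the IAM role's trust policy is assumed to name this cluster's OIDC issuer and to check both the `aud` and `sub` claims.

```yaml
# Added example, not from the pulumi/esc project. Placeholders: namespace,
# service account, role ARN, image and stack name.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pulumi-deployer
  namespace: ci
---
apiVersion: v1
kind: Pod
metadata:
  name: pulumi-up
  namespace: ci
spec:
  serviceAccountName: pulumi-deployer
  # Do not also mount the default API-server-audience token; drop this line
  # if the program must manage in-cluster resources as well.
  automountServiceAccountToken: false
  containers:
  - name: pulumi
    image: pulumi/pulumi:latest   # placeholder
    command: ["pulumi", "up", "--yes", "--stack", "dev"]
    env:
    # AWS SDKs pick these two up and call STS AssumeRoleWithWebIdentity.
    - name: AWS_ROLE_ARN
      value: arn:aws:iam::123456789012:role/pulumi-deployer   # placeholder
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/tokens/aws-token
    volumeMounts:
    - name: aws-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: aws-token
    projected:
      sources:
      - serviceAccountToken:
          audience: sts.amazonaws.com   # becomes the token's aud claim
          expirationSeconds: 3600       # kubelet rewrites the file before expiry
          path: aws-token
```

The token's `sub` claim is `system:serviceaccount:ci:pulumi-deployer`, so the trust policy should pin both that value and the `sts.amazonaws.com` audience; binding only the issuer would let any service account in the cluster assume the role. Because the kubelet rotates the projected file, long-running programs should re-read it rather than cache its contents, which the AWS SDKs already do for `AWS_WEB_IDENTITY_TOKEN_FILE`.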

I think the functionality @EronWright created (not merged yet) to support file projection meets Evan's original use case. Using the kubectl OIDC provider from outside the cluster requires some very odd connectivity between Pulumi Cloud and the Kubernetes OIDC provider.

cleverguy25, Oct 24 '23 04:10