Cloud Experts Documentation

Extending ROSA STS to include authentication with AWS Services

Last edited
Published
Authors
Connor Wooley
Tags: AWS ROSA STS

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

In this example we will deploy the Amazon Ingress Controller that uses ALBs, and configure it to use STS authentication.

Deployment

Configure STS

  1. Make sure your cluster has the pod identity webhook

    kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io pod-identity-webhook

  2. Download the IAM Policy for the AWS Load Balancer Hooks

    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.0/docs/install/iam_policy.json

  3. Create AWS Role with inline policy

    aws iam create-role \
  --role-name AWSLoadBalancerController --query Policy.Arn --output text

  4. Create AWS Policy and Service Account

    POLICY_ARN=$(aws iam create-policy --policy-name "AWSLoadBalancerControllerIAMPolicy" --policy-document file://iam_policy.json --query Policy.Arn --output text)
echo $POLICY_ARN

  5. Create service account

    Note I had issues with the policy, and for now just gave this user admin creds. Need to revisit and figure out.

    SA_ARN=$(aws iam create-user --user-name aws-lb-controller --permissions-boundary=$POLICY_ARN --query User.Arn --output text)

  6. Create access key

    ACCESS_KEY=$(aws iam create-access-key --user-name aws-lb-controller)

  7. Attach policy to user

  8. Paste the AccessKeyId and SecretAccessKey into values.yaml

  9. tag your public subnet with ``

  10. Create a namespace for the controller

    kubectl create ns aws-load-balancer-controller

  1. Apply CRDs

    kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"

  2. Add the helm repo and install the controller (install helm3external link (opens in new tab) if not already)

    helm repo add eks https://aws.github.io/eks-charts
helm install -n aws-load-balancer-controller \
  aws-load-balancer-controller eks/aws-load-balancer-controller \
  --values=./helm/values.yaml --create-namespace

Deploy Sample Application

oc new-project demo
oc new-app https://github.com/sclorg/django-ex.git
kubectl -n demo patch service django-ex -p '{"spec":{"type":"NodePort"}}'

kubectl apply -f ingress.yaml

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

GitHub Edit this page
Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now © 2023 Red Hat, Inc.