Kubernetes

There are two ways to integrate your preferred Kubernetes application with Entitle.

Service account authentication

This is the generic way to authenticate against any Kubernetes cluster: Entitle uses a dedicated service account token in the target cluster.

Prerequisites

👉 Note - the following steps are related to EKS only. If you wish to integrate a different Kubernetes type with Entitle - please continue to the next step - Create a Service Account for Entitle.

EKS Prerequisites

Restrict IAM role session name

  • Make sure when users assume roles in your organization their session names are their emails. For more information, please visit Amazon's blog.
  • There should be a policy that looks as shown below (the Condition segment is the most important segment in the policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountNumber>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "sts:RoleSessionName": "${aws:username}"
        }
      }
    }
  ]
}

Edit aws-auth file

aws eks update-kubeconfig --name <ENTER_CLUSTER_NAME> --region <ENTER_CLUSTER_REGION>
kubectl -n kube-system edit configmap aws-auth
  • In general, the configmap is in the format below:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    []
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2022-08-22T14:37:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "71240450"
  uid: 5ca5278b-a553-4617-8e65-d858c400dd72
  • Add the following to the mapRoles section:
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::<ENTER_USER_ACCOUNT_ID>:role/<ENTER_ROLE_NAME_YOUR_USERS_ASSUME>/{{SessionName}}
      username: <ENTER_HERE_PREFIX>:{{SessionName}}
  • Eventually, the configmap should look as follows:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::<ENTER_USER_ACCOUNT_ID>:role/<ENTER_ROLE_NAME_YOUR_USERS_ASSUME>/{{SessionName}}
      username: <ENTER_HERE_PREFIX>:{{SessionName}}
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2022-08-22T14:37:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "71240450"
  uid: 5ca5278b-a553-4617-8e65-d858c400dd72
  • These actions will connect every user assuming the role to a K8S user called: <ENTER_HERE_PREFIX>:{{SessionName}}.
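The two EKS steps above only give Entitle a stable identity if they chain together: the trust policy stops a principal from choosing its own session name, and the aws-auth entry turns that session name into the Kubernetes user <ENTER_HERE_PREFIX>:{{SessionName}}. The following is an added example (not Entitle's code) that checks a trust policy document for the sts:RoleSessionName condition and renders the aws-auth username template for a given session name. The policy documents, the 123456789012 account number and the session names are constructed. One caveat the page does not mention: aws-iam-authenticator transliterates "@" in {{SessionName}} to "-40" (only {{SessionNameRaw}} keeps the e-mail verbatim), so confirm which form your cluster actually produces before relying on the prefix:username mapping.

```python
"""Added example, not Entitle's code: check that the trust policy and the
aws-auth entry chain together, i.e. that a session name the user cannot choose
freely becomes the Kubernetes username Entitle manages.

Policy documents and session names are constructed samples."""
import json

SESSION_NAME_KEY = "sts:RoleSessionName"
USERNAME_VAR = "${aws:username}"


def session_name_problems(policy_json: str) -> list:
    """Findings for every Allow / sts:AssumeRole statement whose Condition does
    not pin the session name to the caller's IAM username. Empty list = OK."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {})
        pinned = any(cond.get(op, {}).get(SESSION_NAME_KEY) == USERNAME_VAR
                     for op in ("StringLike", "StringEquals"))
        if not pinned:
            findings.append(f"statement {i}: sts:AssumeRole without a "
                            f"{SESSION_NAME_KEY} == {USERNAME_VAR} condition")
    return findings


def k8s_username(template: str, session_name: str) -> str:
    """Render an aws-auth 'username' template the way aws-iam-authenticator
    does: {{SessionName}} gets '@' transliterated to '-40', while
    {{SessionNameRaw}} is substituted verbatim."""
    return (template
            .replace("{{SessionNameRaw}}", session_name)
            .replace("{{SessionName}}", session_name.replace("@", "-40")))


# Constructed: the policy from the page with a placeholder account number.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringLike": {SESSION_NAME_KEY: USERNAME_VAR}},
    }],
})

# Constructed: the same policy with the Condition dropped, so any session name
# is accepted and the username mapping below can no longer be trusted.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
    }],
})

if __name__ == "__main__":
    print("good policy findings:", session_name_problems(GOOD_POLICY))
    print("bad policy findings: ", session_name_problems(BAD_POLICY))
    for tmpl in ("entitle:{{SessionName}}", "entitle:{{SessionNameRaw}}"):
        print(tmpl, "->", k8s_username(tmpl, "alice@example.com"))
```

Run `session_name_problems` over the trust policy of the role your users assume (for example the output of `aws iam get-role`, field `AssumeRolePolicyDocument`) before editing aws-auth; an empty list is the precondition for the rest of the procedure.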

Create a service account for Entitle

  • Entitle needs a service account in the targeted cluster to manage the permissions. Below are the steps required to set up the service account.
  • Create the following three files (the names match the kubectl apply commands that follow):
  • entitle-service-account.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: entitle
  namespace: default
  • entitle-service-secret.yaml (the Secret must live in the same namespace as the service account it names):
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: entitle-secret
  namespace: default
  annotations:
    kubernetes.io/service-account.name: "entitle"
  • entitle-cluster-admin.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: entitle-cluster-admin
subjects:
  - kind: ServiceAccount
    name: entitle
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
  • Now, run the following commands:
kubectl apply -f entitle-service-account.yaml
kubectl apply -f entitle-service-secret.yaml
kubectl apply -f entitle-cluster-admin.yaml
  • The ClusterRoleBinding grants the entitle service account the built-in cluster-admin ClusterRole, so the token taken from entitle-secret in the next step is a cluster-wide administrative credential and should be stored and transmitted accordingly.

Set up Kubernetes to work with Entitle

Host

  • The host is the API server endpoint, shown under the cluster's Overview tab.

Service account details

  • Run the following commands to get the ca_cert and token of the service account you created above:
CA_CERT=$(kubectl get secret entitle-secret -o jsonpath='{.data.ca\.crt}' | base64 -d)
TOKEN=$(kubectl get secret entitle-secret -o jsonpath='{.data.token}' | base64 -d)
  • Assume the ca_cert is:
-----BEGIN CERTIFICATE-----
MIIDfTCCAmWgAwIBAgIgeLS4K1Fyx2TnQ4vTC8Ly6iFFLhlQE9WzIAj/ETakA1Yw
DQYJKoZIhvcNAQEFBQAwUjEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsM
-----END CERTIFICATE-----
  • Make sure the ca_cert is a legal JSON string: a single quoted line in which every newline of the PEM is replaced with \n, as follows:
"-----BEGIN CERTIFICATE-----\nMIIDfTCCAmWgAwIBAgIgeLS4K1Fyx2TnQ4vTC8Ly6iFFLhlQE9WzIAj/ETakA1Yw\nDQYJKoZIhvcNAQEFBQAwUjEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsM\n-----END CERTIFICATE-----\n"

👉 Note - the following steps are related to EKS only. If you wish to integrate a different Kubernetes type with Entitle - please continue to the next step - Resource Types.

EKS-related Configuration

User prefix

Resource types (optional)

  • By default the integration fetches roles and cluster roles.
  • If you wish to manage more resource types with Entitle, select them from the list below:
Resource Types
"bindings"
"clusterrolebindings"
"clusterroles"
"componentstatuses"
"configmaps"
"controllerrevisions"
"cronjobs"
"cronjobs/status"
"daemonsets"
"daemonsets/status"
"deployments"
"deployments/scale"
"deployments/status"
"endpoints"
"events"
"jobs"
"jobs/status"
"limitranges"
"namespaces"
"namespaces/finalize"
"namespaces/status"
"nodes"
"nodes/proxy"
"nodes/status"
"persistentvolumeclaims"
"persistentvolumeclaims/status"
"persistentvolumes"
"persistentvolumes/status"
"pods"
"pods/attach"
"pods/binding"
"pods/ephemeralcontainers"
"pods/eviction"
"pods/exec"
"pods/log"
"pods/portforward"
"pods/proxy"
"pods/status"
"podtemplates"
"replicasets"
"replicasets/scale"
"replicasets/status"
"replicationcontrollers"
"replicationcontrollers/scale"
"replicationcontrollers/status"
"resourcequotas"
"resourcequotas/status"
"rolebindings"
"roles"
"secrets"
"serviceaccounts"
"serviceaccounts/token"
"services"
"services/proxy"
"services/status"
"statefulsets"
"statefulsets/scale"
"statefulsets/status"

Setting up the integration in Entitle

  • To set up the Kubernetes integration in Entitle, fill in the following fields:
{
    "host": "<YOUR_HOST>",
    "token": "<SERVICE_ACCOUNT_TOKEN>",
    "ssl_ca_cert_content": "<SSL_CA_CERT_CONTENT>",
    "user_prefix": "<USER_PREFIX>",
    "options": {
        "resource_types": ["<RESOURCE_TYPES_LIST>"]
    }
}
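The fields above are the raw kubectl output from the Service account details step (a multi-line PEM and a service-account JWT) plus the host, prefix and resource types. The following is an added example (not Entitle's code) that assembles that object, lets json.dumps do the \n escaping the page asks for, and sanity-checks the inputs first: the PEM is well-formed, the token's `sub` claim names the entitle service account from the manifests, and every resource type is one the page lists. The PEM body, the JWT and the host name are constructed placeholders, not real credentials; the `sub` check decodes the token without verifying its signature, which is enough to tell which service account it was issued to and nothing more.

```python
"""Added example, not Entitle's code: build and sanity-check the integration
object from the values the CA_CERT / TOKEN commands print.

All credentials below are constructed placeholders."""
import base64
import json

# namespace:name from the ServiceAccount manifest in the procedure above
SERVICE_ACCOUNT_SUBJECT = "system:serviceaccount:default:entitle"

# The resource types the page lists as selectable (roles/clusterroles are the defaults).
DOCUMENTED_RESOURCE_TYPES = set("""
bindings clusterrolebindings clusterroles componentstatuses configmaps
controllerrevisions cronjobs cronjobs/status daemonsets daemonsets/status
deployments deployments/scale deployments/status endpoints events jobs
jobs/status limitranges namespaces namespaces/finalize namespaces/status nodes
nodes/proxy nodes/status persistentvolumeclaims persistentvolumeclaims/status
persistentvolumes persistentvolumes/status pods pods/attach pods/binding
pods/ephemeralcontainers pods/eviction pods/exec pods/log pods/portforward
pods/proxy pods/status podtemplates replicasets replicasets/scale
replicasets/status replicationcontrollers replicationcontrollers/scale
replicationcontrollers/status resourcequotas resourcequotas/status rolebindings
roles secrets serviceaccounts serviceaccounts/token services services/proxy
services/status statefulsets statefulsets/scale statefulsets/status
""".split())


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed stand-in for the token kubectl prints; the signature segment
    is a dummy, so this token cannot authenticate anywhere."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysig"


def jwt_subject(token: str) -> str:
    """Read the 'sub' claim without verifying the signature: enough to confirm
    which service account the secret's token belongs to, nothing more."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def pem_is_wellformed(pem: str) -> bool:
    """Markers on their own lines and a body that decodes as base64: catches a
    certificate mangled by copy/paste or by an over-eager sed."""
    lines = [ln for ln in pem.splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return False
    try:
        return len(base64.b64decode("".join(lines[1:-1]), validate=True)) > 0
    except ValueError:  # binascii.Error is a ValueError
        return False


def build_integration_config(host, token, ca_pem, user_prefix, resource_types):
    """Validate the pieces and return the object to paste into the Entitle form."""
    if not host.startswith("https://"):
        raise ValueError("host must be the API server endpoint, an https:// URL")
    if jwt_subject(token) != SERVICE_ACCOUNT_SUBJECT:
        raise ValueError("token does not belong to the 'entitle' service account")
    if not pem_is_wellformed(ca_pem):
        raise ValueError("ssl_ca_cert_content is not a well-formed PEM certificate")
    unknown = set(resource_types) - DOCUMENTED_RESOURCE_TYPES
    if unknown:
        raise ValueError(f"resource_types not in the documented list: {sorted(unknown)}")
    return {
        "host": host,
        "token": token,
        "ssl_ca_cert_content": ca_pem,  # json.dumps turns the real newlines into \n
        "user_prefix": user_prefix,
        "options": {"resource_types": list(resource_types)},
    }


def sample_config() -> dict:
    """Constructed inputs standing in for the CA_CERT / TOKEN shell variables."""
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + base64.b64encode(b"placeholder, not a real certificate").decode()
           + "\n-----END CERTIFICATE-----\n")
    token = make_unsigned_jwt({"iss": "kubernetes/serviceaccount",
                               "sub": SERVICE_ACCOUNT_SUBJECT})
    return build_integration_config("https://example-cluster.example.com", token,
                                    pem, "entitle", ["roles", "clusterroles", "rolebindings"])


def serialized_config() -> str:
    """The form-ready JSON: one line per field, PEM newlines escaped as \\n."""
    return json.dumps(sample_config(), indent=4)


if __name__ == "__main__":
    print(serialized_config())
```

With real values, replace the body of `sample_config` with `host`, `$TOKEN` and `$CA_CERT` read from your environment; the `ValueError` messages point at the field that is wrong before anything is pasted into the integration form.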

In cluster authentication

This method of authentication uses the pod-based identity of the Entitle-Agent pod.

When you installed Entitle you created a Kubernetes service account for Entitle-Agent; Entitle uses that service account to manage the EKS cluster the agent runs in.

It follows that if you wish to manage several clusters, you need one Entitle-Agent pod in each of them, and each pod manages only the cluster it resides in.

👉 Note - the prerequisites below are only related to EKS. If you wish to integrate a different Kubernetes type with Entitle - please continue to the next step - Setup Kubernetes to Work with Entitle.

EKS Prerequisites

Prerequisites

Restrict IAM role session name

  • Make sure when users assume roles in your organization their session names are their emails. For more information, please visit Amazon's blog.
  • The policy should look as shown below (the Condition segment is the most important segment in the policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountNumber>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "sts:RoleSessionName": "${aws:username}"
        }
      }
    }
  ]
}

Edit aws-auth file

aws eks update-kubeconfig --name <ENTER_CLUSTER_NAME> --region <ENTER_CLUSTER_REGION>
kubectl -n kube-system edit configmap aws-auth
  • In general, the configmap is in the format below:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    []
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2022-08-22T14:37:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "71240450"
  uid: 5ca5278b-a553-4617-8e65-d858c400dd72
  • Add the following to the mapRoles section:
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::<ENTER_USER_ACCOUNT_ID>:role/<ENTER_ROLE_NAME_YOUR_USERS_ASSUME>/{{SessionName}}
      username: <ENTER_HERE_PREFIX>:{{SessionName}}
  • Eventually, the configmap should look as follows:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::<ENTER_USER_ACCOUNT_ID>:role/<ENTER_ROLE_NAME_YOUR_USERS_ASSUME>/{{SessionName}}
      username: <ENTER_HERE_PREFIX>:{{SessionName}}
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2022-08-22T14:37:33Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "71240450"
  uid: 5ca5278b-a553-4617-8e65-d858c400dd72
  • These actions will connect every user assuming the role to a K8S user called: <ENTER_HERE_PREFIX>:{{SessionName}}.

Set up Kubernetes to work with Entitle

👉 Note - the following steps are related to EKS only. If you wish to integrate a different Kubernetes type with Entitle - please continue to the next step - Resource Types.

EKS-related Configuration

User prefix

Resource types (optional)

  • By default the integration fetches roles and cluster roles.
  • If you wish to manage more resource types with Entitle, select them from the list below:
Resource Types
"bindings"
"clusterrolebindings"
"clusterroles"
"componentstatuses"
"configmaps"
"controllerrevisions"
"cronjobs"
"cronjobs/status"
"daemonsets"
"daemonsets/status"
"deployments"
"deployments/scale"
"deployments/status"
"endpoints"
"events"
"jobs"
"jobs/status"
"limitranges"
"namespaces"
"namespaces/finalize"
"namespaces/status"
"nodes"
"nodes/proxy"
"nodes/status"
"persistentvolumeclaims"
"persistentvolumeclaims/status"
"persistentvolumes"
"persistentvolumes/status"
"pods"
"pods/attach"
"pods/binding"
"pods/ephemeralcontainers"
"pods/eviction"
"pods/exec"
"pods/log"
"pods/portforward"
"pods/proxy"
"pods/status"
"podtemplates"
"replicasets"
"replicasets/scale"
"replicasets/status"
"replicationcontrollers"
"replicationcontrollers/scale"
"replicationcontrollers/status"
"resourcequotas"
"resourcequotas/status"
"rolebindings"
"roles"
"secrets"
"serviceaccounts"
"serviceaccounts/token"
"services"
"services/proxy"
"services/status"
"statefulsets"
"statefulsets/scale"
"statefulsets/status"

Setting up the integration in Entitle

  • To set up the Kubernetes integration in Entitle, fill in the following fields:
{
    "user_prefix": "<ENTER_USER_PREFIX>",
    "options": {
        "resource_types": ["<ENTER_LIST_OF_RESOURCE_TYPES>"]
    }
}