How to setup Azure AD authentication with AWS EKS kubernetes clusters

I recently worked on setting up Azure Active Directory (AAD from now) authentication with kubernetes clusters running on AWS EKS (Amazon Elastic Kubernetes Service). The goal was to let users of the kubernetes cluster authenticate using their AAD identities, and assing permissions using the usernames and also AAD groups. Here is how I did it.

Read more

How to download the latest release from a Github repository

We often want to download the latest release of an application from Github, however it used to be hard without knowing the latest version. But now we can do the followings:

Moving a blog from Wordpress to Github pages

This blog is hosted on Github pages, which I end up liking a lot, so I decided to move my other blog (originally hosted on Wordpress) too. I was already planning to update the domain of that blog, so I took the opportunity to do both at the same time. Here are the steps I did.

Read more

The security of KeyCloak used as an identity proxy

Recently I was involved in a project where KeyCloak was used as an identity proxy: the target app was configured to use KeyCloak as an SSO, but KeyCloak delegated the authentication further to an other IdP. So on login to the target app, the app would redirect the user to KeyCloak, which would further redirect to the IdP’s login page. Upon authenticating there, the IdP redirected back to KeyCloak, which redirected to the target app. This double-redirect flow happened very fast so it was mostly transparent to the user.

My task was to review the security of this setup and I managed to find a few interesting bugs.

Read more

Authentication using kubernetes service account JWTs

Permissions for a Pod in kubernetes are managed via Service Accounts, and these come with a JWT issued by the cluster. If the Pods need to authenticate to an external service, it would be reasonable to use this JWT, so let’s see how to get it and verify it.

Read more