Multi-Factor Authentication Support for OCI Container Engine for Kubernetes (OKE)

September 7, 2021 | 5 minute read
Mickey Boxell
Product Management

Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE) supports multi-factor authentication (MFA). Multi-factor authentication uses more than one factor to verify your identity. This approach provides you with an option to enhance the security of authenticating to the Kubernetes API using the already-strong OCI CLI sign-in process by requiring an extra layer of verification of your identity.

When you sign into OCI after enabling MFA in the OCI Identity and Access Management (IAM) service, you will be prompted for a username and password. This is the first factor. You are then prompted for the second factor: a second verification code from a registered MFA device that can generate a time-based one-time password (TOTP). 

The same applies to users running commands with the Kubernetes command line tool, kubectl. Once an IAM policy requires MFA-verified access to an OKE cluster, users must update their kubeconfig file and authenticate their OCI CLI session with a username, a password, and a second factor before running kubectl commands. Users who do not do so will find their kubectl commands failing. This extra step serves security-conscious customers that require multi-factor authentication for access to their Kubernetes clusters.

OKE and kubeconfig

You can generate a kubeconfig file directly from the OCI CLI with the command, oci ce cluster create-kubeconfig. The default kubeconfig file created through the OCI CLI includes a command to dynamically generate an authentication token and insert it when you run a kubectl command. The authentication tokens generated by the CLI command in the kubeconfig file are short-lived, cluster-scoped, and specific to individual users. As a result, these files cannot be shared between users to access Kubernetes clusters.

Sometimes the automatically generated authentication tokens are unsuitable, for example when other processes and tools, such as a continuous integration and delivery (CI/CD) pipeline, need to access the cluster. In this case, you can create a Kubernetes service account and add its associated authentication token to the kubeconfig file. For more information, see Adding a service account authentication token to a kubeconfig file. This approach is less secure than using authentication tokens generated by the OCI CLI, because the service account token is long-lived and usable by anyone who obtains the file, but it may be appropriate for your use case.

Enabling MFA strengthens the already strong approach to authentication provided by the default kubeconfig file created through the OCI CLI. Security-conscious organizations can define an IAM policy that restricts OKE cluster access to only users who have been verified with multi-factor authentication (MFA). If such a policy exists, you must enable MFA verification for your IAM user and add --profile and --auth arguments to your kubeconfig file to access the cluster using kubectl.

Kubernetes MFA Example

To demonstrate the usage of multi-factor authentication in an OKE environment, I began by creating a user called MFA-User. I logged into the OCI Console and navigated to the User Details page, where I enabled multi-factor authentication. Next, I installed Oracle Mobile Authenticator on my phone and used my phone to scan the QR code from the Console to get the verification code needed to configure the new user’s account.

A screenshot of the MFA-User details page.

Next, I created a group for MFA users called MFA-Users and added the MFA-User to the group. After adding the user to the group, I created a policy for the group. MFA policies require the condition clause where request.user.mfaTotpVerified='true' to restrict the access granted through a policy to only MFA-verified users. In this example, I created a permissive policy that applied to all resources in my tenancy: ALLOW GROUP MFA-Users to manage all-resources in the tenancy, where request.user.mfaTotpVerified='true'. This restricted access to resources in my tenancy to only MFA-verified users. I named the policy MFA-Admin and applied the policy to all users in the group.

A screenshot of the Create Policy page with details filled in.

Next, I used the Access Cluster button on the Cluster Details page to set up the kubeconfig file for an existing cluster my MFA-User had access to.

A screenshot of the Access Your Cluster window with Local Access selected.

After downloading my kubeconfig file, I added --profile and --auth arguments to the exec section of the user entry to enable my MFA-verified user to access the cluster using kubectl. The <profile-name> is the name of the MFA-verified user’s profile, defined when I authenticated my OCI CLI session with MFA.

    - --profile
    - <profile-name>
    - --auth
    - security_token
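The two arguments above have to be present on every OCI exec entry in the kubeconfig, and a file that is missing them silently falls back to the default (API key) authentication, which the MFA policy then rejects. The script below is an added example, not code from the post or from Oracle: it audits a kubeconfig for OCI exec entries that lack the --profile/--auth pair and patches them in. It works on the nested dict that yaml.safe_load would produce from the file written by oci ce cluster create-kubeconfig; the embedded sample kubeconfig is constructed for the example, and its cluster OCID, region and profile name are placeholders.

```python
"""Audit and patch OCI exec entries in a kubeconfig for MFA session auth.

Added example (not from the original post). The kubeconfig is handled as
the dict that yaml.safe_load would return; the sample below is constructed
and its OCID/region/profile values are placeholders.
"""
import copy

# Constructed sample: the shape of the user entry the OCI CLI writes, before
# any --profile / --auth arguments have been added.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "cluster-example",
                  "cluster": {"server": "https://127.0.0.1:6443"}}],
    "contexts": [{"name": "context-example",
                  "context": {"cluster": "cluster-example", "user": "user-example"}}],
    "current-context": "context-example",
    "users": [{
        "name": "user-example",
        "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "oci",
            "args": ["ce", "cluster", "generate-token",
                     "--cluster-id", "ocid1.cluster.oc1.iad.PLACEHOLDER",
                     "--region", "us-ashburn-1"],
            "env": [],
        }},
    }],
}


def _flag_value(args, flag):
    """Return the value that follows `flag` in an exec args list, or None."""
    for i, arg in enumerate(args):
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def _oci_exec(user_entry):
    """The exec block of a user entry if it invokes the OCI CLI, else None.
    Static tokens and service-account entries are out of scope here."""
    exec_cfg = user_entry.get("user", {}).get("exec")
    if exec_cfg and exec_cfg.get("command") == "oci":
        return exec_cfg
    return None


def uses_mfa_session(user_entry):
    """True if the OCI exec plugin is pinned to a named profile and to
    security_token auth, the two arguments the post adds."""
    exec_cfg = _oci_exec(user_entry)
    if exec_cfg is None:
        return False
    args = exec_cfg.get("args", [])
    return (_flag_value(args, "--auth") == "security_token"
            and _flag_value(args, "--profile") is not None)


def audit(config):
    """Names of OCI exec users that would still use default (API key) auth
    instead of an MFA-verified session, and so fail under the MFA policy."""
    return [u["name"] for u in config.get("users", [])
            if _oci_exec(u) is not None and not uses_mfa_session(u)]


def add_mfa_args(config, profile):
    """Return a copy of `config` with `--profile <profile> --auth
    security_token` on every OCI exec entry. Existing --profile/--auth
    pairs are replaced rather than duplicated; the input is not modified."""
    patched = copy.deepcopy(config)
    for user_entry in patched.get("users", []):
        exec_cfg = _oci_exec(user_entry)
        if exec_cfg is None:
            continue
        cleaned, skip_next = [], False
        for arg in exec_cfg.get("args", []):
            if skip_next:            # drop the value of a stale flag
                skip_next = False
                continue
            if arg in ("--profile", "--auth"):
                skip_next = True
                continue
            cleaned.append(arg)
        exec_cfg["args"] = cleaned + ["--profile", profile,
                                      "--auth", "security_token"]
    return patched


if __name__ == "__main__":
    print("entries missing MFA args:", audit(SAMPLE_KUBECONFIG))
    fixed = add_mfa_args(SAMPLE_KUBECONFIG, "mfa-profile")  # placeholder name
    print("after patching:", audit(fixed))
    # For a real file: yaml.safe_load(open(path)) -> add_mfa_args -> yaml.safe_dump
```

Running the script reports the sample user entry as missing the MFA arguments and an empty list after patching. Pointing the audit at the kubeconfig files your team distributes is a cheap way to confirm that nobody is still carrying an entry that will fail (or, worse, quietly use API-key auth) once the MFA policy is in place.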

With my setup finished, I tested out my cluster access using kubectl without authenticating my OCI CLI session with MFA.

$ kubectl get pods
error: You must be logged in to the server (Unauthorized)

Next, I authenticated my session using the command, $ oci session authenticate --region iad. IAD (Ashburn) is the region of my Kubernetes cluster. This command opened a browser where I logged into OCI and provided the one-time password from my Oracle Mobile Authenticator app.

A screenshot of the Multi-Factor Authentication page in the Console.

Entering the correct time-based one-time password resulted in an output of “Authorization completed!” In the command line, I received the response “Completed browser authentication process!” and was prompted to enter the name of the profile to create. I entered the same <profile-name> that I used when updating my kubeconfig file. Then I ran the command again:

$ kubectl get pods
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-66b6c48dd5-2jc6b   1/1     Running   0          20d
nginx-deployment-66b6c48dd5-c5fjz   1/1     Running   0          20d
nginx-deployment-66b6c48dd5-j2pns   1/1     Running   0          20d
Next steps

After reading this blog, I hope that you test out MFA for yourself and consider how you can use it to improve your organization’s security posture. For more information on using MFA in your OCI tenancy, refer to Managing Multi-Factor Authentication, and for more information about using it with Oracle Cloud Infrastructure Container Engine for Kubernetes, refer to Setting Up Cluster Access.

Mickey Boxell

Product Management

Product Manager on the Oracle Containers and Kubernetes Services team.
