I present to your attention a tutorial on setting up access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

(Image: a local meme from the Russian-language Kubernetes chat)

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster, both to the dashboard and to kubectl. Unlike OpenShift, vanilla Kubernetes has no native authentication, so we use third-party tools for it.

In this configuration we use:

- dex-k8s-authenticator - a web application for generating the kubectl configuration
- Dex - an OpenID Connect provider
- GitHub - simply because we use GitHub in our company

We tried to use Google OIDC, but unfortunately we

So this is how our Kubernetes authorization process looks in a visual representation:

(Image: authorization process)

In a bit more detail, point by point:

- The user logs in to dex-k8s-authenticator (login.k8s.example.com)
- dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
- Dex redirects to the GitHub login page
- GitHub generates the required authorization information and returns it to Dex
- Dex passes the received information to dex-k8s-authenticator
- The user receives an OIDC token from GitHub
- dex-k8s-authenticator adds the token to kubeconfig
- kubectl passes the token to KubeAPIServer
- KubeAPIServer grants access to kubectl based on the token it was passed
- The user gets access via kubectl

Preparatory work

Of course, we already have a Kubernetes cluster installed (k8s.example.com), and HELM installed beforehand to go with it. We also have an organization on GitHub (super-org).

If you don't have HELM, install it.

First we need to set up GitHub.

Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):

(Image: creating a new application on GitHub)

Fill in the fields with the required URLs, for example:

- Homepage URL: https://dex.k8s.example.com
- Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the links: it's important not to lose the slashes.

In response to the completed form, GitHub will generate a Client ID and a Client secret; keep them in a safe place, they will be useful to us (for example, we use Client ID: 1ab2c3d4e5f6g7h8 and Client secret: 98z76y54x32w1).

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates:
cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
  - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
  - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system
The ClusterIssuer named le-clusterissuer should already exist, but if it doesn't, create it using HELM:
helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF
KubeAPIServer configuration

For kubeAPIServer to work, you need to configure OIDC and update the cluster:
kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
...
kops update cluster --yes
kops rolling-update cluster --yes
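The two steps of the flow above where kubectl passes the token to KubeAPIServer and KubeAPIServer decides whether to grant access map directly onto the four kubeAPIServer OIDC settings just shown. The following Python is an added example, not code from the article or from Dex or kops: it mirrors the claim checks the apiserver's OIDC authenticator performs on an ID token (issuer equals oidcIssuerURL, audience contains oidcClientID, token not expired, username taken from the oidcUsernameClaim, groups from the oidcGroupsClaim). The claims in sample_claims() are constructed to look like what the Dex GitHub connector emits for a member of team-red in super-org; the token built by make_unsigned_token() carries a placeholder signature, because signature verification against the issuer's JWKS is assumed to have happened before these checks and is out of scope here.

```python
import base64
import json
import time
from typing import Optional

# kube-apiserver OIDC settings, copied from the kops config on this page.
OIDC_ISSUER_URL = "https://dex.k8s.example.com/"
OIDC_CLIENT_ID = "dex-k8s-authenticator"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sample_claims() -> dict:
    """Constructed ID-token claims shaped like what Dex's GitHub connector emits
    for a member of team-red in super-org (all values are made up for this example)."""
    return {
        "iss": "https://dex.k8s.example.com/",
        "sub": "CgYxMjM0NTYSBmdpdGh1Yg",
        "aud": "dex-k8s-authenticator",
        "exp": 1_700_086_400,
        "iat": 1_700_000_000,
        "email": "alice@example.com",
        "email_verified": True,
        "groups": ["super-org:team-red"],
        "name": "Alice",
    }


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.signature with a placeholder signature.
    Only illustrates the structure; a real Dex token is RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. Signature verification against the
    issuer's JWKS (served by Dex under /keys) is assumed to have been done already."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def authenticate(claims: dict, now: Optional[float] = None) -> dict:
    """Apply the checks the apiserver's OIDC authenticator performs on verified
    claims: issuer, audience, expiry, then username and groups extraction."""
    now = time.time() if now is None else now
    # The issuer must match oidcIssuerURL exactly, trailing slash included.
    if claims.get("iss") != OIDC_ISSUER_URL:
        return {"ok": False, "reason": "issuer mismatch"}
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OIDC_CLIENT_ID not in audiences:
        return {"ok": False, "reason": "audience mismatch"}
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return {"ok": False, "reason": "token expired or missing exp"}
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        return {"ok": False, "reason": f"missing {OIDC_USERNAME_CLAIM} claim"}
    groups = claims.get(OIDC_GROUPS_CLAIM) or []
    return {"ok": True, "username": username, "groups": list(groups)}


if __name__ == "__main__":
    token = make_unsigned_token(sample_claims())
    print(authenticate(decode_claims(token), now=1_700_000_100))
```

The username and groups returned here are what RBAC later evaluates: the group string "super-org:team-red" is the value a ClusterRoleBinding has to name. If the issuer in the Dex config and oidcIssuerURL differ by as little as a trailing slash, every token fails the first check.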
We use kops.

Dex and dex-k8s-authenticator configuration

For Dex to work, you need a certificate and key from the Kubernetes master; let's take them from there:
sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----
Clone the dex-k8s-authenticator repository:
git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/
Using values files, we can flexibly configure the variables for our HELM charts.

Let's describe the configuration for Dex:
cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
  - dex.k8s.example.com
  tls:
  - secretName: cert-auth-dex
    hosts:
    - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
    - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF
And for dex-k8s-authenticator:
cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
  - login.k8s.example.com
  tls:
  - secretName: cert-auth-login
    hosts:
    - login.k8s.example.com
EOF
Install Dex and dex-k8s-authenticator:
helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator
Let's check that the services are working (Dex should return code 400, and dex-k8s-authenticator should return code 200):
curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200
RBAC configuration

Let's create a ClusterRole for the group, in our case with read-only access:
cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
- apiGroups:
  - ""
  - apps
  - autoscaling
  - batch
  - extensions
  - policy
  - rbac.authorization.k8s.io
  - storage.k8s.io
  resources:
  - componentstatuses
  - configmaps
  - cronjobs
  - daemonsets
  - deployments
  - events
  - endpoints
  - horizontalpodautoscalers
  - ingress
  - ingresses
  - jobs
  - limitranges
  - namespaces
  - nodes
  - pods
  - pods/log
  - pods/exec
  - persistentvolumes
  - persistentvolumeclaims
  - resourcequotas
  - replicasets
  - replicationcontrollers
  - serviceaccounts
  - services
  - statefulsets
  - storageclasses
  - clusterroles
  - roles
  verbs:
  - get
  - watch
  - list
- nonResourceURLs: ["*"]
  verbs:
  - get
  - watch
  - list
# "create" on pods/exec lets members run commands inside containers,
# so the role is read-only for API objects but not for the workloads themselves
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
EOF
Let's create a configuration for the ClusterRoleBinding:
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
# subjects is a list; the group name is "<org>:<team>" as the Dex GitHub connector emits it
- kind: Group
  name: "super-org:team-red"
  apiGroup: rbac.authorization.k8s.io
EOF
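To see what the ClusterRole and ClusterRoleBinding above actually grant to a member of super-org:team-red, the following Python is an added example (not code from the article or from Kubernetes) that transcribes the three rules of cluster-read-all and evaluates requests against them the way the RBAC authorizer does: a request is allowed if any rule of any role bound to one of the user's groups matches the verb and either the apiGroup/resource pair or the non-resource path. The rules, the binding and the sample requests are constructed from this page's YAML; resourceNames and prefix-style nonResourceURLs such as "/api/*" are not modelled.

```python
# The three rules of the cluster-read-all ClusterRole, transcribed from this page.
CLUSTER_READ_ALL_RULES = [
    {
        "apiGroups": ["", "apps", "autoscaling", "batch", "extensions", "policy",
                      "rbac.authorization.k8s.io", "storage.k8s.io"],
        "resources": ["componentstatuses", "configmaps", "cronjobs", "daemonsets",
                      "deployments", "events", "endpoints", "horizontalpodautoscalers",
                      "ingress", "ingresses", "jobs", "limitranges", "namespaces",
                      "nodes", "pods", "pods/log", "pods/exec", "persistentvolumes",
                      "persistentvolumeclaims", "resourcequotas", "replicasets",
                      "replicationcontrollers", "serviceaccounts", "services",
                      "statefulsets", "storageclasses", "clusterroles", "roles"],
        "verbs": ["get", "watch", "list"],
    },
    {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]

ROLES = {"cluster-read-all": CLUSTER_READ_ALL_RULES}

# The dex-cluster-auth ClusterRoleBinding: role name -> groups it is bound to.
BINDINGS = {"cluster-read-all": ["super-org:team-red"]}


def _matches(allowed, value):
    """RBAC list match: an explicit "*" entry matches anything."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group=None, resource=None, path=None):
    """A rule matches when the verb matches and either the (apiGroup, resource)
    pair matches or, for non-resource requests, the path matches."""
    if not _matches(rule["verbs"], verb):
        return False
    if path is not None:
        return _matches(rule.get("nonResourceURLs", []), path)
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource))


def is_allowed(groups, verb, api_group=None, resource=None, path=None):
    """Union of all rules from every role bound to one of the caller's groups;
    RBAC has no deny rules, so the first matching rule decides."""
    for role, bound_groups in BINDINGS.items():
        if not set(groups) & set(bound_groups):
            continue
        if any(rule_allows(r, verb, api_group, resource, path) for r in ROLES[role]):
            return True
    return False


def summarize(groups):
    """Constructed sample requests that mirror the kubectl session on this page."""
    return {
        "get pods": is_allowed(groups, "get", "", "pods"),
        "delete pods": is_allowed(groups, "delete", "", "pods"),
        "create pods/exec": is_allowed(groups, "create", "", "pods/exec"),
        "get deployments.apps": is_allowed(groups, "get", "apps", "deployments"),
        "patch deployments.apps": is_allowed(groups, "patch", "apps", "deployments"),
        "get /healthz": is_allowed(groups, "get", path="/healthz"),
    }


if __name__ == "__main__":
    for request, allowed in summarize(["super-org:team-red"]).items():
        print(f"{request:24s} {'allowed' if allowed else 'forbidden'}")
```

Running it for the bound group shows get pods allowed and delete pods forbidden, which is exactly the Forbidden error kubectl prints in the testing section, and it also shows that create on pods/exec is allowed, which is why members can open a shell in a pod even though they cannot modify any object.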
Now we're ready for testing.

Testing

Go to the login page (https://login.k8s.example.com) and log in with your GitHub account:

(Image: login page)

(Image: the login page redirects to GitHub)

(Image: follow the generated instructions to get access)

After copy-pasting from the web page, we can use kubectl to manage our cluster resources:
kubectl get po
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 3d
kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"
And it works: all GitHub users in our organization can view resources and log in to pods, but they have no rights to change them.

Source: www.habr.com