Ik presintearje jo oandacht in tutorial foar it generearjen fan tagong ta in Kubernetes-kluster mei Dex, dex-k8s-authenticator en GitHub.
Lokale meme fan 'e Russysktalige Kubernetes chat yn
Ynlieding
Wy brûke Kubernetes om dynamyske omjouwings te meitsjen foar it ûntwikkeling- en QA-team. Dat wy wolle har tagong jaan ta it kluster foar sawol it dashboard as kubectl. Oars as OpenShift hat vanilla Kubernetes gjin native autentikaasje, dus wy brûke hjirfoar ark fan tredden.
Yn dizze konfiguraasje brûke wy:
- - webapplikaasje foar it generearjen fan kubectl-konfiguraasje
- - OpenID Connect provider
- GitHub - gewoan om't wy GitHub brûke yn ús bedriuw
Wy besochten Google OIDC te brûken, mar spitigernôch wy om se mei groepen te begjinnen, dus de yntegraasje mei GitHub paste ús aardich goed. Sûnder groepmapping sil it net mooglik wêze om RBAC-belied te meitsjen basearre op groepen.
Dus, hoe wurket ús Kubernetes-autorisaasjeproses yn in fisuele foarstelling:
Autorisaasjeproses
In bytsje mear detail en punt foar punt:
- Brûker logt yn by dex-k8s-authenticator (
login.k8s.example.com) - dex-k8s-authenticator stjoert it fersyk troch nei Dex (
dex.k8s.example.com) - Dex ferwiist nei de GitHub-oanmeldside
- GitHub genereart de nedige autorisaasjeynformaasje en jout it werom nei Dex
- Dex jout de ûntfongen ynformaasje troch oan dex-k8s-authenticator
- De brûker krijt in OIDC-token fan GitHub
- dex-k8s-authenticator foeget token ta oan kubeconfig
- kubectl jout it token troch oan KubeAPIServer
- KubeAPIServer jout tagongen werom nei kubectl basearre op it trochjûn token
- De brûker krijt tagong fan kubectl
Tariedende aksjes
Fansels hawwe wy al in Kubernetes-kluster ynstalleare (k8s.example.com), en komt ek mei HELM foarôf ynstalleare. Wy hawwe ek in organisaasje op GitHub (super-org).
As jo gjin HELM hawwe, ynstallearje it dan .
Earst moatte wy GitHub ynstelle.
Gean nei de organisaasje ynstellings side, (https://github.com/organizations/super-org/settings/applications) en meitsje in nije applikaasje (Authorized OAuth App):
In nije applikaasje oanmeitsje op GitHub
Folje de fjilden yn mei de nedige URL's, bygelyks:
- Homepage URL:
https://dex.k8s.example.com - Autorisaasje callback URL:
https://dex.k8s.example.com/callback
Wês foarsichtich mei keppelings, it is wichtich om slashes net te ferliezen.
As antwurd op in ynfold formulier sil GitHub generearje Client ID и Client secret, hâld se op in feilich plak, se sille nuttich wêze foar ús (wy brûke bygelyks foar it opslaan fan geheimen):
Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1
Tariede DNS-records foar subdomeinen login.k8s.example.com и dex.k8s.example.com, lykas SSL-sertifikaten foar yngong.
Litte wy SSL-sertifikaten oanmeitsje:
cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: cert-auth-dex
namespace: kube-system
spec:
secretName: cert-auth-dex
dnsNames:
- dex.k8s.example.com
acme:
config:
- http01:
ingressClass: nginx
domains:
- dex.k8s.example.com
issuerRef:
name: le-clusterissuer
kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: cert-auth-login
namespace: kube-system
spec:
secretName: cert-auth-login
dnsNames:
- login.k8s.example.com
acme:
config:
- http01:
ingressClass: nginx
domains:
- login.k8s.example.com
issuerRef:
name: le-clusterissuer
kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system
ClusterIssuer mei titel le-clusterissuer soe al bestean moatte, mar as net, meitsje it dan mei HELM:
helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: le-clusterissuer
namespace: kube-system
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: le-clusterissuer
http01: {}
EOFKubeAPIServer konfiguraasje
Foar kubeAPIServer om te wurkjen, moatte jo OIDC konfigurearje en it kluster bywurkje:
kops edit cluster
...
kubeAPIServer:
anonymousAuth: false
authorizationMode: RBAC
oidcClientID: dex-k8s-authenticator
oidcGroupsClaim: groups
oidcIssuerURL: https://dex.k8s.example.com/
oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yesWy brûke foar it ynsetten fan klusters, mar dit wurket ek foar .
Dex-konfiguraasje en dex-k8s-authenticator
Foar Dex om te wurkjen, moatte jo in sertifikaat en in kaai hawwe fan 'e Kubernetes-master, litte wy it dêrwei krije:
sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----Litte wy it dex-k8s-authenticator repository klonearje:
git clone [email protected]:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/Mei weardenbestannen kinne wy fariabelen fleksibel konfigurearje foar ús .
Litte wy de konfiguraasje foar Dex beskriuwe:
cat << EOF > values-dex.yml
global:
deployEnv: prod
tls:
certificate: |-
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
key: |-
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
path: /
hosts:
- dex.k8s.example.com
tls:
- secretName: cert-auth-dex
hosts:
- dex.k8s.example.com
serviceAccount:
create: true
name: dex-auth-sa
config: |
issuer: https://dex.k8s.example.com/
storage: # https://github.com/dexidp/dex/issues/798
type: sqlite3
config:
file: /var/dex.db
web:
http: 0.0.0.0:5556
frontend:
theme: "coreos"
issuer: "Example Co"
issuerUrl: "https://example.com"
logoUrl: https://example.com/images/logo-250x25.png
expiry:
signingKeys: "6h"
idTokens: "24h"
logger:
level: debug
format: json
oauth2:
responseTypes: ["code", "token", "id_token"]
skipApprovalScreen: true
connectors:
- type: github
id: github
name: GitHub
config:
clientID: $GITHUB_CLIENT_ID
clientSecret: $GITHUB_CLIENT_SECRET
redirectURI: https://dex.k8s.example.com/callback
orgs:
- name: super-org
teams:
- team-red
staticClients:
- id: dex-k8s-authenticator
name: dex-k8s-authenticator
secret: generatedLongRandomPhrase
redirectURIs:
- https://login.k8s.example.com/callback/
envSecrets:
GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF
En foar dex-k8s-authenticator:
cat << EOF > values-auth.yml
global:
deployEnv: prod
dexK8sAuthenticator:
clusters:
- name: k8s.example.com
short_description: "k8s cluster"
description: "Kubernetes cluster"
issuer: https://dex.k8s.example.com/
k8s_master_uri: https://api.k8s.example.com
client_id: dex-k8s-authenticator
client_secret: generatedLongRandomPhrase
redirect_uri: https://login.k8s.example.com/callback/
k8s_ca_pem: |
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
path: /
hosts:
- login.k8s.example.com
tls:
- secretName: cert-auth-login
hosts:
- login.k8s.example.com
EOFYnstallearje Dex en dex-k8s-authenticator:
helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticatorLitte wy de funksjonaliteit fan 'e tsjinsten kontrolearje (Dex moat koade 400 weromjaan, en dex-k8s-authenticator moat koade 200 weromjaan):
curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200RBAC konfiguraasje
Wy meitsje in ClusterRole foar de groep, yn ús gefal mei allinich-lês tagong:
cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-read-all
rules:
-
apiGroups:
- ""
- apps
- autoscaling
- batch
- extensions
- policy
- rbac.authorization.k8s.io
- storage.k8s.io
resources:
- componentstatuses
- configmaps
- cronjobs
- daemonsets
- deployments
- events
- endpoints
- horizontalpodautoscalers
- ingress
- ingresses
- jobs
- limitranges
- namespaces
- nodes
- pods
- pods/log
- pods/exec
- persistentvolumes
- persistentvolumeclaims
- resourcequotas
- replicasets
- replicationcontrollers
- serviceaccounts
- services
- statefulsets
- storageclasses
- clusterroles
- roles
verbs:
- get
- watch
- list
- nonResourceURLs: ["*"]
verbs:
- get
- watch
- list
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
EOFLitte wy in konfiguraasje meitsje foar ClusterRoleBinding:
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: dex-cluster-auth
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-read-all
subjects:
kind: Group
name: "super-org:team-red"
EOFNo binne wy klear foar testen.
Tests
Gean nei de ynlogside (https://login.k8s.example.com) en oanmelde mei jo GitHub-akkount:
Oanmelde side
Oanmelde side omlaat nei GitHub
Folgje de oanmakke ynstruksjes om tagong te krijen
Nei it kopiearjen-plakken fan 'e webside kinne wy kubectl brûke om ús klusterboarnen te behearjen:
kubectl get po
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 3d
kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"
En it wurket, alle GitHub-brûkers yn ús organisaasje kinne boarnen sjen en oanmelde by pods, mar se hawwe gjin rjochten om se te feroarjen.
Boarne: www.habr.com