Kubernetes authentication with GitHub OAuth and Dex
I'd like to share a tutorial on giving people access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.
[Image: a local meme from the Russian-speaking Kubernetes chat on Telegram]
Introduction
We use Kubernetes to build dynamic environments for the development and QA teams, so we want to give them access to the cluster, both through the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes does not ship an identity provider of its own: the API server can validate OIDC tokens, but something else has to issue them. That is why we use third-party tools for this.
GitHub: simply because we already use GitHub in our company.
We tried Google OIDC first, but unfortunately we could not get it to work with groups, so integration with GitHub suited us very well. Without group mapping it is impossible to write RBAC policies based on groups.
So, here is how our Kubernetes authorization scheme works, shown visually:
[Image: authorization scheme]
In more detail, step by step:
The user opens dex-k8s-authenticator (login.k8s.example.com)
dex-k8s-authenticator redirects the request to Dex (dex.k8s.example.com)
Dex redirects the user to the GitHub login page
GitHub generates the required authorization data (an OAuth2 code, which Dex exchanges for the user's profile and team membership) and returns it to Dex
Dex passes the result back to dex-k8s-authenticator
The user receives an OIDC ID token; note that it is issued and signed by Dex, not by GitHub (GitHub is a plain OAuth2 provider, Dex is what turns the GitHub login into an OIDC token)
dex-k8s-authenticator shows the user how to add the token to kubeconfig
kubectl sends the token to KubeAPIServer with every request
KubeAPIServer verifies the token signature against Dex's published keys, takes the username and groups from the token claims and applies RBAC to decide what kubectl may do
The user gets access from kubectl
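The configuration that wires these steps together, as an added example that is not part of the original article: a Dex config with the GitHub connector and a static client entry for dex-k8s-authenticator, followed by the OIDC flags on kube-apiserver. The host names and the organization name super-org come from the article; the client id, the secret placeholders, the team name developers, the dex-k8s-authenticator callback path and the CA file path are assumptions.

```yaml
# Dex configuration (config.yaml). Added example; hostnames and the org name
# come from the article, the team, client id, secrets and paths are assumed.
issuer: https://dex.k8s.example.com

storage:
  type: kubernetes          # Dex keeps its state in CRDs inside the cluster
  config:
    inCluster: true

web:
  http: 0.0.0.0:5556        # put TLS termination in front of this (ingress)

connectors:
- type: github
  id: github
  name: GitHub
  config:
    # Values from the OAuth application registered in GitHub.
    # Dex expands $ENV references, so the secret can come from the environment
    # (for example injected from Vault) instead of being written into the file.
    clientID: $GITHUB_CLIENT_ID
    clientSecret: $GITHUB_CLIENT_SECRET
    # Must match the Authorization callback URL registered in GitHub.
    redirectURI: https://dex.k8s.example.com/callback
    # Only members of this organization may log in. Team memberships are
    # emitted in the "groups" claim of the ID token as "<org>:<team>".
    orgs:
    - name: super-org
      teams:
      - developers          # assumed team name

# dex-k8s-authenticator is the OIDC client that Dex issues ID tokens to;
# its id must equal --oidc-client-id on the API server.
staticClients:
- id: dex-k8s-authenticator
  name: dex-k8s-authenticator
  secret: REPLACE-WITH-A-RANDOM-SECRET     # assumption: generate one
  redirectURIs:
  - https://login.k8s.example.com/callback/  # assumed path

oauth2:
  skipApprovalScreen: true
---
# Fragment of the kube-apiserver static pod manifest
# (/etc/kubernetes/manifests/kube-apiserver.yaml on kubeadm clusters, assumed):
# trust ID tokens issued by Dex for the dex-k8s-authenticator client.
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --oidc-issuer-url=https://dex.k8s.example.com
    - --oidc-client-id=dex-k8s-authenticator
    - --oidc-username-claim=email
    - --oidc-groups-claim=groups
    - --oidc-ca-file=/etc/kubernetes/pki/dex-ca.pem   # only if Dex uses a private CA
```

Two checks worth doing once this is in place. First, the API server trusts the username claim as-is, so if the cluster also has other users it is safer to add `--oidc-username-prefix=` (for example `oidc:`) so an e-mail address minted by the identity provider can never collide with a built-in or certificate-based user name. Second, `--oidc-issuer-url` must be served over HTTPS and must equal the `iss` claim in the token byte for byte (no trailing slash differences), otherwise every token is rejected with an opaque "Unauthorized".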
Preparation
Naturally, we already have a Kubernetes cluster (k8s.example.com) with HELM installed on it. We also have an organization on GitHub (super-org).
If you do not have HELM yet, installing it is very easy.
In the GitHub OAuth application settings, the Authorization callback URL is: https://dex.k8s.example.com/callback
Be careful with this link: it is important not to lose the slash. GitHub refuses to redirect to a redirect_uri that does not match the registered callback URL, and the login flow fails before Dex ever sees the user.
Once the form is completed, GitHub generates a Client ID and a Client secret. Save them somewhere safe; we will need them later (we, for example, keep secrets in Vault):
Go to the login page (https://login.k8s.example.com) and sign in with your GitHub account:
[Image: login page]
[Image: the login page redirected to GitHub]
Follow the instructions shown on the page to obtain access.
After copy-pasting the commands from the web page, we can use kubectl to manage our resources:
kubectl get po
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 3d
kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"
And it works: every GitHub user in our organization can see the resources and exec into pods, but has no rights to change them.
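The RBAC objects that produce exactly this behaviour, added here as an example rather than taken from the article: a cluster-wide read-only role that also allows exec, bound to a GitHub team. The group name super-org:developers assumes a team called developers; Dex's GitHub connector emits group names as org:team, which is what the API server sees in the groups claim.

```yaml
# Added example. Read-only access plus exec/port-forward, no write verbs at all,
# so "kubectl delete po mypod" is denied exactly as shown above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: github-developer-readonly
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "endpoints", "events", "namespaces", "configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  # exec and port-forward are subresources opened with POST, hence the verb is "create"
  resources: ["pods/exec", "pods/portforward"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: github-developers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: github-developer-readonly
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: "super-org:developers"   # assumed team; Dex emits "<org>:<team>"
```

You can confirm the decision without a real token by impersonating the OIDC identity: `kubectl auth can-i delete pods --as=<user email> --as-group=super-org:developers` should answer "no", and `kubectl auth can-i create pods/exec ...` "yes". Two caveats a reviewer would raise. The binding is deliberately to a GitHub team and not to system:authenticated: every service account in the cluster is also a member of system:authenticated, so binding that group would hand this role to all workloads. And pods/exec is not really read-only, since anyone who can exec inherits whatever the container and its service account can do; keep exec out of this role for namespaces that run privileged or sensitive workloads.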