Kubernetes authentication with GitHub OAuth and Dex

I present to your attention a tutorial on generating access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

[Image: Meme from the Russian-speaking Kubernetes community chat on Telegram]

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster both through the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes has no native authentication, so we use third-party tools for this.

In this setup we use:

  • dex-k8s-authenticator - a web application for generating the kubectl config
  • Dex - an OpenID Connect provider
  • GitHub - simply because we use GitHub in our company

We tried to use Google OIDC, but unfortunately we could not get it working with groups, so the GitHub integration suited us well. Without group mapping it is impossible to create group-based RBAC policies.

So, this is how our Kubernetes authorization process works, shown visually:

[Image: Authorization scheme]

In a little more detail, point by point:

  1. The user logs in to dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub generates the required authorization data and returns it to Dex
  5. Dex passes the received data to dex-k8s-authenticator
  6. The user receives an OIDC token from GitHub
  7. dex-k8s-authenticator adds the token to the kubeconfig
  8. kubectl sends the token to the KubeAPIServer
  9. The KubeAPIServer returns access to kubectl based on the supplied token
  10. The user gets access through kubectl

Preparation

Of course, we already have a Kubernetes cluster (k8s.example.com) with Helm pre-installed. We also have an organization on GitHub (super-org).
If you don't have Helm, installing it is very simple.

First we need to configure GitHub.

Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
[Image: Creating a new application on GitHub]

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the links; it is important not to lose the slash.

When the form is submitted, GitHub will generate a Client ID and Client secret; store them in a safe place, they will be useful to us (for example, we use vault to store secrets):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

The ClusterIssuer named le-clusterissuer should already exist, but if it does not, create it using Helm:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

KubeAPIServer configuration

For the kubeAPIServer to accept the tokens, you need to configure OIDC and update the cluster:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy the cluster, but this works the same way with other cluster managers.
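To show what the four oidc* settings above actually make the API server check, here is an added example (not from the article, kops, Dex or Kubernetes itself) that validates an ID token the way the kube-apiserver OIDC authenticator does: signature, exact issuer match (so the trailing slash in oidcIssuerURL matters), client ID in the audience, expiry, the email username claim and the groups claim. It assumes a shared HMAC key (HS256) as a stand-in for Dex's RSA keys, which the real API server fetches from the JWKS endpoint; the token claims are constructed to look like what Dex's GitHub connector issues.

```python
# Added example: mimic the kube-apiserver OIDC token checks for the kops
# settings in this article.  Not the API server's code; HS256 with a shared
# key stands in for Dex's RS256 keys fetched over JWKS.
import base64
import hashlib
import hmac
import json
import time

# Values from the kubeAPIServer block above.
OIDC_ISSUER_URL = "https://dex.k8s.example.com/"
OIDC_CLIENT_ID = "dex-k8s-authenticator"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"

# Assumption: constructed demo key, not a real Dex signing key.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-a-real-dex-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_SIGNING_KEY) -> str:
    """Build a compact JWT (header.payload.signature) over the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def authenticate(token, now=None, key=DEMO_SIGNING_KEY):
    """Return {"username", "groups"} for a valid token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or a downgraded alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # oidcIssuerURL is compared as an exact string, so "https://dex.k8s.example.com"
    # (no trailing slash) is a different issuer and is rejected.
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])  # may be a string or a list
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        raise ValueError("missing username claim")
    # With oidcUsernameClaim=email, a present-but-false email_verified is rejected.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        raise ValueError("email not verified")
    groups = claims.get(OIDC_GROUPS_CLAIM) or []
    return {"username": username, "groups": list(groups)}


def rejection_reason(token, now=None):
    """Return the error message for a rejected token, or None if it is accepted."""
    try:
        authenticate(token, now=now)
    except ValueError as err:
        return str(err)
    return None


def demo_token(now=None, **overrides):
    """Constructed claims shaped like those Dex's github connector issues."""
    now = time.time() if now is None else now
    claims = {
        "iss": OIDC_ISSUER_URL,
        "aud": OIDC_CLIENT_ID,
        "sub": "constructed-subject-id",
        "exp": int(now) + 24 * 3600,  # idTokens: "24h" in the Dex config
        "email": "user@example.com",
        "email_verified": True,
        "groups": ["super-org:team-red"],  # Dex's github connector emits org:team
    }
    claims.update(overrides)
    return mint_token(claims)


if __name__ == "__main__":
    print(authenticate(demo_token()))
    for bad in ({"iss": "https://dex.k8s.example.com"}, {"aud": "other-app"}, {"exp": 0}):
        print("rejected:", rejection_reason(demo_token(**bad)))
```

The group name in the token, super-org:team-red, is the string the ClusterRoleBinding later in the article binds to; the API server passes it through unchanged because no oidcGroupsPrefix is configured.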

Configuring Dex and dex-k8s-authenticator

For Dex to work, you need the certificate and key from the Kubernetes master; let's fetch them from there:

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Let's clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using values files, we can set the variables for our Helm charts.

Let's describe the Dex configuration:

cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

And for dex-k8s-authenticator:

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Let's check that the services are up (Dex should return code 400, and dex-k8s-authenticator should return code 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

We create a ClusterRole for the team, in our case with read-only access:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Let's create the configuration for the ClusterRoleBinding:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  # subjects is a list; the group name is "<org>:<team>" as issued by Dex's GitHub connector
  - kind: Group
    name: "super-org:team-red"
    apiGroup: rbac.authorization.k8s.io
EOF
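To check what the ClusterRole and ClusterRoleBinding above grant to a member of super-org:team-red before touching a cluster, here is an added example (not from the article or from Kubernetes) that evaluates the same rules the way RBAC does: a request is allowed if any rule of any role bound to one of the user's groups matches its verb and resource (or non-resource path). The role rules and the binding are transcribed from the manifests above; the user name and the second team name are constructed, and resource matching is simplified to exact names and "*".

```python
# Added example: a minimal RBAC evaluator for the cluster-read-all role and
# dex-cluster-auth binding in this article.  Not Kubernetes code; resource
# matching is simplified to exact names and "*".

# The PolicyRules of cluster-read-all, transcribed from the manifest above.
CLUSTER_ROLES = {
    "cluster-read-all": [
        {
            "apiGroups": ["", "apps", "autoscaling", "batch", "extensions",
                          "policy", "rbac.authorization.k8s.io", "storage.k8s.io"],
            "resources": ["componentstatuses", "configmaps", "cronjobs", "daemonsets",
                          "deployments", "events", "endpoints", "horizontalpodautoscalers",
                          "ingress", "ingresses", "jobs", "limitranges", "namespaces",
                          "nodes", "pods", "pods/log", "pods/exec", "persistentvolumes",
                          "persistentvolumeclaims", "resourcequotas", "replicasets",
                          "replicationcontrollers", "serviceaccounts", "services",
                          "statefulsets", "storageclasses", "clusterroles", "roles"],
            "verbs": ["get", "watch", "list"],
        },
        {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ]
}

# The binding above: the GitHub team, named org:team by Dex, gets the role.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "cluster-read-all",
     "subjects": [{"kind": "Group", "name": "super-org:team-red"}]},
]


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def _url_matches(patterns, path):
    for pattern in patterns:
        if pattern == "*" or pattern == path:
            return True
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            return True
    return False


def rule_allows(rule, request):
    """Evaluate one PolicyRule against one request dict."""
    if not _matches(rule.get("verbs", []), request["verb"]):
        return False
    if "nonResourceURLs" in rule:  # e.g. GET /healthz; never matches API resources
        return "path" in request and _url_matches(rule["nonResourceURLs"], request["path"])
    if "resource" not in request:
        return False
    return (_matches(rule.get("apiGroups", []), request.get("apiGroup", ""))
            and _matches(rule.get("resources", []), request["resource"]))


def subject_matches(subject, username, groups):
    if subject["kind"] == "User":
        return subject["name"] == username
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False


def can_i(username, groups, verb, resource=None, api_group="", path=None):
    """True if any role bound to the user or one of their groups permits the request."""
    request = {"verb": verb}
    if resource is not None:
        request["resource"], request["apiGroup"] = resource, api_group
    if path is not None:
        request["path"] = path
    for binding in CLUSTER_ROLE_BINDINGS:
        if not any(subject_matches(s, username, groups) for s in binding["subjects"]):
            continue
        if any(rule_allows(rule, request) for rule in CLUSTER_ROLES[binding["roleRef"]]):
            return True
    return False


if __name__ == "__main__":
    me, teams = "user@example.com", ["super-org:team-red"]  # constructed identity
    print("list pods          ->", can_i(me, teams, "list", "pods"))
    print("delete pods        ->", can_i(me, teams, "delete", "pods"))
    print("exec into pods     ->", can_i(me, teams, "create", "pods/exec"))
    print("list deployments   ->", can_i(me, teams, "list", "deployments", api_group="apps"))
    print("list secrets       ->", can_i(me, teams, "list", "secrets"))
    print("get /healthz       ->", can_i(me, teams, "get", path="/healthz"))
    print("other team, pods   ->", can_i(me, ["super-org:team-blue"], "list", "pods"))
```

Against a real cluster the same questions are answered with kubectl impersonation, for example kubectl auth can-i delete pods --as=user@example.com --as-group=super-org:team-red, which exercises the API server's own RBAC rather than this model. Note that the role deliberately omits secrets, and that pods/exec with the create verb is what lets team members enter a pod even though the rest of the role is read-only.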

Now we are ready for testing.

Tests

Go to the login page (https://login.k8s.example.com) and log in with a GitHub account:

[Image: Login page]

[Image: Login page redirected to GitHub]

[Image: Follow the generated instructions to get access]

After copy-pasting the instructions from the web page, we can use kubectl to manage our resources:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: all GitHub users in our organization can see resources and exec into pods, but have no rights to change them.

source: www.habr.com
