Binding ActiveDirectory authorization to Kubernetes using Keycloak

This article was written as an extension of an existing one, but it covers the specifics of integrating with Microsoft ActiveDirectory and complements that article.

In this article I will show how to install and configure:

  • Keycloak is an open-source project that provides a single sign-on entry point for applications. It works with many protocols, including LDAP and OpenID, which are the ones we are interested in.
  • keycloak-gatekeeper - a reverse-proxy application that lets you put authorization through Keycloak in front of any application.
  • gangway - an application that generates a config for kubectl, with which you can log in and connect to the Kubernetes API via OpenID.

How authorization works in Kubernetes.

We can manage user and group rights with RBAC; plenty of articles have been written about it already, so I will not go into it in detail. The problem is that RBAC lets you restrict a user's rights, but Kubernetes itself knows nothing about users. So we need a mechanism for delivering users into Kubernetes. For this we add an OpenID provider to Kubernetes, which will vouch that a given user really exists, and Kubernetes itself will then grant that user rights.

Preparation

  • You need a Kubernetes cluster or minikube
  • Active Directory
  • Domains:
    keycloak.example.org
    kubernetes-dashboard.example.org
    gangway.example.org
  • A certificate for the domain, or a self-signed certificate

I will not go into how to create a self-signed certificate; you need to create 2 certificates: a root one (the Certificate Authority) and a client one for the wildcard domain *.example.org

After you have received / issued the certificates, the client certificate must be added to Kubernetes; for this we create a secret from it:

kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem

Next, we will use it for our Ingress controller.

Installing Keycloak

I decided that the simplest way is to use a ready-made solution for this, namely the helm chart.

Add the repository and update it:

helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create a keycloak.yml file with the following content:

keycloak.yml

keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags are needed to allow uploading scripts into Keycloak directly through the web UI.
  # We will need this to fix a bug that is described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable ingress, specify the hostname and the certificate we saved to secrets earlier
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
    - hosts:
        - keycloak.example.org
      secretName: tls-keycloak
  # Keycloak needs a database to work; for testing I deploy PostgreSQL directly in Kubernetes. Do not do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres

postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true

Configuring federation

Next, go to the web interface at keycloak.example.org

Click Add realm in the top left corner

Key           Value
Name          kubernetes
Display name  Kubernetes

Disable user email verification:
Client Scopes -> Email -> Mappers -> Email verified (Delete)

We set up federation to import users from ActiveDirectory; I will leave screenshots below, I think that will be clearer.

User Federation -> Add provider... -> ldap

[Screenshot: federation settings]

If everything went well, then after clicking the Synchronize all users button you will see a message about the successful import of users.

Next we need to map our groups

User Federation --> ldap_localhost --> Mappers --> Create

[Screenshot: creating the mapper]

Configuring the client

We need to create a client; in Keycloak terms this is the application that will be authorized through it. I have highlighted the important points in the screenshot in red.

Clients -> Create

[Screenshot: client settings]

Let's create a scope for groups:

Client Scopes -> Create

[Screenshot: creating the scope]

And set up a mapper for them:

Client Scopes -> groups -> Mappers -> Create

[Screenshot: mapper]

Add our groups mapper to the Default Client Scopes:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes, press Add selected

Get the secret (and write it down) that we will use for authorization in Keycloak:

Clients -> kubernetes -> Credentials -> Secret
This completes the setup, but I ran into a bug: after a successful authorization I got a 403 error. Bug report.

Fix:

Client Scopes -> roles -> Mappers -> Create

[Screenshot: mapper]

Script code

// add current client-id to token audience
token.addAudience(token.getIssuedFor());

// return token issuer as dummy result assigned to iss again
token.getIssuer();

Configuring Kubernetes

We need to tell the API server where the root certificate for our site is, and where the OIDC provider is.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml

kube-apiserver.yaml


...
spec:
  containers:
  - command:
    - kube-apiserver
...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...

Update the kubeadm config in the cluster:

kubeadmconfig

kubectl edit -n kube-system configmaps kubeadm-config


...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...

Configuring auth-proxy

You can use keycloak-gatekeeper to protect your web application. Besides the fact that this reverse proxy will authorize the user before showing the page, it will also pass information about the user to the backend application in headers. So if your application supports OpenID, the user is logged in immediately. Let's look at the Kubernetes Dashboard as an example.

Installing Kubernetes Dashboard


helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml

values_dashboard.yaml

enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'

Configuring rights:

Let's create a ClusterRoleBinding that grants cluster administrator rights (the standard ClusterRole cluster-admin) to users in the DataOPS group.


kubectl apply -f rbac.yaml

rbac.yaml


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS
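How the API server turns an ID token into a user, as an added example that is not part of the article: a Python sketch of the claim checks that the --oidc-* flags above configure, the "client id in aud" check that the script mapper fix earlier satisfies, and the group match that this ClusterRoleBinding performs. Signature verification against the provider's keys is left out, and every token and claim value is constructed.

```python
import base64
import json
import time

# Constructed values mirroring the --oidc-* flags in kube-apiserver.yaml above
ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"
CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims):
    """Build a JWT with an empty signature: constructed test data only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + b64url_encode(json.dumps(claims).encode()) + "."


def map_token_to_user(token, now=None):
    """Apply the claim checks the API server flags configure.

    Signature verification (done by the real components against the
    provider's JWKS) is deliberately left out of this sketch.
    Returns {"username": ..., "groups": [...]} or raises ValueError.
    """
    now = int(time.time()) if now is None else now
    claims = json.loads(b64url_decode(token.split(".")[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud:  # what the audience script mapper fixes
        raise ValueError("client id not in aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    username = claims.get(USERNAME_CLAIM)
    if not username:
        raise ValueError("missing %s claim" % USERNAME_CLAIM)
    return {"username": username, "groups": list(claims.get(GROUPS_CLAIM, []))}


def allowed_by_binding(user, bound_group="DataOPS"):
    """The Group subject in rbac.yaml matches any token carrying that group."""
    return bound_group in user["groups"]
```

A token whose aud only carries Keycloak's default "account" audience is rejected before any RBAC lookup happens, which is the failure the audience mapper above works around.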

Installing keycloak-gatekeeper:


helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml

values_proxy.yaml



# Enable ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
   - secretName: tls-keycloak
     hosts:
       - kubernetes-dashboard.example.org

# Where we authenticate with the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to forward requests after successful authorization. Format <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if we use a self-signed one
skipOpenidProviderTlsVerify: true
# Access rules: allow all paths if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"

After this, when we try to open kubernetes-dashboard.example.org, we are redirected to Keycloak, and after a successful authorization we land on the Dashboard already logged in.

Installing gangway

For convenience, you can add gangway, which generates a config file for kubectl; with it we can log in to Kubernetes as our own user.


helm install --name gangway stable/gangway -f values_gangway.yaml

values_gangway.yaml


gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups we mapped could be added here
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value the username becomes "First name Second name"; with "sub" it is the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"

# Enable Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
  - gangway.example.org
  tls:
  - secretName: tls-keycloak
    hosts:
      - gangway.example.org

# If we use a self-signed certificate, it (the public root certificate) must be specified here.
trustedCACert: |-
 -----BEGIN CERTIFICATE-----
 <root certificate body omitted>
 -----END CERTIFICATE-----

That seems to be it. It lets you download the config file right away, or create it with the provided set of commands:

[Screenshot: gangway page]

source: www.habr.com
