This article was written to expand on an existing one.
In this article I will show you how to install and configure:
- Keycloak, an open-source project that provides a single entry point for applications. It works with a variety of protocols, including the two we are interested in here, LDAP and OpenID.
- keycloak-gatekeeper, a reverse-proxy application that lets you put authorization through Keycloak in front of an application.
- gangway, an application that generates a kubectl config with which you can log in and connect to the Kubernetes API via OpenID.
How authorization works in Kubernetes
We can manage user and group rights with RBAC; plenty has already been written about it, so I will not go into detail. The problem is that RBAC can restrict a user's rights, but Kubernetes itself knows nothing about users. So we need a mechanism for delivering users to Kubernetes. For this we will add an OpenID provider to Kubernetes, which will vouch that such a user really exists, and Kubernetes itself will grant that user rights.
Preparation
- A Kubernetes cluster or minikube
- Active Directory
- Domains:
  keycloak.example.org
  kubernetes-dashboard.example.org
  gangway.example.org
- A certificate for the domain, or a self-signed certificate
I will not go into how to create a self-signed certificate; you need to create 2 certificates: the root one (the Certificate Authority) and a client one for the domain *.example.org.
Once you have obtained or issued the certificates, the client one has to be added to Kubernetes, so we create a secret for it:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem
Later we will use it for our Ingress controller.
Installing Keycloak
I decided the easiest route was a ready-made solution, namely the helm chart.
Add the repository and update it:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
Create a keycloak.yml file with the following content:
keycloak.yml
keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags allow scripts to be uploaded into Keycloak directly through the web UI.
  # We will need this to fix a bug described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable ingress, set the host name and the certificate we stored in secrets earlier
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
      - hosts:
          - keycloak.example.org
        secretName: tls-keycloak
  # Keycloak needs a database; for testing I deploy PostgreSQL directly in Kubernetes. Do not do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres
postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true
Federation setup
Next, go to the web interface.
Click Add realm in the left-hand corner and fill in:
Name: kubernetes
Display name: Kubernetes
Disable user email verification:
Client Scopes -> Email -> Mappers -> Email verified (Delete)
We set up federation to import users from Active Directory; I will leave the screenshots below, I think that makes it clearer.
User Federation -> Add provider... -> ldap
(screenshot: federation settings)
If everything went well, then after clicking the Synchronize all users button you will see a message about the successful import of users.
Next we need to map our groups:
User Federation --> ldap_localhost --> Mappers --> Create
(screenshot: creating the mapper)
Client setup
We need to create a client; in Keycloak terms this is the application that will be authorized through it. I have highlighted the important points in red in the screenshot.
Clients -> Create
(screenshot: client settings)
Let's create a scope for groups:
Client Scopes -> Create
(screenshot: creating the scope)
And set up a mapper for it:
Client Scopes -> groups -> Mappers -> Create
(screenshot: mapper)
Add our groups scope (with its mapper) to the Default Client Scopes:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and click Add selected
Get the secret (and write it down) that we will use for authorization in Keycloak:
Clients -> kubernetes -> Credentials -> Secret
This completes the setup, but I ran into a bug: after a successful authorization I got a 403 error.
The fix:
Client Scopes -> roles -> Mappers -> Create
(screenshot: mapper)
Script code:
// add current client-id to token audience
token.addAudience(token.getIssuedFor());
// return token issuer as dummy result assigned to iss again
token.getIssuer();
Configuring Kubernetes
We need to tell the API server where the root certificate of our domain is and where the OIDC provider is.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml
kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...
Update the kubeadm config in the cluster:
kubeadm-config
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
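As an added illustration (not part of the original article), here is a small Python model of what these flags make kube-apiserver check on every bearer token it receives: the signature, the iss claim against --oidc-issuer-url, the aud claim (which must contain --oidc-client-id; this is the check that the audience script mapper from the Keycloak section satisfies), the expiry, and then the username and groups claims named by --oidc-username-claim and --oidc-groups-claim. The real apiserver verifies RS256 signatures against the realm's published JWKS; signing with HS256 and a shared demo key is an assumption made here only so the block runs offline. The sample claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Values taken from the kube-apiserver flags above.
ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"   # --oidc-issuer-url
CLIENT_ID = "kubernetes"                                          # --oidc-client-id
USERNAME_CLAIM = "email"                                          # --oidc-username-claim
GROUPS_CLAIM = "groups"                                           # --oidc-groups-claim
DEMO_KEY = b"constructed-demo-hmac-key"  # assumption: HS256 stand-in for the realm's RSA key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Produce a compact JWS (HS256) carrying the claims, shaped like an id_token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def authenticate(token: str, key: bytes = DEMO_KEY, now=None):
    """Apply the apiserver's checks; return (username, groups) or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud:
        # Without the audience mapper, Keycloak tokens fail right here.
        raise ValueError("client id not in aud")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    username = claims.get(USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {USERNAME_CLAIM} claim")
    groups = claims.get(GROUPS_CLAIM, [])
    # The apiserver accepts a single string or a list of strings for the groups claim.
    groups = [groups] if isinstance(groups, str) else list(groups)
    return username, groups


# Constructed sample claims (not real tokens); exp is far in the future on purpose.
GOOD_CLAIMS = {"iss": ISSUER, "aud": ["kubernetes", "account"], "exp": 4102444800,
               "email": "alice@example.org", "groups": ["DataOPS"]}
NO_AUD_CLAIMS = dict(GOOD_CLAIMS, aud="account")   # what a token looks like before the mapper fix
WRONG_ISS_CLAIMS = dict(GOOD_CLAIMS, iss="https://keycloak.example.org/auth/realms/other")


def outcome(claims: dict, verify_key: bytes = DEMO_KEY) -> str:
    """Sign the claims with the demo key and report how the apiserver would treat the token."""
    token = sign_token(claims)
    try:
        user, groups = authenticate(token, verify_key)
        return f"accepted user={user} groups={','.join(groups)}"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    for name, claims in [("good", GOOD_CLAIMS), ("no aud", NO_AUD_CLAIMS),
                         ("wrong iss", WRONG_ISS_CLAIMS)]:
        print(f"{name:10s} -> {outcome(claims)}")
```

The username the apiserver ends up with is the raw email claim, so the RBAC subject for a user would be alice@example.org, while the DataOPS group binding shown later matches the groups claim as is.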
auth-proxy setup
You can use keycloak-gatekeeper to protect your web application. Besides authorizing the user before showing the page, this reverse proxy also passes information about the user to the backend application in request headers. So if your application understands OpenID, the user is authorized straight away. Let's look at Kubernetes Dashboard as an example.
Installing Kubernetes Dashboard
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'
Setting up permissions:
Let's create a ClusterRoleBinding that grants cluster administrator rights (the built-in ClusterRole cluster-admin) to users in the DataOPS group.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS
Installing keycloak-gatekeeper:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# Enable ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - kubernetes-dashboard.example.org
# Where we authorize with the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to proxy to after successful authorization. Format: <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if ours is self-signed
skipOpenidProviderTlsVerify: true
# Access rules: allow every path if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"
After that, when you try to go to
Installing gangway
For convenience you can add the gangway service, which generates a configuration file for kubectl with which we log in to Kubernetes as our own user.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups scope we mapped could be added here
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value the user name becomes "First name Second name"; with "sub" it is the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"
  # If we use a self-signed certificate, it (the public root certificate) has to be given here.
  trustedCACert: |-
    -----BEGIN CERTIFICATE-----
    MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwHhcNMjAwMjE0MDkxODAwWhcNMzAwMjE0MDkxODAwWjA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyP749PqqIRwNSqaK6qr0Zsi03G4PTCUlgaYTPZuMrwUVPK8xX2dWWs9MPRMOdXpgr8aSTZnVfmelIlVz4D7o2vK5rfmAe9GPcK0WbwKwXyhFU0flS9sU/g46ogHFrk03SZxQAeJhMLfEmAJm8LF5HghtGDs3t4uwGsB95o+lqPLiBvxRB8ZS3jSpYpvPgXAuZWKdZUQ3UUZf0X3hGLp7uIcIwJ7i4MduOGaQEO4cePeEJy9aDAO6qV78YmHbyh9kaW+1DL/Sgq8NmTgHGV6UOnAPKHTnMKXl6KkyUz8uLBGIdVhPxrlzG1EzXresJbJenSZ+FZqm3oLqZbw54Yp5hAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHISTOU/6BQqqnOZj+1xJfxpjiG0MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAj7HC8ObibwOLT4ZYmISJZwub9lcE0AZ5cWkPW39j/syhdbbqjK/6jy2D3WUEbR+s1Vson5Ov7JhN5In2yfZ/ByDvBnoj7CP8Q/ZMjTJgwN7j0rgmEb3CTZvnDPAz8Ijw3FP0cjxfoZ1Z0V2F44Ry7gtLJWr06+MztXVyto3aIz1/XbMQnXYlzc3c3B5yUQIy44Ce5aLRVsAjmXNqVRmDJ2QPNLicvrhnUJsO0zFWI+zZ2hc4Ge1RotCrjfOc9hQY63jZJ17myCZ6QCD7yzMzAob4vrgmkD4q7tpGrhPY/gDcE+lUNhC7DO3l0oPy2wsnT2TEn87eyWmDiTFG9zWDew==
    -----END CERTIFICATE-----
# Enable Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
    - gangway.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - gangway.example.org
That is about it. It lets you download the config file straight away, or create it yourself with a set of commands:
source: www.habr.com