Ua kākau ʻia kēia ʻatikala e hoʻonui i ka mua , akā kamaʻilio e pili ana i nā hiʻohiʻona o ka puʻupuʻu me Microsoft ActiveDirectory, a hoʻohui pū iā ia.
Ma kēia ʻatikala e haʻi wau iā ʻoe pehea e hoʻouka ai a hoʻonohonoho:
- ʻahu kī he papahana kumu hāmama. Hāʻawi ia i kahi helu komo no nā noi. Hana me nā protocols he nui, me LDAP a me OpenID a mākou e makemake ai.
- kiaʻi puka kī - Reverse Proxy Application e hiki ai iā ʻoe ke hoʻohui i ka ʻae ma o Keycloak.
- alahele - he palapala noi e hoʻopuka ana i ka config no kubectl e hiki ai iā ʻoe ke komo a hoʻopili i ka Kubernetes API ma o OpenID.
Pehea e hana ai nā ʻae ma Kubernetes.
Hiki iā mākou ke hoʻokele i nā kuleana o ka mea hoʻohana / hui me ka hoʻohana ʻana iā RBAC, ua hana ʻia kahi pūʻulu o nā ʻatikala e pili ana i kēia, ʻaʻole wau e noʻonoʻo i kēia. ʻO ka pilikia, hiki iā ʻoe ke hoʻohana i ka RBAC e kaupalena i nā kuleana mea hoʻohana, akā ʻaʻole ʻike ʻo Kubernetes i kekahi mea e pili ana i nā mea hoʻohana. ʻIke ʻia e pono mākou i kahi mīkini lawe mea hoʻohana ma Kubernetes. No ka hana ʻana i kēia, e hoʻohui mākou i kahi mea hoʻolako iā Kuberntes OpenID, ka mea e ʻōlelo ai aia maoli kēlā mea hoʻohana, a ʻo Kubernetes ponoʻī e hāʻawi iā ia i nā kuleana.
ʻO ka hoʻomākaukauʻana
- Pono ʻoe i kahi hui Kubernetes a i ʻole minikube
- Kuhikuhi Kuhi
- Nā kāʻei kapu:
keycloak.example.org
kubernetes-dashboard.example.org
gangway.example.org - Palapala no nā kāʻei kua a i ʻole palapala hōʻailona pūlima
ʻAʻole wau e noʻonoʻo pehea e hana ai i kahi palapala hōʻoia ponoʻī, pono ʻoe e hana i nā palapala 2, ʻo ia ke kumu (Certificate Authority) a me ka mea kūʻai aku wildcard no ka *.example.org domain
Ma hope o ka loaʻa ʻana o nā palapala hōʻoia, pono e hoʻohui ʻia ka mea kūʻai aku iā Kubernetes, no kēia hana mākou i kahi huna no ia:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pemA laila, e hoʻohana mākou iā ia no kā mākou mea hoʻokele Ingress.
Hoʻokomo Keycloak
Ua hoʻoholo wau ʻo ke ala maʻalahi loa ka hoʻohana ʻana i nā hopena i mākaukau no kēia, ʻo ia hoʻi nā pakuhi helm.
E hoʻouka i ka waihona a hoʻonui iā ia:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo updateE hana i kahi faila keycloak.yml me kēia ʻike:
keycloak.yml
keycloak:
# Имя администратора
username: "test_admin"
# Пароль администратор
password: "admin"
# Эти флаги нужны что бы позволить загружать в Keycloak скрипты прямо через web морду. Это нам
понадобиться что бы починить один баг, о котором ниже.
extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
# Включаем ingress, указываем имя хоста и сертификат который мы предварительно сохранили в secrets
ingress:
enabled: true
path: /
annotations:
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/affinity: cookie
hosts:
- keycloak.example.org
tls:
- hosts:
- keycloak.example.org
secretName: tls-keycloak
# Keycloak для своей работы требует базу данных, в тестовых целях я разворачиваю Postgresql прямо в Kuberntes, в продакшене так лучше не делать!
persistence:
deployPostgres: true
dbVendor: postgres
postgresql:
postgresUser: keycloak
postgresPassword: ""
postgresDatabase: keycloak
persistence:
enabled: trueHoʻonohonoho hui
A laila, e hele i ka ʻaoʻao pūnaewele
Kaomi ma ka ʻaoʻao hema Hoʻohui aupuni
Key
Value
inoa
'ōlelo
Hōʻike Hōʻike
Kubernetes
Hoʻopau i ka hōʻoia leka uila mea hoʻohana:
Nā ʻāpana o nā mea kūʻai aku -> Email -> Mappers -> Email i hōʻoia ʻia (Delete)
Hoʻonohonoho mākou i ka hui e hoʻokomo i nā mea hoʻohana mai ActiveDirectory, e waiho wau i nā screenshots ma lalo, manaʻo wau e ʻoi aku ka maʻalahi.
Huihui mea hoʻohana -> Hoʻohui mea hoʻolako… -> ldap
Hoʻonohonoho hui
Inā maikaʻi nā mea a pau, a laila ma hope o ke kaomi ʻana i ke pihi Hoʻopili i nā mea hoʻohana a pau e ʻike ʻoe i kahi leka e pili ana i ka lawe ʻana mai o nā mea hoʻohana.
A laila pono mākou e palapala i kā mākou hui
Huihui mea hoʻohana -> ldap_localhost -> Mappers -> Hana
Ke hana ʻana i kahi palapala palapala
Hoʻonohonoho mea kūʻai aku
Pono e hana i kahi mea kūʻai aku, ma ke ʻano o Keycloak, he noi kēia e ʻae ʻia mai ia. E hōʻike aku au i nā mea koʻikoʻi ma ke kiʻi ʻulaʻula.
Nā mea kūʻai aku -> Hana
Hoʻonohonoho mea kūʻai aku
E hana kākou i ka scoupe no nā hui:
ʻO nā mea kūʻai aku —> Hana
Hana i ka laulā
A e hoʻonoho i kahi palapala no lākou:
Nā Kūlana o nā mea kūʻai aku -> pūʻulu -> Mappers -> Hana
Mapper
Hoʻohui i ka palapala ʻāina o kā mākou hui i ka Default Client Scopes:
Nā mea kūʻai aku —> kubernetes —> Nā Kikowaena o nā mea kūʻai aku —> Nā mākau mea kūʻai aku
E koho pūʻulu в Loaʻa nā mea kūʻai akukaomi Hoʻohui i koho ʻia
Loaʻa iā mākou ka mea huna (a kākau iā ia i ke kaula) a mākou e hoʻohana ai no ka ʻae ʻana ma Keycloak:
Nā mea kūʻai aku —> kubernetes —> Hōʻoiaʻiʻo —> Mea huna
Hoʻopau kēia i ka hoʻonohonoho, akā ua hewa wau i ka wā, ma hope o ka ʻae ʻia ʻana, loaʻa iaʻu kahi hewa 403. .
Hoʻoponopono:
Nā Manaʻo o nā mea kūʻai aku -> nā kuleana -> Mappers -> Hana
Palapala ʻāina
Kāhea palapala
// add current client-id to token audience
token.addAudience(token.getIssuedFor());
// return token issuer as dummy result assigned to iss again
token.getIssuer();
Ke hoʻonohonoho nei i nā Kubernetes
Pono mākou e hōʻike i kahi e waiho ai kā mākou palapala kumu mai ka pūnaewele, a me kahi o ka mea hāʻawi OIDC.
No ka hana ʻana i kēia, hoʻoponopono i ka faila /etc/kubernetes/manifests/kube-apiserver.yaml
kube-apiserver.yaml
...
spec:
containers:
- command:
- kube-apiserver
...
- --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
- --oidc-client-id=kubernetes
- --oidc-groups-claim=groups
- --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
- --oidc-username-claim=email
...
Hoʻohou i ka kubeadm config i ka pūʻulu:
kubeadmconfig
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
ClusterConfiguration: |
apiServer:
extraArgs:
oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
oidc-client-id: kubernetes
oidc-groups-claim: groups
oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
oidc-username-claim: email
...
Ka hoʻonohonoho ʻana i ka mana-proxy
Hiki iā ʻoe ke hoʻohana i ka kiaʻi puka kīʻaha e pale i kāu noi pūnaewele. Ma waho aʻe o ka ʻoiaʻiʻo e ʻae kēia mea hoʻololi hope i ka mea hoʻohana ma mua o ka hōʻike ʻana i ka ʻaoʻao, e hāʻawi pū i ka ʻike e pili ana iā ʻoe i ka noi hope ma nā poʻo. No laila, inā kākoʻo kāu noi iā OpenID, a laila ʻae koke ʻia ka mea hoʻohana. E noʻonoʻo i ka laʻana o Kubernetes Dashboard
Ke hoʻokomo nei i ka papa kuhikuhi Kubernetes
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
externalPort: 80
rbac:
clusterAdminRole: true
create: true
serviceAccount:
create: true
name: 'dashboard-test'
Ka hoʻonohonoho ʻana i nā kuleana komo:
E hana mākou i kahi ClusterRoleBinding e hāʻawi i nā kuleana admin cluster (clusterRole cluster-admin maʻamau) no nā mea hoʻohana i ka hui DataOPS.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dataops_group
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: DataOPS
E hoʻouka i ka mea mālama puka kī:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# Включаем ingress
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
path: /
hosts:
- kubernetes-dashboard.example.org
tls:
- secretName: tls-keycloak
hosts:
- kubernetes-dashboard.example.org
# Говорим где мы будем авторизовываться у OIDC провайдера
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Имя клиента которого мы создали в Keycloak
ClientID: "kubernetes"
# Secret который я просил записать
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Куда перенаправить в случае успешной авторизации. Формат <SCHEMA>://<SERVICE_NAME>.><NAMESAPCE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Пропускаем проверку сертификата, если у нас самоподписанный
skipOpenidProviderTlsVerify: true
# Настройка прав доступа, пускаем на все path если мы в группе DataOPS
rules:
- "uri=/*|groups=DataOPS"
Ma hope o kēlā, ke hoʻāʻo ʻoe e hele i , e hoʻihoʻi ʻia mākou i Keycloak a inā loaʻa ka mana kūleʻa e hele mākou i ka Dashboard i hoʻopaʻa ʻia.
hoʻokomo ʻana i nā alaloa
No ka maʻalahi, hiki iā ʻoe ke hoʻohui i kahi gangway e hoʻopuka i kahi faila config no kubectl, me ke kōkua o mākou e komo ai i Kubernetes ma lalo o kā mākou mea hoʻohana.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
# Произвольное имя кластера
clusterName: "my-k8s"
# Где у нас OIDC провайдер
authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
# Теоритически сюда можно добавить groups которые мы замапили
scopes: ["openid", "profile", "email", "offline_access"]
redirectURL: "https://gangway.example.org/callback"
# Имя клиента
clientID: "kubernetes"
# Секрет
clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Если оставить дефолтное значние, то за имя пользователя будет братья <b>Frist name</b> <b>Second name</b>, а при "sub" его логин
usernameClaim: "sub"
# Доменное имя или IP адресс API сервера
apiServerURL: "https://192.168.99.111:8443"
# Включаем Ingress
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
path: /
hosts:
- gangway.example.org
tls:
- secretName: tls-keycloak
hosts:
- gangway.example.org
# Если используем самоподписанный сертификат, то его(открытый корневой сертификат) надо указать.
trustedCACert: |-
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwHhcNMjAwMjE0MDkxODAwWhcNMzAwMjE0MDkxODAwWjA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyP749PqqIRwNSqaK6qr0Zsi03G4PTCUlgaYTPZuMrwUVPK8xX2dWWs9MPRMOdXpgr8aSTZnVfmelIlVz4D7o2vK5rfmAe9GPcK0WbwKwXyhFU0flS9sU/g46ogHFrk03SZxQAeJhMLfEmAJm8LF5HghtGDs3t4uwGsB95o+lqPLiBvxRB8ZS3jSpYpvPgXAuZWKdZUQ3UUZf0X3hGLp7uIcIwJ7i4MduOGaQEO4cePeEJy9aDAO6qV78YmHbyh9kaW+1DL/Sgq8NmTgHGV6UOnAPKHTnMKXl6KkyUz8uLBGIdVhPxrlzG1EzXresJbJenSZ+FZqm3oLqZbw54Yp5hAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHISTOU/6BQqqnOZj+1xJfxpjiG0MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAj7HC8ObibwOLT4ZYmISJZwub9lcE0AZ5cWkPW39j/syhdbbqjK/6jy2D3WUEbR+s1Vson5Ov7JhN5In2yfZ/ByDvBnoj7CP8Q/ZMjTJgwN7j0rgmEb3CTZvnDPAz8Ijw3FP0cjxfoZ1Z0V2F44Ry7gtLJWr06+MztXVyto3aIz1/XbMQnXYlzc3c3B5yUQIy44Ce5aLRVsAjmXNqVRmDJ2QPNLicvrhnUJsO0zFWI+zZ2hc4Ge1RotCrjfOc9hQY63jZJ17myCZ6QCD7yzMzAob4vrgmkD4q7tpGrhPY/gDcE+lUNhC7DO3l0oPy2wsnT2TEn87eyWmDiTFG9zWDew==
-----END CERTIFICATE-----
Ua like me keia. Hāʻawi iā ʻoe e hoʻoiho koke i ka faila config a hoʻohua iā ia me ka hoʻohana ʻana i kahi hoʻonohonoho o nā kauoha:
Source: www.habr.com