A short tutorial on how to use Keycloak to connect Kubernetes to your LDAP server and set up the import of users and groups. This lets you configure RBAC for your users and put an auth-proxy in front of the Kubernetes Dashboard and other applications that cannot authenticate users on their own.
Installing Keycloak
We assume you already have an LDAP server. It can be Active Directory, FreeIPA, OpenLDAP or anything else. If you do not have an LDAP server, you can in principle create users directly in the Keycloak interface, or use public OIDC providers (Google, GitHub, GitLab); the result is almost the same.
First, let's install Keycloak itself. It can be installed separately or directly into a Kubernetes cluster. As a rule, if you have several Kubernetes clusters, it is easier to install it separately. On the other hand, you can always use
To store its data, Keycloak needs a database. The default is h2 (all data is kept locally), but you can also use postgres, mysql or mariadb.
If you decide to install Keycloak separately, you will find more detailed instructions
Realm configuration
First, let's create a new realm. A realm is the space of our application. Every application can have its own realm with its own users and authorization settings. The Master realm is used by Keycloak itself, and using it for anything else is a mistake.
Click Add realm

Option               Value
Name                 kubernetes
Display name         Kubernetes
HTML Display name    <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >
Kubernetes checks by default whether the user's email address has been verified. Since we use our own LDAP server, this check will almost always return false. Let's disable the display of this option for Kubernetes:
Client Scopes -> Email -> Mappers -> Email verified (Delete)
Now let's set up federation; to do this, go to:
User Federation -> Add provider... -> ldap
Here is an example of the settings for FreeIPA:
Option                           Value
Console Display Name             freeipa.example.org
Vendor                           Red Hat Directory Server
UUID LDAP attribute              ipauniqueid
Connection URL                   ldaps://freeipa.example.org
Users DN                         cn=users,cn=accounts,dc=example,dc=org
Bind DN                          uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential                  <password>
Allow Kerberos authentication    on
Kerberos Realm                   EXAMPLE.ORG
Server Principal                 HTTP/[email protected]
KeyTab                           /etc/krb5.keytab
The user keycloak-svc must be created on our LDAP server beforehand.
In the case of Active Directory, select Vendor: Active Directory and the required settings will be filled into the form automatically.
Click Save
Now let's go to:
User Federation -> freeipa.example.org -> Mappers -> First Name
Option            Value
LDAP Attribute    givenName
Now let's enable the group mapping:
User Federation -> freeipa.example.org -> Mappers -> Create
Option                           Value
Name                             groups
Mapper Type                      group-ldap-mapper
LDAP Groups DN                   cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy    GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
The federation setup is now complete; let's move on to configuring the client.
Client configuration
Let's create a new client (an application that will receive users from Keycloak). Go to:
Clients -> Create
Option                 Value
Client ID              kubernetes
Access Type            confidential
Root URL               http://kubernetes.example.org/
Valid Redirect URIs    http://kubernetes.example.org/*
Admin URL              http://kubernetes.example.org/
Let's also create a scope for groups:
Client Scopes -> Create
Option             Value
Template           No template
Name               groups
Full group path    false
And set up a mapper for it:
Client Scopes -> groups -> Mappers -> Create
Option              Value
Name                groups
Mapper Type         Group membership
Token Claim Name    groups
Now we need to enable the group mapping in our client:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and click Add selected
Now let's configure authentication for our application; go to:
Clients -> kubernetes
Option                   Value
Authorization Enabled    ON
Click Save, and this completes the client setup. Now, on the tab
Clients -> kubernetes -> Credentials
you can get the secret that we will use later.
Configuring Kubernetes
Configuring Kubernetes for OIDC authentication is fairly trivial. All you need to do is place the CA certificate of your OIDC server at /etc/kubernetes/pki/oidc-ca.pem and add the required options to kube-apiserver.
To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all of your masters.
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...
Also update the kubeadm config in the cluster so that these settings are not lost on upgrade:
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
This completes the Kubernetes setup. You can repeat these steps on all of your Kubernetes clusters.
Initial authentication
After these steps you will have a Kubernetes cluster with OIDC authentication configured. The only thing missing is that your users do not yet have a configured client or their own kubeconfig. To solve this, you need to set up the issuing of a kubeconfig to users after they authenticate successfully.
For this you can use special web applications that authenticate the user and then let them download a ready-made kubeconfig. One of the simplest
To set up Kuberos, just describe a template for the kubeconfig and run it with the following parameters:
kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template
For more details see
You can also use
The resulting kubeconfig can be checked on the site: just copy users[].user.auth-provider.config.id-token from your kubeconfig into the form on the site and you immediately get the decoded token.
Configuring RBAC
When configuring RBAC you can refer either to the user's name (the name field in the jwt token) or to the user's group (the groups field in the jwt token). Here is an example of granting permissions to the group kubernetes-default-namespace-admins:
kubernetes-default-namespace-admins.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins
More examples for RBAC can be found at
Configuring auth-proxy
A wonderful project
dashboard-proxy.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        # replace with your own randomly generated key
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP
Source: www.habr.com