Authentication in Kubernetes using GitHub OAuth and Dex

I present to you a guide for setting up access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

[Image: local meme from the Russian-language Kubernetes chat in Telegram]

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster both through the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes has no built-in user authentication, so we use third-party tools for this.

In this setup we use:

  • dex-k8s-authenticator - a web application for generating a kubectl config
  • Dex - an OpenID Connect provider
  • GitHub - simply because we use GitHub at our company

We tried Google OIDC, but unfortunately we could not get it working with groups, so the GitHub integration suited us very well. Without group mapping it is impossible to build group-based RBAC policies.

So, here is how our Kubernetes authorization process works, shown as a diagram:

[Image: the authorization flow]

In a bit more detail, point by point:

  1. The user logs in to dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub generates the required authorization data and returns it to Dex
  5. Dex passes the received data to dex-k8s-authenticator
  6. The user receives an OIDC token from GitHub
  7. dex-k8s-authenticator adds the token to the kubeconfig
  8. kubectl passes the token to KubeAPIServer
  9. KubeAPIServer grants access to kubectl based on the passed token
  10. The user gets access through kubectl

Preparation

Of course, we already have a Kubernetes cluster installed (k8s.example.com), with HELM pre-installed as well. We also have an organization on GitHub (super-org).
If you do not have HELM, installing it is very easy.

First we need to configure GitHub.

Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
[Image: creating a new application on GitHub]

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the links: it is important not to lose any slashes.

In response to the completed form, GitHub will generate a Client ID and a Client secret. Store them somewhere safe, they will be needed later (for example, we keep secrets in vault):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

The ClusterIssuer named le-clusterissuer should already exist, but if it does not, create it using HELM:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

KubeAPIServer configuration

For kubeAPIServer to work with this, you need to configure OIDC and update the cluster:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy the cluster, but this works similarly for other cluster managers.

Dex and dex-k8s-authenticator configuration

For Dex to work, you need the certificate and key from the Kubernetes master; let's fetch them from there:

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Let's clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using values files, we can configure the variables for our HELM charts.

Let's describe the configuration for Dex:

# The delimiter is quoted so the shell does not expand $GITHUB_CLIENT_ID and
# $GITHUB_CLIENT_SECRET here; Dex expands them itself from envSecrets at runtime.
cat << 'EOF' > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

And for dex-k8s-authenticator:

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Let's check that the services are working (Dex should return code 400, and dex-k8s-authenticator should return code 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

We create a ClusterRole for the group, in our case with read-only access:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Let's create the configuration for the ClusterRoleBinding:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  # subjects must be a list; the group name is "<org>:<team>" as Dex's GitHub connector emits it
  - kind: Group
    name: "super-org:team-red"
EOF
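As an added example (not code from the original article), here is a stand-alone Python model of steps 8 and 9 of the flow: what kube-apiserver does with the Dex ID token, first applying the oidc* settings from the kops snippet and then the ClusterRole and ClusterRoleBinding just created. It reproduces the allowed get and the forbidden delete from the test section; the claims are constructed sample data, and the model assumes the token signature has already been verified against Dex's signing keys.

```python
import time

# kubeAPIServer settings from the kops cluster spec
OIDC = {
    "issuer": "https://dex.k8s.example.com/",   # oidcIssuerURL, compared verbatim
    "client_id": "dex-k8s-authenticator",       # oidcClientID, must equal the token's aud
    "username_claim": "email",                  # oidcUsernameClaim
    "groups_claim": "groups",                   # oidcGroupsClaim
}

def identity_from_claims(claims, now=None):
    """Map the claims of an already signature-verified ID token to the
    Kubernetes (username, groups) pair, raising ValueError on rejection."""
    now = time.time() if now is None else now
    if claims.get("iss") != OIDC["issuer"]:      # exact match: the trailing slash matters
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if OIDC["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims[OIDC["username_claim"]], list(claims.get(OIDC["groups_claim"], []))

# ClusterRole cluster-read-all, reduced to the rules relevant for the requests below,
# bound to the Dex GitHub group "org:team" by ClusterRoleBinding dex-cluster-auth
CLUSTER_READ_ALL = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]
BINDINGS = {"super-org:team-red": CLUSTER_READ_ALL}

def allowed(groups, api_group, resource, verb):
    """RBAC is allow-only: any matching rule in any bound role grants the request."""
    for rule in (r for g in groups for r in BINDINGS.get(g, [])):
        if api_group in rule["apiGroups"] and resource in rule["resources"] \
                and verb in rule["verbs"]:
            return True
    return False

# Constructed sample claims, shaped like an ID token from the GitHub connector
SAMPLE_CLAIMS = {"iss": "https://dex.k8s.example.com/", "aud": "dex-k8s-authenticator",
                 "exp": time.time() + 24 * 3600, "email": "user@example.com",
                 "groups": ["super-org:team-red"]}

if __name__ == "__main__":
    user, groups = identity_from_claims(SAMPLE_CLAIMS)
    for verb in ("get", "delete"):
        verdict = "allowed" if allowed(groups, "", "pods", verb) else "forbidden"
        print(user, verb, "pods ->", verdict)
```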

Now we are ready to test.

Testing

Go to the login page (https://login.k8s.example.com) and log in with your GitHub account:

[Image: the login page]

[Image: the login page redirected to GitHub]

[Image: follow the generated instructions to get access]

After copying the generated instructions from the web page, we can use kubectl to work with our cluster resources:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: all GitHub users in our organization can view resources and exec into pods, but they have no rights to change them.

Source: www.hab.com
