Setting up ActiveDirectory authorization for Kubernetes with Keycloak

This article was written to expand on an existing one, but it covers the specifics of integrating with Microsoft ActiveDirectory and complements that article.

In this article I will show how to install and configure:

  • Keycloak, an open source project that provides a single sign-on entry point for applications. It works with many protocols, including LDAP and OpenID, which is what interests us.
  • Keycloak gatekeeper, a reverse-proxy application that lets you put Keycloak authorization in front of an application.
  • Gangway, an application that generates a kubectl config with which you can log in via OpenID and connect to the Kubernetes API.

How authorization works in Kubernetes

We can manage user and group rights with RBAC; plenty of articles have already been written about that, so I will not go into detail here. The problem is that RBAC lets you restrict a user's rights, but Kubernetes itself knows nothing about users. So we need a way to deliver users to Kubernetes. For that we add an OpenID provider to Kubernetes: the provider confirms that a given user really exists, and Kubernetes itself then grants that user rights.

Preparation

  • You need a Kubernetes cluster or minikube
  • Active Directory
  • Domains:
    keycloak.example.org
    kubernetes-dashboard.example.org
    gangway.example.org
  • A certificate for the domains, or a self-signed certificate

I will not go into detail on how to create a self-signed certificate; you need to create 2 certificates, a root one (Certification Authority) and a wildcard client certificate for the *.example.org domain.

After you have obtained or issued the certificates, you need to add the client certificate to Kubernetes; to do that, create a secret for it:

kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem

Next we will use it for our Ingress controller.

Installing Keycloak

I decided that the easiest way is to use ready-made solutions for this, namely helm charts.

Add the repository and update it:

helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create a keycloak.yml file with the following content:

keycloak.yml

keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags allow scripts to be uploaded to Keycloak straight through the web UI.
  # We will need this to fix one bug, described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable the ingress, set the hostname and the certificate we saved to secrets earlier
  ingress:
    enabled: true 
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
    - hosts:
        - keycloak.example.org
      secretName: tls-keycloak
  # Keycloak needs a database. For testing I deploy PostgreSQL right inside Kubernetes; don't do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres

postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true

Setting up Federation

Next, go to the web interface at keycloak.example.org

In the top left corner click Add realm

Key: Value

Name: kubernetes

Display name: Kubernetes

Disable the user email verification check:
Client scopes -> Email -> Mappers -> Email verified (Delete)

Now we set up federation to import users from ActiveDirectory. I will leave the screenshots below; I think that makes it clearer.

User federation -> Add provider… -> ldap

[Screenshot: Federation settings]

If everything is fine, then after pressing the Synchronize all users button you will see a message about the successful import of users.

Next we need to map our groups:

User federation -> ldap_localhost -> Mappers -> Create

[Screenshot: Creating a mapper]

Client configuration

You need to create a client; in Keycloak terms this is the application that will be authorized by it. I have highlighted the important points in red in the screenshot.

Clients -> Create

[Screenshot: Client configuration]

Let's create a scope for groups:

Client Scopes -> Create

[Screenshot: Creating a scope]

And set up a mapper for them:

Client Scopes -> groups -> Mappers -> Create

[Screenshot: Mapper]

Add our group mapper to the Default Client Scopes:

Client -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes, click Add selected

We get the secret (and write it down somewhere) that we will use for authorization in Keycloak:

Client -> kubernetes -> Credentials -> Secret
This completes the setup, but I ran into a bug: after a successful authorization I received a 403 error.

Fix:

Client Scopes -> roles -> Mappers -> Create

[Screenshot: Mapper]

Script code

// add current client-id to token audience
token.addAudience(token.getIssuedFor());

// return token issuer as dummy result assigned to iss again
token.getIssuer();

Configuring Kubernetes

We need to tell the API server where our root certificate for the site lies and where the OIDC provider is.
To do that, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml

kube-apiserver.yaml


...
spec:
  containers:
  - command:
    - kube-apiserver
...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...

Update the kubeadm config in the cluster:

kubeadm config

kubectl edit -n kube-system configmaps kubeadm-config


...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
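The 403 after a successful login described in the client configuration section, and the `--oidc-*` flags above, both come down to which claims the ID token carries: the API server expects `iss` to equal `--oidc-issuer-url`, `aud` to contain `--oidc-client-id`, and the `email` and `groups` claims to be present. The following Python script is an added example (not code from the article, from Keycloak or from Kubernetes) that decodes a token's payload and reports which of those expectations fail. The issuer, client id and claim names are taken from the article's flags; the two sets of sample claims are constructed, one as Keycloak issues them before the script mapper adds the client id to the audience and one after. Signature verification is deliberately out of scope here; the script only inspects claims.

```python
import base64
import json

# Values from the article's kube-apiserver flags
ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"
CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT checked here;
    this helper only inspects claims, it is not a token validator."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, issuer: str = ISSUER, client_id: str = CLIENT_ID,
                 username_claim: str = USERNAME_CLAIM,
                 groups_claim: str = GROUPS_CLAIM) -> list:
    """List every expectation of the API server's --oidc-* flags that the
    claims fail. An empty list means the token maps to a user with groups."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss={claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # "aud" may be a single string or a list
        aud = [aud]
    if client_id not in aud:
        problems.append(f"aud={aud!r} does not contain client id {client_id!r}")
    if not claims.get(username_claim):
        problems.append(f"username claim {username_claim!r} is missing or empty")
    groups = claims.get(groups_claim)
    if not isinstance(groups, list) or not groups:
        problems.append(f"groups claim {groups_claim!r} is missing or not a non-empty list")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""])


# Constructed sample claims. By default Keycloak puts the client id only in
# "azp" and sets "aud" to "account"; the script mapper from the article adds
# the client id to "aud".
BEFORE_FIX = {
    "iss": ISSUER,
    "aud": "account",
    "azp": CLIENT_ID,
    "email": "jdoe@example.org",
    "groups": ["DataOPS"],
}
AFTER_FIX = {**BEFORE_FIX, "aud": ["account", CLIENT_ID]}


if __name__ == "__main__":
    for label, claims in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        token = make_unsigned_token(claims)
        print(label, check_claims(decode_payload(token)) or "OK")
```

To inspect a real token, pass the `id-token` value from a kubeconfig to `decode_payload` and run `check_claims` on the result; the one problem reported for the "before fix" sample is the missing audience that the script mapper corrects.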

Setting up the auth-proxy

To protect your web application you can use keycloak gatekeeper. Besides the fact that this reverse proxy authorizes the user before showing the page, it also passes information about you in headers to the backend application. So if your application supports OpenID, the user is authorized immediately. Let's look at the example of the Kubernetes Dashboard.

Installing the Kubernetes Dashboard


helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml

values_dashboard.yaml

enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'

Setting up access rights:

Let's create a ClusterRoleBinding that grants cluster administrator rights (the standard ClusterRole cluster-admin) to users in the DataOPS group.


kubectl apply -f rbac.yaml

rbac.yaml


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS

Installing keycloak gatekeeper:


helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml

values_proxy.yaml



# Enable ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
   - secretName: tls-keycloak
     hosts:
       - kubernetes-dashboard.example.org

# Where we will authorize with the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to redirect on successful authorization. Format <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if we use a self-signed certificate
skipOpenidProviderTlsVerify: true
# Access rules: allow every path if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"
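The `rules` entry above is the only thing standing between an authenticated user and the Dashboard, so it is worth being precise about how a rule like `uri=/*|groups=DataOPS` is read. The following Python model is an added example, not code from the article or from keycloak-gatekeeper: it parses rules in that `key=value|key=value` form, matches the request path against the `uri` glob (first matching rule wins), and then checks the group requirement. The `roles` and `methods` keys, the any-of semantics for groups, the all-of semantics for roles, and the fail-closed handling of paths no rule covers are this example's own choices and are not claimed to reproduce gatekeeper's exact behaviour. The second, stricter rule in the sample set is constructed.

```python
import fnmatch

# Rule syntax as in the article's values_proxy.yaml: "uri=<glob>|groups=<a,b>".
# Semantics chosen for this example: groups = any one of them, roles = all of
# them, methods = the request method must be listed, unmatched path = denied.


def parse_rule(rule: str) -> dict:
    """Parse "uri=/*|groups=DataOPS" into {"uri": "/*", "groups": ["DataOPS"]}."""
    parsed = {}
    for item in rule.split("|"):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed rule item {item!r}")
        key, value = key.strip(), value.strip()
        if key == "uri":
            parsed["uri"] = value
        elif key in ("groups", "roles", "methods"):
            parsed[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            raise ValueError(f"unsupported rule key {key!r}")
    if "uri" not in parsed:
        raise ValueError("every rule needs a uri= part")
    return parsed


def matching_rule(rules: list, path: str):
    # First rule whose uri glob matches wins, so order rules from specific to general
    for rule in rules:
        if fnmatch.fnmatchcase(path, rule["uri"]):
            return rule
    return None


def is_allowed(rules: list, path: str, groups, roles=(), method: str = "GET") -> bool:
    """Decide whether a user with these groups/roles may reach path with method."""
    rule = matching_rule(rules, path)
    if rule is None:
        return False  # fail closed: a path no rule covers is denied in this model
    if "methods" in rule and method.upper() not in [m.upper() for m in rule["methods"]]:
        return False
    if "groups" in rule and not set(rule["groups"]) & set(groups):
        return False  # membership in any one listed group is enough
    if "roles" in rule and not set(rule["roles"]) <= set(roles):
        return False  # every listed role is required
    return True


# Constructed rule set: a read-only rule for /api/* placed in front of the
# article's catch-all rule.
RULES = [parse_rule(r) for r in (
    "uri=/api/*|groups=DataOPS|methods=GET",
    "uri=/*|groups=DataOPS",
)]


if __name__ == "__main__":
    print(is_allowed(RULES, "/", ["DataOPS"]))                               # True
    print(is_allowed(RULES, "/api/v1/pods", ["DataOPS"], method="DELETE"))   # False
    print(is_allowed(RULES, "/", ["Developers"]))                            # False
```

Because the first matching rule decides, putting the catch-all `uri=/*` rule first would silently shadow any stricter rule after it; keep the most specific paths at the top when extending the list.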

After that, when you try to open kubernetes-dashboard.example.org, you are redirected to Keycloak, and if authorization succeeds you land on the Dashboard already logged in.

Installing Gangway

For convenience you can add gangway, which generates a config file for kubectl; with it we access Kubernetes as our own user.


helm install --name gangway stable/gangway -f values_gangway.yaml

values_gangway.yaml


gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups scope we mapped could be added here
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # If left at the default, "First name Second name" is used as the username; with "sub" it is the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"

# Enable Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
  - gangway.example.org
  tls:
  - secretName: tls-keycloak
    hosts:
      - gangway.example.org

# If a self-signed certificate is used, its public root certificate must be specified here.
trustedCACert: |-
 -----BEGIN CERTIFICATE-----
 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
 -----END CERTIFICATE-----

It looks like this. It lets you download the config file right away, or create it with the commands shown:

[Screenshot: Gangway page]

Source: www.hab.com
