Authenticating to Kubernetes using GitHub OAuth and Dex

This is a tutorial on giving people access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

[Image: meme from the Russian-language Kubernetes chat on Telegram]

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster both through the dashboard and with kubectl. Unlike OpenShift, vanilla Kubernetes ships no identity provider of its own: the API server only verifies credentials issued elsewhere (client certificates, static tokens, OIDC ID tokens), so we use third-party tools for the login part.

In this setup we use:

  • dex-k8s-authenticator: a web application that generates the kubectl configuration
  • Dex: an OpenID Connect provider
  • GitHub: simply because we already use GitHub in our company

We tried Google OIDC, but unfortunately could not get it to work with groups, so the GitHub integration suited us well. Without a group mapping it is not possible to write RBAC policies based on groups.

Here is how our Kubernetes authorization process works, as a diagram:

[Figure: the authorization process]

In a little more detail, step by step:

  1. The user opens dex-k8s-authenticator (login.k8s.example.com) and clicks Log in
  2. dex-k8s-authenticator redirects the browser to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub authenticates the user and returns an authorization code to Dex; Dex exchanges it for a GitHub access token and reads the user's profile and team membership
  5. Dex issues its own OIDC ID token, signed with Dex's key and carrying the email and groups claims, and sends the user back to dex-k8s-authenticator
  6. dex-k8s-authenticator shows the user a kubeconfig snippet containing that ID token (and a refresh token)
  7. The user copies the snippet into their kubeconfig
  8. kubectl sends the ID token as a bearer token to the kube-apiserver
  9. The kube-apiserver verifies the token's signature against Dex's published keys, checks issuer, audience and expiry, and maps the email and groups claims to a Kubernetes user and groups
  10. RBAC decides what that user may do, and kubectl gets its answer

Preparatory steps

Naturally, we already have a Kubernetes cluster installed (k8s.example.com) with Helm set up on it, and we have an organization on GitHub (super-org).
If you do not have Helm yet, installing it is very simple.

First, we need to set up GitHub.

Go to the organization's settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (OAuth Apps, then New OAuth App):

[Figure: creating a new application on GitHub]

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the links: GitHub only redirects back to the callback URL registered here, so it must match the redirectURI in the Dex connector configuration exactly, slash for slash.

Once the form is submitted, GitHub generates a Client ID and a Client secret. Keep them somewhere safe, they will be needed shortly (we store secrets in Vault):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as TLS certificates for the ingress.

Let's create the TLS certificates. The manifests below use the legacy certmanager.k8s.io/v1alpha1 API, where the ACME solver was configured on the Certificate itself; on current cert-manager (cert-manager.io/v1) the solver belongs to the Issuer, and a Certificate needs only secretName, dnsNames and issuerRef:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

A ClusterIssuer named le-clusterissuer should already exist; if it does not, create it with Helm (Helm 2 syntax, where -n is the release name; with Helm 3 the release name is the first positional argument and -n sets the namespace). A ClusterIssuer is cluster-scoped, so the namespace in its metadata is ignored by the API server:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

KubeAPIServer configuration

For the kube-apiserver to accept tokens issued by Dex, it needs the OIDC settings below, after which the cluster has to be updated:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy clusters, but the same flags (--oidc-issuer-url, --oidc-client-id, --oidc-username-claim, --oidc-groups-claim) work with any other cluster manager. Two details matter here. First, oidcIssuerURL must match Dex's issuer exactly, trailing slash included: the API server compares the iss claim as a string and discovers the signing keys via <issuer>/.well-known/openid-configuration. Second, no oidcGroupsPrefix or oidcUsernamePrefix is set, so the claim values are used verbatim as Kubernetes group and user names. Dex's GitHub connector emits groups as org:team, which is why the binding further down is to super-org:team-red; a prefix such as "oidc:" is cheap insurance against any claim value ever colliding with a built-in group like system:masters.
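To make the claim mapping concrete, here is an added example (not code from the article or from Kubernetes) that reproduces the checks the kube-apiserver performs on an ID token under the kops settings above: signature, issuer, audience, expiry, then the email and groups claims become the Kubernetes user and groups. The token is constructed inline and signed with HS256 so the script runs offline; that part is a stand-in, since real Dex tokens are RS256 and are verified against the JWKS Dex publishes at <issuer>/keys. The issuer, client ID and claim names are the article's values; the demo key and the sample claims are made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from the kops kubeAPIServer stanza.
ISSUER = "https://dex.k8s.example.com/"   # oidcIssuerURL; must equal Dex's `issuer` byte for byte
CLIENT_ID = "dex-k8s-authenticator"       # oidcClientID; must appear in the token's `aud`
USERNAME_CLAIM = "email"                  # oidcUsernameClaim
GROUPS_CLAIM = "groups"                   # oidcGroupsClaim
GROUPS_PREFIX = ""                        # oidcGroupsPrefix (not set in the article)

# Constructed demo key. Real Dex tokens are RS256-signed and the API server verifies
# them against the public keys fetched from <issuer>/keys instead.
DEMO_KEY = b"constructed-demo-hs256-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact JWT for the demo (HS256 stand-in for Dex's RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Replicate the kube-apiserver OIDC checks; return {'username', 'groups'}.

    Any failure raises ValueError, which the API server reports to kubectl as 401.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))

    if claims.get("iss") != ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")

    username = claims.get(USERNAME_CLAIM)
    if not isinstance(username, str) or not username:
        raise ValueError(f"missing {USERNAME_CLAIM!r} claim")
    # With the email claim as username, an email_verified claim that is present but
    # not true is rejected (Dex's GitHub connector sets it from GitHub's verified flag).
    if USERNAME_CLAIM == "email" and "email_verified" in claims and claims["email_verified"] is not True:
        raise ValueError("email not verified")

    groups = claims.get(GROUPS_CLAIM, [])
    if not isinstance(groups, list):
        raise ValueError("groups claim is not a list")
    return {"username": username, "groups": [GROUPS_PREFIX + g for g in groups]}


if __name__ == "__main__":
    # Constructed claims, shaped like what Dex's github connector emits for a member
    # of team-red in super-org.
    demo = make_token({
        "iss": ISSUER, "aud": CLIENT_ID, "exp": int(time.time()) + 3600,
        "email": "[email protected]", "email_verified": True,
        "groups": ["super-org:team-red"],
    })
    print(authenticate(demo))
```

The same checks explain the two most common failures in this setup: an issuer configured with a trailing slash on one side and without on the other is rejected at the iss comparison, and a token minted for a different static client fails the aud check even though Dex signed it.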

Configuring Dex and dex-k8s-authenticator

The chart values below expect a certificate and a key; the article takes the Kubernetes CA pair from the master, which on a kops master lives here:

A word of caution before copying it: ca.key is the private key of the cluster CA. Whoever holds it can sign a client certificate for any user or group, including system:masters, and the API server will accept it. The only thing that has to leave the master is the public certificate (ca.crt), which dex-k8s-authenticator embeds in each kubeconfig as certificate-authority-data so that kubectl can verify the API server. Give Dex its own key pair (or let the ingress terminate TLS with the cert-manager secret) rather than reusing the cluster CA key, and treat any values file that contains a private key or client secret as a secret in its own right.

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Let's clone the dex-k8s-authenticator repository:

git clone [email protected]:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

With a values file we can set the variables for our Helm chart.

Let's describe the configuration for Dex. A few points in it deserve attention. responseTypes enables the implicit-flow types token and id_token as well as code; dex-k8s-authenticator uses the authorization-code flow, so ["code"] is enough and avoids returning tokens in URL fragments. The sqlite3 storage on a local file is fine for a single replica, but its contents (signing keys, sessions, refresh tokens) disappear when the pod restarts, after which previously issued tokens stop validating and users have to log in again. idTokens sets how long a stolen kubeconfig keeps working without a refresh: removing a user from the GitHub team stops Dex from refreshing, but an ID token already issued stays valid until it expires, so keep this value modest. Finally, envSecrets puts the GitHub client secret into the values file, so that file must not be committed anywhere:

cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

And for dex-k8s-authenticator (k8s_ca_pem needs only the public CA certificate, which ends up in every user's kubeconfig as certificate-authority-data; client_secret must equal the secret of the static client in the Dex config):

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator (Helm 2 syntax again; with Helm 3 the release name is positional and -n means namespace):

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Let's check that the services are up (Dex should answer 400 on /callback when it is called without an authorization code and state, and dex-k8s-authenticator should answer 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

We create a ClusterRole for the group, in our case with read-only access. Note that the last rule, create on pods/exec, is not read-only: it lets every member of the group open a shell in any pod in any namespace, including kube-system, and a shell inside a pod reaches whatever the pod's mounted service-account token and secrets can reach. If exec is genuinely needed, grant it with a namespaced Role in the development namespaces rather than in this ClusterRole:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]   # not read-only: a shell in any pod, in any namespace
EOF

Let's create the ClusterRoleBinding (subjects is a list, a Group subject takes the rbac.authorization.k8s.io apiGroup, and a ClusterRoleBinding is cluster-scoped, so it carries no namespace):

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: "super-org:team-red"
EOF
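To see what the role above actually permits before handing it out, here is an added example (not code from the article or from Kubernetes) that re-implements the rule matching of the kube-apiserver RBAC authorizer and evaluates the cluster-read-all rules for a member of super-org:team-red. It also evaluates a hardened variant with the exec rule dropped. The rules and the bound group are copied from the manifests; the request tuples are constructed.

```python
from typing import NamedTuple

# PolicyRules copied from the cluster-read-all ClusterRole.
CLUSTER_READ_ALL = [
    {
        "apiGroups": ["", "apps", "autoscaling", "batch", "extensions", "policy",
                      "rbac.authorization.k8s.io", "storage.k8s.io"],
        "resources": ["componentstatuses", "configmaps", "cronjobs", "daemonsets",
                      "deployments", "events", "endpoints", "horizontalpodautoscalers",
                      "ingress", "ingresses", "jobs", "limitranges", "namespaces", "nodes",
                      "pods", "pods/log", "pods/exec", "persistentvolumes",
                      "persistentvolumeclaims", "resourcequotas", "replicasets",
                      "replicationcontrollers", "serviceaccounts", "services",
                      "statefulsets", "storageclasses", "clusterroles", "roles"],
        "verbs": ["get", "watch", "list"],
    },
    {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]
# Hardened variant: the same role without the exec rule. If exec is really needed,
# grant it with a namespaced Role in the dev/QA namespaces instead of a ClusterRole.
READ_ONLY_RULES = CLUSTER_READ_ALL[:2]

# Group bound to the role by the ClusterRoleBinding.
BOUND_GROUPS = ["super-org:team-red"]


class Attributes(NamedTuple):
    """The parts of a request the RBAC authorizer looks at."""
    verb: str
    api_group: str = ""      # "" is the core group
    resource: str = ""
    subresource: str = ""
    name: str = ""
    path: str = ""           # non-empty only for non-resource URLs such as /healthz


def rule_allows(rule: dict, a: Attributes) -> bool:
    """Port of the matching logic in the kube-apiserver RBAC authorizer."""
    verbs = rule.get("verbs", [])
    if "*" not in verbs and a.verb not in verbs:
        return False
    if a.path:  # non-resource request: only nonResourceURLs apply
        return any(u == "*" or u == a.path or (u.endswith("*") and a.path.startswith(u[:-1]))
                   for u in rule.get("nonResourceURLs", []))
    groups = rule.get("apiGroups", [])
    if "*" not in groups and a.api_group not in groups:
        return False
    combined = f"{a.resource}/{a.subresource}" if a.subresource else a.resource
    # "*" matches everything, an exact "pods/exec" matches, and "*/exec" matches that
    # subresource on any resource. "pods/*" is NOT a wildcard in RBAC.
    if not any(r == "*" or r == combined or (a.subresource and r == f"*/{a.subresource}")
               for r in rule.get("resources", [])):
        return False
    names = rule.get("resourceNames", [])
    return not names or a.name in names


def is_allowed(a: Attributes, user_groups=("super-org:team-red",),
               rules=CLUSTER_READ_ALL, bound_groups=BOUND_GROUPS) -> bool:
    """A ClusterRoleBinding applies in every namespace, so the namespace is irrelevant."""
    if not set(user_groups) & set(bound_groups):
        return False
    return any(rule_allows(rule, a) for rule in rules)


if __name__ == "__main__":
    checks = [
        ("get pods", Attributes("get", "", "pods")),
        ("delete pods", Attributes("delete", "", "pods")),
        ("get secrets", Attributes("get", "", "secrets")),
        ("create pods/exec", Attributes("create", "", "pods", "exec")),
        ("get /healthz", Attributes("get", path="/healthz")),
    ]
    for label, attrs in checks:
        print(f"{label:18} cluster-read-all={is_allowed(attrs)!s:5} "
              f"read-only={is_allowed(attrs, rules=READ_ONLY_RULES)}")
```

The same answers can be confirmed against the live cluster with kubectl auth can-i, impersonating the group rather than a real user: `kubectl auth can-i create pods --subresource=exec --as=anyone --as-group=super-org:team-red -n kube-system` prints yes with the role as written, and no once the exec rule is removed.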

Now we are ready to test.

Testing

Go to the login page (https://login.k8s.example.com) and sign in with your GitHub account:

[Figure: login page]

[Figure: login page redirecting to GitHub]

[Figure: follow the generated instructions to obtain access]

After copy-pasting the generated snippet from the web page, we can use kubectl to manage our cluster's resources:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: every member of the team-red team in our GitHub organization (the only team listed in the connector config and bound by the ClusterRoleBinding) can view resources and exec into pods, but cannot modify them through the API, bearing in mind that exec itself is more than read access.

Sous: www.habr.com
