I present to you a tutorial on generating access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.
Meme from a Russian-speaking Kubernetes community chat
Introduction
We use Kubernetes to create dynamic environments for the development and QA teams. So we need to give them access to the cluster, both through the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes has no native authentication, so we use third-party tools for this.
In this configuration we use:
- dex-k8s-authenticator - a web application for generating a kubectl config
- dex - an OpenID Connect provider
- GitHub - simply because we use GitHub in our company
We tried using Google OIDC, but unfortunately we
So, here is how the Kubernetes authorization process works, as shown on the diagram:
Authorization process
A bit more detail, point by point:
- The user logs in to dex-k8s-authenticator (login.k8s.example.com)
- dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
- Dex redirects to the GitHub login page
- GitHub generates the required authorization information and returns it to Dex
- Dex passes the received information to dex-k8s-authenticator
- The user receives an OIDC token from GitHub
- dex-k8s-authenticator adds the token to kubeconfig
- kubectl passes the token to KubeAPIServer
- KubeAPIServer returns access to kubectl based on the token passed to it
- The user gets access through kubectl
Preparation
Naturally, we already have a Kubernetes cluster (k8s.example.com) with HELM installed on it. We also have an organization on GitHub (super-org).
If you don't have HELM, install it.
First we need to set up GitHub.
Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
Creating a new application on GitHub
Fill in the required URLs, for example:
- Homepage URL: https://dex.k8s.example.com
- Authorization callback URL: https://dex.k8s.example.com/callback
Be careful with the links: it is important not to lose the slashes.
In response to the completed form, GitHub will generate a Client ID and a Client secret. Save them somewhere safe, they will come in handy (for example, we use Client ID: 1ab2c3d4e5f6g7h8 and Client secret: 98z76y54x32w1).
Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.
Let's create the SSL certificates:
```shell
cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
  - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
  - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
```
```shell
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system
```
A ClusterIssuer named le-clusterissuer must already exist; if it doesn't, install cert-manager with HELM and create the issuer:
```shell
helm install --namespace kube-system -n cert-manager stable/cert-manager
```
```shell
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF
```
Configuring KubeAPIServer
For kubeAPIServer to accept the tokens, you need to configure OIDC and update the cluster (the claim names below are what the API server uses as the username and as the group list for RBAC):
```shell
kops edit cluster
```
```yaml
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
...
```
```shell
kops update cluster --yes
kops rolling-update cluster --yes
```
We use
Configuring Dex and dex-k8s-authenticator
For Dex to work, you need the certificate and key from the Kubernetes master, so let's take them from there:
```
sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----
```
Let's clone the dex-k8s-authenticator repository:
```shell
git clone [email protected]:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/
```
Using the template files, we can set the variables to suit our needs.
Let's describe the configuration for Dex (the heredoc delimiter is quoted so that the $GITHUB_CLIENT_ID and $GITHUB_CLIENT_SECRET references are written into the file literally and expanded by Dex from envSecrets, not by the shell):
```shell
cat << 'EOF' > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF
```
And for dex-k8s-authenticator:
```shell
cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF
```
Install Dex and dex-k8s-authenticator:
```shell
helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator
```
Let's check that the services are up (Dex should return code 400, and dex-k8s-authenticator should return code 200):
```
curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200
```
Configuring RBAC
We create a ClusterRole for the group; in our case it is read-only access:
```shell
cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF
```
Let's create the ClusterRoleBinding that ties the GitHub team group to that role (subjects is a list, and the rbac.authorization.k8s.io/v1 API is used, matching the ClusterRole above):
```shell
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "super-org:team-red"
EOF
```
Now we are ready to test.
Testing
Go to the login page (https://login.k8s.example.com) and sign in with your GitHub account:
Login page
The login page redirected to GitHub
Follow the generated instructions to get access
After copy-pasting from the web page, we can use kubectl to manage our cluster resources:
```
kubectl get po
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          3d
kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"
```
It works: all GitHub users in our organization can view resources and exec into pods, but have no rights to change them.
Source: www.habr.com
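As an added illustration (not part of the original article), the following Python models the last steps of the diagram: the API server maps the `email` and `groups` claims of the ID token to a Kubernetes user and groups (oidcUsernameClaim/oidcGroupsClaim), checks issuer, audience and expiry, and RBAC then matches the group against the ClusterRoleBinding and the cluster-read-all rules, which is why `kubectl get po` succeeds and `kubectl delete po` is forbidden. The constructed sample token, the abridged rule set and the assumption that the RS256 signature was already verified against the issuer's JWKS are mine, not the article's.

```python
import base64
import json
import time

# Values taken from the article's kubeAPIServer block and RBAC manifests.
OIDC_ISSUER_URL = "https://dex.k8s.example.com/"
OIDC_CLIENT_ID = "dex-k8s-authenticator"
USERNAME_CLAIM, GROUPS_CLAIM = "email", "groups"
BOUND_GROUPS = {"super-org:team-red"}          # ClusterRoleBinding subject
READ_VERBS = {"get", "watch", "list"}
RULES = [                                      # cluster-read-all, abridged
    {"resources": {"pods", "pods/log", "pods/exec", "deployments"}, "verbs": READ_VERBS},
    {"resources": {"pods/exec"}, "verbs": {"create"}},
]


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def identity_from_token(id_token, now=None):
    """Map ID-token claims to a Kubernetes (username, groups) pair the way
    oidcUsernameClaim/oidcGroupsClaim do. Assumes the RS256 signature was
    already verified against the issuer's JWKS (not done here)."""
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims[USERNAME_CLAIM], set(claims.get(GROUPS_CLAIM, []))


def allowed(groups, verb, resource):
    """RBAC decision: the binding must match a group, then some rule must match."""
    if not groups & BOUND_GROUPS:
        return False
    return any(resource in r["resources"] and verb in r["verbs"] for r in RULES)


def make_unsigned_token(claims):
    """Constructed sample token with a placeholder signature, for local tests only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-sig"
```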