A short tutorial on using Keycloak to connect Kubernetes to your LDAP server and to set up the import of users and groups. This lets you configure RBAC for your users and use an auth-proxy to protect the Kubernetes Dashboard and other applications that have no authorization of their own.
Installing Keycloak
Let's assume you already have an LDAP server. It could be Active Directory, FreeIPA, OpenLDAP or anything else. If you don't have an LDAP server, you can in principle create users directly in the Keycloak interface, or use public OIDC providers (Google, GitHub, GitLab); the result will be the same.
First, let's install Keycloak itself. It can be installed separately or directly in the Kubernetes cluster. As a rule, if you have several Kubernetes clusters, it is easier to install it separately. Alternatively, you can always use
To store Keycloak data you will need a database. The default is h2 (all data is stored locally), but postgres, mysql or mariadb can also be used.
If you do decide to install Keycloak separately, you can find more complete instructions at
Federation setup
First, let's create a new realm. A realm is the space of our application. Each application can have its own realm with different users and authorization settings. The master realm is used by Keycloak itself, and using it for anything else is a bad idea.
Click Add realm

Option              Value
Name                kubernetes
Display name        Kubernetes
HTML Display name   <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >
By default Kubernetes checks whether the user's email is verified or not. Since we are using our own LDAP server, this check will always return false. Let's stop passing this setting to Kubernetes:
Client Scopes -> email -> Mappers -> email verified (Delete)
Now let's set up the federation; for this we go to:
User Federation -> Add provider… -> ldap
Here is an example configuration for FreeIPA:

Option                          Value
Console Display Name            freeipa.example.org
Vendor                          Red Hat Directory Server
UUID LDAP attribute             ipauniqueid
Connection URL                  ldaps://freeipa.example.org
Users DN                        cn=users,cn=accounts,dc=example,dc=org
Bind DN                         uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential                 <password>
Allow Kerberos authentication   on
Kerberos Realm                  EXAMPLE.ORG
Server Principal                HTTP/[email protected]
KeyTab                          /etc/krb5.keytab

The user keycloak-svc must be created in our LDAP server beforehand.
In the case of Active Directory, it is enough to choose Vendor: Active Directory, and the necessary settings will be filled into the form automatically.
Click Save
Now let's go to:
User Federation -> freeipa.example.org -> Mappers -> First Name

Option           Value
Ldap attribute   givenName
Now let's add a group mapping:
User Federation -> freeipa.example.org -> Mappers -> Create

Option                          Value
Name                            groups
Mapper Type                     group-ldap-mapper
LDAP Groups DN                  cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy   GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
This completes the federation setup; let's move on to configuring the client.
Client setup
Let's create a new client (the application that will receive users from Keycloak). Let's go to:
Clients -> Create

Option                Value
Client ID             kubernetes
Access Type           confidential
Root URL              http://kubernetes.example.org/
Valid Redirect URIs   http://kubernetes.example.org/*
Admin URL             http://kubernetes.example.org/
We also need to create a scope for groups:
Client Scopes -> Create

Option            Value
Template          No template
Name              groups
Full group path   false
And set up a mapper for it:
Client Scopes -> groups -> Mappers -> Create

Option             Value
Name               groups
Mapper Type        Group Membership
Token Claim Name   groups
Now we need to enable the group mapping in our client's scopes:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and click Add selected
Now let's set up authentication for our application; go to:
Clients -> kubernetes

Option                  Value
Authorization Enabled   ON

Click Save, and with this the client setup is complete. Now on the tab
Clients -> kubernetes -> Credentials
you can get the secret that we will use later.
Configuring Kubernetes
Setting up Kubernetes for OIDC authorization is trivial and not complicated at all. All you need to do is put the CA certificate of your OIDC server into /etc/kubernetes/pki/oidc-ca.pem and add the necessary options for kube-apiserver.
To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all your masters:

...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
    ...
And update the kubeadm config in the cluster so that these settings are not lost during an upgrade:

kubectl edit -n kube-system configmaps kubeadm-config

...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
This completes the Kubernetes configuration. You can repeat these steps across all your Kubernetes clusters.
Initial authorization
After these steps you will have a Kubernetes cluster with OIDC authorization configured. The only snag is that your users do not yet have a configured client or their own kubeconfig. To solve this, you need to set up automatic issuance of a kubeconfig to users after successful authorization.
To do this you can use special web applications that let you authenticate the user and then download a ready-made kubeconfig. One of the most convenient is
To configure Kuberos, it is enough to describe a template for the kubeconfig and run it with the following parameters:

kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template

For more details see
It is also possible to use
The resulting kubeconfig can be checked on a JWT decoder site: just copy the value of users[].user.auth-provider.config.id-token from your kubeconfig into the form on the site and you immediately get the decoded token.
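The same inspection can be done offline. The following is an added example (not code from the original article): it pulls the id-token out of a kubeconfig, decodes the JWT payload without verifying the signature (kube-apiserver verifies it against the issuer's JWKS), and checks the claims against the --oidc-* flags configured above. This is the check to run when a user authenticates fine but their groups or username do not come through. The sample kubeconfig and token are constructed for the example; a real kubeconfig would be loaded from YAML, and real Keycloak tokens are RS256-signed.

```python
"""Decode the id-token from a kubeconfig and check it against the kube-apiserver
OIDC flags. Added example, not from the original article. The JWT signature is
NOT verified here; only the claims are inspected, which is what you need when
debugging username/group mapping.
"""
import base64
import json
import time
from typing import List, Optional

# Mirrors the --oidc-* flags set on kube-apiserver earlier in the article.
APISERVER_OIDC = {
    "issuer_url": "https://keycloak.example.org/auth/realms/kubernetes",
    "client_id": "kubernetes",
    "username_claim": "email",
    "groups_claim": "groups",
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def id_token_from_kubeconfig(kubeconfig: dict, user: str) -> str:
    """Walk users[].user.auth-provider.config.id-token for the named user."""
    for entry in kubeconfig["users"]:
        if entry["name"] == user:
            return entry["user"]["auth-provider"]["config"]["id-token"]
    raise KeyError(f"no user {user!r} in kubeconfig")


def check_claims(claims: dict, cfg: dict, now: Optional[float] = None) -> List[str]:
    """Return the reasons kube-apiserver would reject this token; an empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["issuer_url"]:
        problems.append(f"iss {claims.get('iss')!r} does not match --oidc-issuer-url")
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain --oidc-client-id")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired (exp)")
    if not claims.get(cfg["username_claim"]):
        problems.append(f"username claim {cfg['username_claim']!r} is missing or empty")
    # With --oidc-username-claim=email the apiserver rejects email_verified=false;
    # an absent claim is accepted, which is why the article deletes that mapper.
    if cfg["username_claim"] == "email" and claims.get("email_verified") is False:
        problems.append("email_verified is false: remove the 'email verified' mapper in Keycloak")
    if not isinstance(claims.get(cfg["groups_claim"]), list):
        problems.append(f"groups claim {cfg['groups_claim']!r} is missing or not a list")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed claims shaped like a Keycloak id-token for the setup above.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.org/auth/realms/kubernetes",
    "aud": "kubernetes",
    "sub": "constructed-subject-id",
    "iat": 1_700_000_000,
    "exp": 1_700_000_300,
    "email": "alice@example.org",
    "groups": ["kubernetes-default-namespace-admins"],
}

# Constructed kubeconfig fragment, as a dict so no YAML library is needed.
SAMPLE_KUBECONFIG = {
    "users": [{
        "name": "alice@example.org",
        "user": {"auth-provider": {"name": "oidc", "config": {
            "client-id": "kubernetes",
            "idp-issuer-url": SAMPLE_CLAIMS["iss"],
            "id-token": make_unsigned_token(SAMPLE_CLAIMS),
        }}},
    }]
}

if __name__ == "__main__":
    token = id_token_from_kubeconfig(SAMPLE_KUBECONFIG, "alice@example.org")
    claims = decode_jwt_unverified(token)
    print(json.dumps(claims, indent=2))
    print("problems:", check_claims(claims, APISERVER_OIDC, now=1_700_000_100) or "none")
```

If the groups claim is reported missing, the usual cause is that the groups scope was not added to the client's Default Client Scopes (the step in the client setup above); if email_verified is false, the email verified mapper is still in place.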
RBAC setup
When configuring RBAC you can refer both to the user name (the name field in the JWT token) and to the user's groups (the groups field in the JWT token). Here is an example of setting up permissions for the group kubernetes-default-namespace-admins:
kubernetes-default-namespace-admins.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins
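To see how the groups claim from the token turns into an authorization decision, here is an added example (not code from the original article) that models the RBAC evaluation kube-apiserver performs for the Role and RoleBinding above. It is a deliberately simplified model: Role and RoleBinding only, no ClusterRole, resourceNames, subresources or non-resource URLs. The users alice and bob and their groups are constructed for the example.

```python
"""Evaluate the article's Role/RoleBinding for a user whose id-token carries the
'groups' claim, the way kube-apiserver's RBAC authorizer decides a request.
Added example, not from the original article; simplified model (Role + RoleBinding only).
"""
from typing import Dict, List, Tuple

# The two objects from kubernetes-default-namespace-admins.yaml, as Python dicts.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "default-admins", "namespace": "default"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "kubernetes-default-namespace-admins", "namespace": "default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "default-admins"},
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
         "name": "kubernetes-default-namespace-admins"},
    ],
}


def _matches(allowed: List[str], value: str) -> bool:
    """RBAC list matching: '*' matches anything, otherwise exact match ('' is the core API group)."""
    return "*" in allowed or value in allowed


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """A single PolicyRule grants the request only if verb, apiGroup and resource all match."""
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource))


def subject_matches(subject: dict, user: str, groups: List[str]) -> bool:
    """User subjects match by name; Group subjects match any group carried in the token."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope for this example


def is_allowed(user: str, groups: List[str], verb: str, api_group: str, resource: str,
               namespace: str, roles: List[dict], bindings: List[dict]) -> bool:
    """True if some RoleBinding in the namespace binds the user (or one of the user's
    groups) to a Role whose rules allow the request. RBAC is deny-by-default."""
    roles_by_key: Dict[Tuple[str, str], dict] = {
        (r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles
    }
    for binding in bindings:
        ns = binding["metadata"]["namespace"]
        if ns != namespace or binding["roleRef"]["kind"] != "Role":
            continue  # a RoleBinding only grants access inside its own namespace
        if not any(subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        role = roles_by_key.get((ns, binding["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False


def can(user: str, groups: List[str], verb: str, resource: str, namespace: str,
        api_group: str = "") -> bool:
    """Convenience wrapper over the article's two objects, in the spirit of 'kubectl auth can-i'."""
    return is_allowed(user, groups, verb, api_group, resource, namespace, [ROLE], [ROLE_BINDING])


if __name__ == "__main__":
    # Constructed identities: alice's token carries the admin group, bob's does not.
    alice = ("alice@example.org", ["kubernetes-default-namespace-admins"])
    bob = ("bob@example.org", ["developers"])
    print("alice delete pods in default:       ", can(*alice, "delete", "pods", "default"))
    print("alice create deployments in default:", can(*alice, "create", "deployments", "default", "apps"))
    print("alice list pods in kube-system:     ", can(*alice, "list", "pods", "kube-system"))
    print("bob list pods in default:           ", can(*bob, "list", "pods", "default"))
```

On a real cluster the equivalent check is kubectl auth can-i delete pods -n default --as alice@example.org --as-group kubernetes-default-namespace-admins, which exercises the actual authorizer with the same group name the token would carry.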
More RBAC examples can be found at
Setting up auth-proxy
There is a great project
dashboard-proxy.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP
Source: www.habr.com