ืืืืจ ืื ื ืืชื ืืื ืืืจืืื ืืช ืื ืืฉื
ืืืืืจ ืื ืืกืคืจ ืืื ืืืฆื ืืืชืงืื ืืืืืืืจ:
- ืืืืืช ืืคืชื ืืื ืคืจืืืงื ืงืื ืคืชืื. ืื ืฉืืกืคืง ื ืงืืืช ืื ืืกื ืืืช ืืืืฉืืืื. ืขืืื ืขื ืคืจืืืืงืืืื ืจืืื, ืืืื LDAP ื-OpenID ืฉืื ื ืืขืื ืืื ืื ืืื.
- ืฉืืืจ ืกืฃ ืืืขืื ืืคืชื - ืืคืืืงืฆืืืช ืคืจืืงืกื ืืคืื ืืืืคืฉืจืช ืื ืืฉืื ืืจืฉืืืช ืืจื Keycloak.
- ืึทืืึธื - ืืืฉืื ืฉืืืืฆืจ ืงืื ืคืืืืจืฆืื ืขืืืจ kubectl ืฉืืืชื ื ืืชื ืืืืื ืก ืืืืชืืืจ ื-Kubernetes API ืืจื OpenID.
ืืืฆื ืคืืขืืืช ืืจืฉืืืช ื-Kubernetes.
ืื ืื ื ืืืืืื ืื ืื ืืช ืืืืืืช ืืืฉืชืืฉ/ืืงืืืฆื ืืืืฆืขืืช RBAC, ืืืจ ื ืืฆืจื ืขื ืื ืืืืจื ืฉื ืืืืจืื, ืื ืืชืขืื ืขื ืื ืืคืืจืื. ืืืขืื ืืื ืฉืืชื ืืืื ืืืฉืชืืฉ ื-RBAC ืืื ืืืืืื ืืช ืืืืืืช ืืืฉืชืืฉ, ืืื Kubernetes ืื ืืืืข ืืืื ืขื ืืฉืชืืฉืื. ืืกืชืืจ ืฉืื ืื ื ืฆืจืืืื ืื ืื ืื ืืกืืจืช ืืฉืชืืฉืื ื-Kubernetes. ืืฉื ืื ื ืืกืืฃ ื-Kuberntes OpenID ืกืคืง ืฉืืืื ืฉืืฉืชืืฉ ืืื ืืืืช ืงืืื, ื-Kubernetes ืืขืฆืื ืชืืชื ืื ืืช ืืืืืืืช.
ืืืจืื
- ืชืืืงืง ืืืฉืืื Kubernetes ืื ืืื ืืงืื
- ืฉื Active Directory
- ืืืืืื ืื:
keycloak.example.org
kubernetes-dashboard.example.org
gangway.example.org - ืืืฉืืจ ืืืืืืื ืื ืื ืืืฉืืจ ืืืชืืื ืขืฆืืืช
ืื ื ืื ืืชืขืื ืขื ืืื ืืืฆืืจ ืชืขืืื ืืืชืืื ืขืฆืืืช, ืืชื ืฆืจืื ืืืฆืืจ 2 ืชืขืืืืช, ืื ืืฉืืจืฉ (ืจืฉืืช ืืืืฉืืจืื) ืืืงืื ืืชืืืื ืืืืืืื ืืืืืืื *.example.org
ืืืืจ ืงืืืช / ืื ืคืงืช ืืืฉืืจืื, ืืฉ ืืืืกืืฃ ืืช ืืืงืื ื-Kubernetes, ืืฉื ืื ืื ื ืืืฆืจืื ืขืืืจื ืกืื:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem
ืืืืจ ืืื, ื ืฉืชืืฉ ืื ืขืืืจ ืืงืจ ื-Ingress ืฉืื ื.
ืืชืงื ืช Keycloak
ืืืืืชื ืฉืืืจื ืืงืื ืืืืชืจ ืืื ืืืฉืชืืฉ ืืคืชืจืื ืืช ืืืื ืื ืืื, ืืืืืจ ืชืจืฉืืื ืืื.
ืืชืงื ืืช ืืืืืจ ืืขืืื ืืืชื:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
ืฆืืจ ืงืืืฅ keycloak.yml ืขื ืืชืืื ืืื:
keycloak.yml
keycloak:
# ะะผั ะฐะดะผะธะฝะธัััะฐัะพัะฐ
username: "test_admin"
# ะะฐัะพะปั ะฐะดะผะธะฝะธัััะฐัะพั
password: "admin"
# ะญัะธ ัะปะฐะณะธ ะฝัะถะฝั ััะพ ะฑั ะฟะพะทะฒะพะปะธัั ะทะฐะณััะถะฐัั ะฒ Keycloak ัะบัะธะฟัั ะฟััะผะพ ัะตัะตะท web ะผะพัะดั. ะญัะพ ะฝะฐะผ
ะฟะพะฝะฐะดะพะฑะธัััั ััะพ ะฑั ะฟะพัะธะฝะธัั ะพะดะธะฝ ะฑะฐะณ, ะพ ะบะพัะพัะพะผ ะฝะธะถะต.
extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
# ะะบะปััะฐะตะผ ingress, ัะบะฐะทัะฒะฐะตะผ ะธะผั ั
ะพััะฐ ะธ ัะตััะธัะธะบะฐั ะบะพัะพััะน ะผั ะฟัะตะดะฒะฐัะธัะตะปัะฝะพ ัะพั
ัะฐะฝะธะปะธ ะฒ secrets
ingress:
enabled: true
path: /
annotations:
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/affinity: cookie
hosts:
- keycloak.example.org
tls:
- hosts:
- keycloak.example.org
secretName: tls-keycloak
# Keycloak ะดะปั ัะฒะพะตะน ัะฐะฑะพัั ััะตะฑัะตั ะฑะฐะทั ะดะฐะฝะฝัั
, ะฒ ัะตััะพะฒัั
ัะตะปัั
ั ัะฐะทะฒะพัะฐัะธะฒะฐั Postgresql ะฟััะผะพ ะฒ Kuberntes, ะฒ ะฟัะพะดะฐะบัะตะฝะต ัะฐะบ ะปัััะต ะฝะต ะดะตะปะฐัั!
persistence:
deployPostgres: true
dbVendor: postgres
postgresql:
postgresUser: keycloak
postgresPassword: ""
postgresDatabase: keycloak
persistence:
enabled: true
ืืืืจืช ืืคืืจืฆืื
ืืืืจ ืืื, ืขืืืจ ืื ืืืฉืง ืืืื ืืจื ื
ืืืฅ ืืคืื ื ืืฉืืืืืช ืืืกืฃ ืืืืื
ืืคืชื
ืขืจื
ืฉื
ืงืืืจื ืืก
ืฆื ืฉื
ืงืืืจื ื
ืืฉืืช ืืช ืืืืืช ืืืื"ื ืฉื ืืืฉืชืืฉ:
ืืืงืคื ืืงืื โ> ืืืืืื โ> ืืืคืืืื โ> ืืืืืื ืืืืืช (ืืืง)
ืืงืื ื ืืช ืืคืืจืฆืื ืืืืื ืืฉืชืืฉืื ื-ActiveDirectory, ืื ื ืืฉืืืจ ืฆืืืืื ืืกื ืืืื, ืื ื ืืืฉื ืฉืื ืืืื ืืจืืจ ืืืชืจ.
ืคืืจืฆืืืช ืืฉืชืืฉืื โ> ืืืกืฃ ืกืคืง... โ> ldap
ืืืืจืช ืืคืืจืฆืื
ืื ืืื ืืกืืจ, ืื ืืืืจ ืืืืฆื ืขื ืืืคืชืืจ ืกื ืืจื ืืช ืื ืืืฉืชืืฉืื ืชืจืื ืืืืขื ืขื ืืืืื โโืืืฆืื ืฉื ืืฉืชืืฉืื.
ืืฉืื ืืื ืขืืื ื ืืืคืืช ืืช ืืงืืืฆืืช ืฉืื ื
ืคืืจืฆืืืช ืืืฉืชืืฉืื --> ldap_localhost --> ืืืคืื --> ืฆืืจ
ืืฆืืจืช ืืืคื
ืืืืจืช ืืงืื
ืืฉ ืฆืืจื ืืืฆืืจ ืืงืื, ืืืืื ืช Keycloak ืื ืืคืืืงืฆืื ืฉืชืืืฉืจ ืืื ื. ืืืืืฉ ืืช ืื ืงืืืืช ืืืฉืืืืช ืืฆืืืื ืืืกื ืืืืื.
ืืงืืืืช โ> ืฆืืจ
ืืืืจืช ืืงืื
ืืืื ื ืืฆืืจ ืชืจืืื ืืงืืืฆืืช:
ืืืงืคื ืืงืื โ> ืฆืืจ
ืฆืืจ ืืืงืฃ
ืืืืืจ ืขืืืจื ืืคื:
ืืืงืคื ืืงืื โ> ืงืืืฆืืช โ> ืืืคืื โ> ืฆืืจ
Mapper
ืืืกืฃ ืืช ืืืืคืื ืฉื ืืงืืืฆืืช ืฉืื ื ืืืืงืคื ืืจืืจืช ืืืืื ืฉื ืืงืืืืช:
ืืงืืืืช โ> kubernetes โ> ืืืงืคื ืืงืื โ> ืืืงืคื ืืงืื ืืจืืจืช ืืืื
ืืืจ ืงืืืฆืืช ะฒ ืืืงืคื ืืงืื ืืืื ืืืืืฅ ืืืกืฃ ื ืืืจืื
ืื ื ืืงืืืื ืืช ืืกืื (ืื ืืชืื ืืืชื ืืฉืจืฉืืจ) ืื ื ืฉืชืืฉ ืืืจืฉืื ื-Keycloak:
ืืงืืืืช โ> kubernetes โ> ืืืฉืืจืื โ> ืกืื
ืื ืืฉืืื ืืช ืืืืืจื, ืืื ืืืืชื ืื ืฉืืืื ืืืฉืจ, ืืืืจ ืืจืฉืื ืืืฆืืืช, ืงืืืืชื ืฉืืืื 403.
ืืชืงื:
ืืืงืคื ืืงืื โ> ืชืคืงืืืื โ> ืืืคืื โ> ืฆืืจ
ืืืคื
ืงืื ืกืงืจืืคื
// add current client-id to token audience
token.addAudience(token.getIssuedFor());
// return token issuer as dummy result assigned to iss again
token.getIssuer();
ืืืืจืช Kubernetes
ืขืืื ื ืืฆืืื ืืืื ื ืืฆื ืืืฉืืจ ืืฉืืจืฉ ืฉืื ื ืืืืชืจ, ืืืืื ื ืืฆื ืกืคืง ื-OIDC.
ืืื ืืขืฉืืช ืืืช, ืขืจืื ืืช ืืงืืืฅ /etc/kubernetes/manifests/kube-apiserver.yaml
kube-apiserver.yaml
...
spec:
containers:
- command:
- kube-apiserver
...
- --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
- --oidc-client-id=kubernetes
- --oidc-groups-claim=groups
- --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
- --oidc-username-claim=email
...
ืขืืื ืืช ืชืฆืืจืช kubeadm ืืืฉืืื:
kubeadmconfig
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
ClusterConfiguration: |
apiServer:
extraArgs:
oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
oidc-client-id: kubernetes
oidc-groups-claim: groups
oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
oidc-username-claim: email
...
ืืืืจืช ืืืฉืืจ ืคืจืืงืกื
ืืชื ืืืื ืืืฉืชืืฉ ื-keycloak gatekeeper ืืื ืืืื ืขื ืืืฉืื ืืืื ืืจื ื ืฉืื. ืื ืืกืฃ ืืขืืืื ืฉืคืจืืงืกื ืืคืื ืื ืืืฉืจ ืืช ืืืฉืชืืฉ ืืคื ื ืืฆืืช ืืขืืื, ืืื ืื ืืขืืืจ ืืืืข ืขืืื ืืืืฉืื ืืงืฆื ืืืืชืจืืช. ืืคืืื, ืื ืืืคืืืงืฆืื ืฉืื ืชืืืืช ื-OpenID, ืืืฉืชืืฉ ืืืจืฉื ืืื. ืฉืงืื ืืช ืืืืืื ืฉื Kubernetes Dashboard
ืืชืงื ืช ืืื ืืืืืื ืื ืฉื Kubernetes
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
externalPort: 80
rbac:
clusterAdminRole: true
create: true
serviceAccount:
create: true
name: 'dashboard-test'
ืืืืจืช ืืืืืืช ืืืฉื:
ืืืื ื ืืฆืืจ ClusterRoleBinding ืฉืืขื ืืง ืืืืืืช ืืืืื ืืืฉืืื (ClusterRole cluster-admin ืกืื ืืจืื) ืืืฉืชืืฉืื ืืงืืืฆืช DataOPS.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dataops_group
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: DataOPS
ืืชืงื keycloak gatekeeper:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# ะะบะปััะฐะตะผ ingress
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
path: /
hosts:
- kubernetes-dashboard.example.org
tls:
- secretName: tls-keycloak
hosts:
- kubernetes-dashboard.example.org
# ะะพะฒะพัะธะผ ะณะดะต ะผั ะฑัะดะตะผ ะฐะฒัะพัะธะทะพะฒัะฒะฐัััั ั OIDC ะฟัะพะฒะฐะนะดะตัะฐ
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# ะะผั ะบะปะธะตะฝัะฐ ะบะพัะพัะพะณะพ ะผั ัะพะทะดะฐะปะธ ะฒ Keycloak
ClientID: "kubernetes"
# Secret ะบะพัะพััะน ั ะฟัะพัะธะป ะทะฐะฟะธัะฐัั
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# ะัะดะฐ ะฟะตัะตะฝะฐะฟัะฐะฒะธัั ะฒ ัะปััะฐะต ััะฟะตัะฝะพะน ะฐะฒัะพัะธะทะฐัะธะธ. ะคะพัะผะฐั <SCHEMA>://<SERVICE_NAME>.><NAMESAPCE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# ะัะพะฟััะบะฐะตะผ ะฟัะพะฒะตัะบั ัะตััะธัะธะบะฐัะฐ, ะตัะปะธ ั ะฝะฐั ัะฐะผะพะฟะพะดะฟะธัะฐะฝะฝัะน
skipOpenidProviderTlsVerify: true
# ะะฐัััะพะนะบะฐ ะฟัะฐะฒ ะดะพัััะฟะฐ, ะฟััะบะฐะตะผ ะฝะฐ ะฒัะต path ะตัะปะธ ะผั ะฒ ะณััะฟะฟะต DataOPS
rules:
- "uri=/*|groups=DataOPS"
ืืืจื ืื, ืืฉืืชื ืื ืกื ืืืืช ื
ืืชืงื ืช ืืกืืื
ืืืขืื ื ืืืืช, ื ืืชื ืืืืกืืฃ gangway ืฉืืืฆืืจ ืงืืืฅ ืืืืจืืช ืขืืืจ kubectl, ืืขืืจืชื ื ืืื ืก ื-Kubernetes ืชืืช ืืืฉืชืืฉ ืฉืื ื.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
# ะัะพะธะทะฒะพะปัะฝะพะต ะธะผั ะบะปะฐััะตัะฐ
clusterName: "my-k8s"
# ะะดะต ั ะฝะฐั OIDC ะฟัะพะฒะฐะนะดะตั
authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
# ะขะตะพัะธัะธัะตัะบะธ ััะดะฐ ะผะพะถะฝะพ ะดะพะฑะฐะฒะธัั groups ะบะพัะพััะต ะผั ะทะฐะผะฐะฟะธะปะธ
scopes: ["openid", "profile", "email", "offline_access"]
redirectURL: "https://gangway.example.org/callback"
# ะะผั ะบะปะธะตะฝัะฐ
clientID: "kubernetes"
# ะกะตะบัะตั
clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# ะัะปะธ ะพััะฐะฒะธัั ะดะตัะพะปัะฝะพะต ะทะฝะฐัะฝะธะต, ัะพ ะทะฐ ะธะผั ะฟะพะปัะทะพะฒะฐัะตะปั ะฑัะดะตั ะฑัะฐััั <b>Frist name</b> <b>Second name</b>, ะฐ ะฟัะธ "sub" ะตะณะพ ะปะพะณะธะฝ
usernameClaim: "sub"
# ะะพะผะตะฝะฝะพะต ะธะผั ะธะปะธ IP ะฐะดัะตัั API ัะตัะฒะตัะฐ
apiServerURL: "https://192.168.99.111:8443"
# ะะบะปััะฐะตะผ Ingress
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
path: /
hosts:
- gangway.example.org
tls:
- secretName: tls-keycloak
hosts:
- gangway.example.org
# ะัะปะธ ะธัะฟะพะปัะทัะตะผ ัะฐะผะพะฟะพะดะฟะธัะฐะฝะฝัะน ัะตััะธัะธะบะฐั, ัะพ ะตะณะพ(ะพัะบััััะน ะบะพัะฝะตะฒะพะน ัะตััะธัะธะบะฐั) ะฝะฐะดะพ ัะบะฐะทะฐัั.
trustedCACert: |-
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwHhcNMjAwMjE0MDkxODAwWhcNMzAwMjE0MDkxODAwWjA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyP749PqqIRwNSqaK6qr0Zsi03G4PTCUlgaYTPZuMrwUVPK8xX2dWWs9MPRMOdXpgr8aSTZnVfmelIlVz4D7o2vK5rfmAe9GPcK0WbwKwXyhFU0flS9sU/g46ogHFrk03SZxQAeJhMLfEmAJm8LF5HghtGDs3t4uwGsB95o+lqPLiBvxRB8ZS3jSpYpvPgXAuZWKdZUQ3UUZf0X3hGLp7uIcIwJ7i4MduOGaQEO4cePeEJy9aDAO6qV78YmHbyh9kaW+1DL/Sgq8NmTgHGV6UOnAPKHTnMKXl6KkyUz8uLBGIdVhPxrlzG1EzXresJbJenSZ+FZqm3oLqZbw54Yp5hAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHISTOU/6BQqqnOZj+1xJfxpjiG0MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAj7HC8ObibwOLT4ZYmISJZwub9lcE0AZ5cWkPW39j/syhdbbqjK/6jy2D3WUEbR+s1Vson5Ov7JhN5In2yfZ/ByDvBnoj7CP8Q/ZMjTJgwN7j0rgmEb3CTZvnDPAz8Ijw3FP0cjxfoZ1Z0V2F44Ry7gtLJWr06+MztXVyto3aIz1/XbMQnXYlzc3c3B5yUQIy44Ce5aLRVsAjmXNqVRmDJ2QPNLicvrhnUJsO0zFWI+zZ2hc4Ge1RotCrjfOc9hQY63jZJ17myCZ6QCD7yzMzAob4vrgmkD4q7tpGrhPY/gDcE+lUNhC7DO3l0oPy2wsnT2TEn87eyWmDiTFG9zWDew==
-----END CERTIFICATE-----
ื ืจืื ืืื. ืืืคืฉืจ ืื ืืืืจืื ืืื ืืช ืงืืืฅ ืืชืฆืืจื ืืืืฆืืจ ืืืชื ืืืืฆืขืืช ืกื ืคืงืืืืช:
ืืงืืจ: www.habr.com