Authentication in Kubernetes using GitHub OAuth and Dex

Here is a tutorial on granting access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

[Image: local meme from the Russian-speaking Kubernetes Telegram chat]

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster, both to the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes has no built-in user management or identity provider: the API server can validate certificates and tokens, but the users behind them have to come from somewhere else, so we use third-party tools for this.

In this setup we use:

  • dex-k8s-authenticator - a web application that generates the kubectl configuration for the user
  • Dex - an OpenID Connect provider
  • GitHub - simply because we use GitHub at our company

We tried Google OIDC first, but unfortunately could not get it working with groups, so the GitHub integration suited us better. Without group mapping it is impossible to write group-based RBAC policies; you would have to bind every user individually.

So, here is how the authentication and authorization process works, in a visual representation:

[Image: the authorization process]

In more detail, step by step:

  1. The user opens dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator redirects the request to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub authenticates the user and returns the required authorization information (identity, organization and team membership) to Dex
  5. Dex redirects back to dex-k8s-authenticator, which exchanges the authorization code for tokens
  6. The user receives an OIDC ID token issued and signed by Dex (GitHub itself only speaks OAuth 2.0; Dex turns the GitHub data into an OIDC token carrying the email and groups claims)
  7. dex-k8s-authenticator renders the token into a kubeconfig snippet
  8. kubectl sends the token to kube-apiserver with every request
  9. kube-apiserver verifies the token signature against the keys Dex publishes, checks issuer, audience and expiry, maps the email and groups claims to a username and groups, and authorizes the request with RBAC
  10. The user gets access through kubectl
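As an added illustration of steps 8 and 9 (this is example code written for this page, not code from the article, Dex or Kubernetes): the checks kube-apiserver applies to the ID token before any RBAC rule is consulted, using the kops settings from the configuration section further down. Because real Dex tokens are RS256-signed and verified against the key set Dex publishes under its issuer URL, the demo signs with HS256 and a shared key so that it runs offline; the sample claims, the key and the user dev@example.com are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Settings from the article's kubeAPIServer section.
OIDC_ISSUER_URL = "https://dex.k8s.example.com/"
OIDC_CLIENT_ID = "dex-k8s-authenticator"  # equals the staticClients id in the Dex config
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"

# Assumption: a shared HS256 key stands in for Dex's RS256 signing key.
DEMO_KEY = b"demo-only-shared-secret"

# Constructed sample claims, shaped like what Dex's GitHub connector emits for a
# member of team-red in super-org (not captured from a real cluster).
SAMPLE_CLAIMS = {
    "iss": OIDC_ISSUER_URL,
    "aud": OIDC_CLIENT_ID,
    "sub": "demo-subject",
    "iat": 1_700_000_000,
    "exp": 1_700_086_400,  # iat + the 24h idTokens expiry from the Dex config
    "email": "dev@example.com",
    "email_verified": True,
    "groups": ["super-org:team-red"],
}
NOW = 1_700_003_600  # one hour after iat


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (header.payload.signature) as an issuer would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_and_map(token: str, now: int, key: bytes = DEMO_KEY) -> Tuple[str, List[str]]:
    """Return (username, groups), or raise ValueError (a 401 from the apiserver)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # production: RS256 against Dex's JWKS; never "none"
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))

    # Exact string comparison: "https://dex.k8s.example.com" without the slash fails here.
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: %r" % aud)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or without exp")

    username = claims.get(OIDC_USERNAME_CLAIM)
    if not isinstance(username, str) or not username:
        raise ValueError("missing %s claim" % OIDC_USERNAME_CLAIM)
    # With the email claim, an explicit email_verified=false is refused.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        raise ValueError("email not verified")
    # No oidcUsernamePrefix/oidcGroupsPrefix configured: values are used verbatim.
    groups = claims.get(OIDC_GROUPS_CLAIM, [])
    if isinstance(groups, str):  # a single group may arrive as a bare string
        groups = [groups]
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim must be a string or list of strings")
    return username, list(groups)


def try_login(claims: dict, now: int = NOW, key: bytes = DEMO_KEY) -> Tuple[bool, Optional[str], Optional[List[str]]]:
    """Mint a token for the claims with `key` and check it with the apiserver's key."""
    try:
        user, groups = validate_and_map(mint_demo_token(claims, key), now)
        return True, user, groups
    except ValueError as err:
        return False, str(err), None


if __name__ == "__main__":
    print(try_login(SAMPLE_CLAIMS))
    print(try_login(dict(SAMPLE_CLAIMS, iss="https://dex.k8s.example.com")))  # slash dropped
    print(try_login(SAMPLE_CLAIMS, key=b"attacker-key"))  # forged signature
```

The issuer comparison is the reason the article insists on the trailing slash: the `issuer` in the Dex config, `oidcIssuerURL` in kops and the `iss` claim in every token must be byte-for-byte identical, or every login ends in a 401. The audience check is why `oidcClientID` must equal the Dex `staticClients` id.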

Preparation

We assume a Kubernetes cluster is already installed (k8s.example.com) with HELM set up, and that we have a GitHub organization (super-org).
If you do not have HELM yet, installing it is straightforward.

First we need to set up GitHub.

Go to the organization's settings page (https://github.com/organizations/super-org/settings/applications) and register a new OAuth App:
[Image: creating a new application on GitHub]

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the URLs: GitHub compares the registered callback URL exactly with the redirectURI that Dex sends, so a missing or extra trailing slash breaks the login.

Once the form is submitted, GitHub generates a Client ID and a Client secret. Store them in a safe place, such as a secrets manager; they are needed in a moment:

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, and TLS certificates for the ingress.

Create the TLS certificates with cert-manager:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

A ClusterIssuer named le-clusterissuer should already exist; if it does not, install cert-manager with HELM and create one:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

Configuring kube-apiserver

For kube-apiserver to accept Dex tokens, configure its OIDC settings and roll the cluster:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator   # must equal the staticClients id in the Dex config
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/   # must equal Dex's issuer byte for byte, trailing slash included
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy the cluster, but the same settings apply with other cluster managers: they map directly to the kube-apiserver flags --oidc-issuer-url, --oidc-client-id, --oidc-username-claim and --oidc-groups-claim.

Configuring Dex and dex-k8s-authenticator

dex-k8s-authenticator needs the cluster CA certificate so that the kubeconfig it generates can verify the API server, and the Dex values file below also takes the CA key for the TLS pair. Both live on the Kubernetes master; fetch them from there:

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Keep in mind what that key is: anyone who can read the Dex values file, or the secret created from it, can sign client certificates that the API server trusts for any user, including system:masters. Restrict access to that file and secret accordingly, or give Dex a certificate issued for dex.k8s.example.com instead; dex-k8s-authenticator itself only needs the certificate (k8s_ca_pem), never the key.

Clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using values files, we can flexibly configure the variables for the HELM charts.

Describe the configuration for Dex. The heredoc is quoted so that the shell leaves $GITHUB_CLIENT_ID and $GITHUB_CLIENT_SECRET alone; Dex expands them itself from the environment that envSecrets populates in the pod:

cat << 'EOF' > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug   # verbose; lower to info once the flow works
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]   # dex-k8s-authenticator uses the code flow; "token"/"id_token" only enable the implicit flow
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase   # replace with a long random value; the same value goes into values-auth.yml
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

And for dex-k8s-authenticator (client_id and client_secret must match the staticClients entry in the Dex config, and redirect_uri must match its redirectURIs exactly):

cat << 'EOF' > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Check that both services answer (Dex should return 400 on /callback, since the request carries no OAuth state, and dex-k8s-authenticator should return 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

Create a ClusterRole for the group. Ours is read-only, except for the last rule, which allows creating pods/exec, that is, opening a shell in any pod. Note also that secrets are not in the resource list, which is what keeps a read-all role from handing every team member every credential in the cluster:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Now create the ClusterRoleBinding that ties the GitHub team to that role. Dex's GitHub connector reports teams in the groups claim as "org:team", which is why the group is named super-org:team-red. subjects is a list, Group subjects need apiGroup, and a ClusterRoleBinding is cluster-scoped, so it carries no namespace:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: "super-org:team-red"
EOF
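To see exactly what the role and binding above grant, here is a small model of the RBAC authorizer (added example code written for this page, not from the article or from Kubernetes) that transcribes the cluster-read-all rules and the dex-cluster-auth binding into Python and evaluates requests for a user whose token carried the group super-org:team-red. It follows Kubernetes RBAC matching (exact or "*" match on verb, apiGroup and resource; subresources spelled "pods/exec"; nonResourceURLs with a trailing "*" as a prefix) but ignores namespaced RoleBindings and the default system bindings; the user dev@example.com is constructed.

```python
from typing import Dict, List, NamedTuple

# Transcription of the ClusterRole cluster-read-all (three rules).
CLUSTER_READ_ALL: Dict = {
    "rules": [
        {
            "apiGroups": ["", "apps", "autoscaling", "batch", "extensions", "policy",
                          "rbac.authorization.k8s.io", "storage.k8s.io"],
            "resources": ["componentstatuses", "configmaps", "cronjobs", "daemonsets",
                          "deployments", "events", "endpoints", "horizontalpodautoscalers",
                          "ingress", "ingresses", "jobs", "limitranges", "namespaces", "nodes",
                          "pods", "pods/log", "pods/exec", "persistentvolumes",
                          "persistentvolumeclaims", "resourcequotas", "replicasets",
                          "replicationcontrollers", "serviceaccounts", "services",
                          "statefulsets", "storageclasses", "clusterroles", "roles"],
            "verbs": ["get", "watch", "list"],
        },
        {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ]
}

# Transcription of the ClusterRoleBinding dex-cluster-auth.
DEX_CLUSTER_AUTH: Dict = {
    "roleRef": "cluster-read-all",
    "subjects": [{"kind": "Group", "name": "super-org:team-red"}],
}

CLUSTER_ROLES = {"cluster-read-all": CLUSTER_READ_ALL}
CLUSTER_ROLE_BINDINGS = [DEX_CLUSTER_AUTH]


class Request(NamedTuple):
    """What a kubectl HTTP call becomes after the apiserver parses the URL."""
    verb: str                 # get, list, watch, create, delete, ...
    api_group: str = ""       # "" is the core group (pods, secrets, ...)
    resource: str = ""
    subresource: str = ""     # e.g. "exec" for POST .../pods/NAME/exec
    path: str = ""            # set instead of resource for /healthz, /version, ...


def _matches(wanted: str, allowed: List[str]) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Dict, req: Request) -> bool:
    """One PolicyRule against one request, with Kubernetes' wildcard semantics."""
    if not _matches(req.verb, rule.get("verbs", [])):
        return False
    if req.path:  # non-resource request
        return any(u == "*" or u == req.path or (u.endswith("*") and req.path.startswith(u[:-1]))
                   for u in rule.get("nonResourceURLs", []))
    if not _matches(req.api_group, rule.get("apiGroups", [])):
        return False
    resources = rule.get("resources", [])
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    return ("*" in resources or combined in resources
            or (bool(req.subresource) and f"*/{req.subresource}" in resources))


def subject_matches(subject: Dict, user: str, groups: List[str]) -> bool:
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False


def authorize(user: str, groups: List[str], req: Request) -> bool:
    """RBAC is allow-only: the request passes if any rule of any bound role matches."""
    for binding in CLUSTER_ROLE_BINDINGS:
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        role = CLUSTER_ROLES.get(binding["roleRef"])
        if role and any(rule_allows(rule, req) for rule in role["rules"]):
            return True
    return False  # what kubectl reports as "Forbidden"


if __name__ == "__main__":
    dev, red = "dev@example.com", ["super-org:team-red"]
    print("get pods    ", authorize(dev, red, Request("get", "", "pods")))
    print("delete pods ", authorize(dev, red, Request("delete", "", "pods")))
    print("exec        ", authorize(dev, red, Request("create", "", "pods", "exec")))
    print("get secrets ", authorize(dev, red, Request("get", "", "secrets")))
```

Against the live cluster, `kubectl auth can-i delete pods --as=dev@example.com --as-group=super-org:team-red` asks the same question. Two things the model makes obvious: a user whose token lacks the group gets nothing at all, since RBAC has no deny rules and the binding is the only grant; and pods/exec create is a write-level privilege inside every container in the cluster, so it belongs in the role only as a deliberate decision.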

Now we are ready to test.

Testing

Open the login page (https://login.k8s.example.com) and sign in with your GitHub account:

[Image: the login page]

[Image: the login page redirects to GitHub]

[Image: follow the generated instructions to obtain access]

After copy-pasting the generated commands from the web page into a terminal, kubectl can be used against the cluster:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: members of the team-red team in our GitHub organization can view resources and exec into pods, but have no rights to change anything.

Source: www.habr.com
