Authentication in Kubernetes using GitHub OAuth and Dex

This is a tutorial on granting users access to a Kubernetes cluster with Dex, dex-k8s-authenticator and GitHub.

(Image: from the Russian-speaking Kubernetes chat in Telegram)

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster both through the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes has no built-in user authentication, so we use third-party tools for this.

In this setup we use:

  • dex-k8s-authenticator - a web application that generates a kubectl config
  • dex - an OpenID Connect provider
  • GitHub - simply because we use GitHub in our company

We tried Google OIDC, but unfortunately we could not get it to work with groups, so integration with GitHub suited us well. Without group mapping it is impossible to create group-based RBAC policies.

So, schematically, this is how our Kubernetes authorization process works:

(Image: Authorization process)

In a little more detail, step by step:

  1. The user logs in to dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub generates the required information and returns it to Dex
  5. Dex passes the information on to dex-k8s-authenticator
  6. The user receives an OIDC token for the GitHub identity
  7. dex-k8s-authenticator adds the token to the kubeconfig
  8. kubectl passes the token to the KubeAPIServer
  9. The KubeAPIServer grants kubectl access according to the token it received
  10. The user gets access through kubectl

Preparatory steps

We assume that a Kubernetes cluster (k8s.example.com) is already installed and that Helm is set up on it. We also have an organization on GitHub (super-org).
If you do not have these, setting them up is very simple.

First we need to configure GitHub.

Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
(Image: New application in GitHub)

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the links: it is important not to lose the slashes, because the callback URL is compared exactly.

After the form is submitted, GitHub generates a Client ID and a Client secret; keep them in a safe place, as we will need them later (we store them in a secrets store, for example):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

A ClusterIssuer named le-clusterissuer should already exist; if it does not, create one using Helm:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

KubeAPIServer configuration

For the kube-apiserver to accept these tokens, you need to configure OIDC on it and roll out the cluster update:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy clusters, but the same settings apply to other cluster managers.

Configuring Dex and dex-k8s-authenticator

For Dex to work, you need the certificate and key of the Kubernetes master; let's fetch them from there:

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Let's clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using values files, we can flexibly set the variables for our Helm charts.

Let's describe the Dex configuration:

cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

and for dex-k8s-authenticator:

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Let's check that the services are up (Dex should return code 400 on a bare callback request, and dex-k8s-authenticator should return code 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

We create a ClusterRole for the group, in our case with read-only access:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Let's create the ClusterRoleBinding configuration:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  # subjects is a list; the group name is "<org>:<team>", as Dex's GitHub connector emits it
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "super-org:team-red"
EOF
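To make the link between the kubeAPIServer OIDC settings above and this RBAC binding concrete, here is an added example (not part of the original article) that replays, in Python, what the API server does with a verified ID token: exact issuer match, audience check, expiry, then mapping the email and groups claims to a user, followed by an RBAC decision against a subset of the cluster-read-all rules bound to super-org:team-red. The token claims are constructed sample data; signature verification against Dex's JWKS is assumed to have already happened.

```python
import time

# Settings mirrored from the kops kubeAPIServer block in this article.
OIDC_ISSUER_URL = "https://dex.k8s.example.com/"  # the trailing slash is part of the match
OIDC_CLIENT_ID = "dex-k8s-authenticator"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"

# Subset of the cluster-read-all ClusterRole: (resources, verbs) rule tuples,
# bound to the GitHub team group exactly as the ClusterRoleBinding does.
CLUSTER_READ_ALL = [
    ({"pods", "pods/log", "pods/exec", "deployments", "services"}, {"get", "watch", "list"}),
    ({"pods/exec"}, {"create"}),
]
BINDINGS = {"super-org:team-red": CLUSTER_READ_ALL}

# Constructed sample claims, shaped like a Dex ID token for a GitHub user in team-red.
# Dex's GitHub connector reports team membership as "<org>:<team>".
SAMPLE_CLAIMS = {
    "iss": "https://dex.k8s.example.com/",
    "aud": "dex-k8s-authenticator",
    "exp": 1_600_086_400,
    "email": "user@example.com",
    "groups": ["super-org:team-red"],
}


def authenticate(claims, now=None):
    """Map already-verified ID-token claims to a Kubernetes user, as the OIDC authenticator does."""
    now = time.time() if now is None else now
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError("issuer mismatch: the issuer string (including any trailing slash) must match exactly")
    aud = claims.get("aud")
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if OIDC_USERNAME_CLAIM not in claims:
        raise ValueError("missing username claim")
    return {"username": claims[OIDC_USERNAME_CLAIM], "groups": list(claims.get(OIDC_GROUPS_CLAIM, []))}


def authorize(user, verb, resource):
    """RBAC decision: allowed only if some rule bound to one of the user's groups matches."""
    for group in user["groups"]:
        for resources, verbs in BINDINGS.get(group, []):
            if resource in resources and verb in verbs:
                return True
    return False
```

Run with a clock of 1_600_000_000: the sample user can get pods and create pods/exec but cannot delete pods, which is exactly the Forbidden error shown in the test section, and a token whose issuer lacks the trailing slash is rejected before any RBAC check.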

Now we are ready to test.

Testing

Go to the login page (https://login.k8s.example.com) and log in with your GitHub account:

(Image: Login page)

(Image: Redirect to the GitHub login page)

(Image: Follow the generated access instructions)

After copying the generated commands from the web page, we can use kubectl to manage the resources of our cluster:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: all GitHub users in our organization's team can view resources and pod logs, but have no rights to change them.

Source: www.habr.com