Connecting ActiveDirectory authorization to Kubernetes via Keycloak

This article was written as an addition to an already existing one, but it covers the specifics of the integration with Microsoft ActiveDirectory and also complements that article.

In this article I will show how to install and configure:

  • keycloak, an open source project that provides a single point of authentication for applications. It works with many protocols; the ones of interest to us are LDAP and OpenID.
  • keycloak gatekeeper, a reverse proxy application that lets you integrate authorization through Keycloak.
  • gangway, an application that generates a config for kubectl with which you can log in and connect to the Kubernetes API via OpenID.

How permissions work in Kubernetes

We can manage user and group rights using RBAC; plenty of articles have already been written about this, so I won't dwell on it in detail. The problem is that RBAC lets you restrict a user's rights, but Kubernetes itself knows nothing about users. So we need a mechanism for delivering users into Kubernetes. To do this, we add an OpenID provider to Kubernetes which will confirm that such a user really exists, and Kubernetes itself will then grant the rights.

Preparation

  • You will need a Kubernetes cluster or minikube
  • Active Directory
  • Domains:
    keycloak.example.org
    kubernetes-dashboard.example.org
    gangway.example.org
  • A certificate for the domains or a self-signed certificate

I won't dwell on how to create a self-signed certificate; you need to create 2 certificates: a root one (the certificate authority) and a wildcard client one for the domain *.example.org.

Once you have the certificate, it must be added to Kubernetes; for this we create a secret for it:

kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem

We will then use it for our Ingress controller.

Installing Keycloak

I decided that the easiest way is to use ready-made solutions for this, namely helm charts.

Add the repository and update it:

helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create a keycloak.yml file with the following content:

keycloak.yml

keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags are needed to allow uploading scripts into Keycloak directly through the web UI.
  # We will need this to fix a bug described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable ingress, specify the host name and the certificate we saved in secrets earlier
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
    - hosts:
        - keycloak.example.org
      secretName: tls-keycloak
  # Keycloak needs a database to work; for testing I deploy Postgresql right inside Kubernetes. Don't do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres

postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true

Setting up federation

Next, go to the web interface at keycloak.example.org

Click Add realm in the left corner

Key             Value
Name            kubernetes
Display name    Kubernetes

Disable user email verification:
Client scopes -> Email -> Mappers -> Email verified (Delete)

We set up federation to import users from ActiveDirectory; I leave the screenshots below, I think that will be clearer.

User federation -> Add provider... -> ldap

(Screenshot: Federation setup)

If everything is fine, then after pressing Synchronize all users you will see a message about the successful import of users.

Next we need to describe our groups

User federation -> ldap_localhost -> Mappers -> Create

(Screenshot: Create mapper)

Setting up the client

We need to create a client; in Keycloak terms this is the application that will be authorized by it. I'll highlight the important points in the screenshot in red.

Clients -> Create

(Screenshot: Client setup)

Let's create a scope for groups:

Client Scopes -> Create

(Screenshot: Create scope)

And set up a mapper for it.

Client Scopes -> groups -> Mappers -> Create

(Screenshot: Mapper)

Add the mapping of our groups to the Default Client Scopes:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select Groups in Available Client Scopes and press Add selected

We get the secret (and write it down) that we will use for authorization in Keycloak:

Clients -> kubernetes -> Credentials -> Secret

This completes the setup, but I hit an error: after successfully logging in, I got a 403 error. Bug report.

Fix:

Client Scopes -> roles -> Mappers -> Create

(Screenshot: Mappers)

Script code

// add current client-id to token audience
token.addAudience(token.getIssuedFor());

// return token issuer as dummy result assigned to iss again
token.getIssuer();

Configuring Kubernetes

We need to tell Kubernetes where our root certificate is located and where the OIDC provider is.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml.

kube-apiserver.yaml


...
spec:
  containers:
  - command:
    - kube-apiserver
...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...

Update the kubeadm config in the cluster:

kubeadm config

kubectl edit -n kube-system configmaps kubeadm-config


...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
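To make the --oidc-* flags above concrete, here is an added example (not code from the article, from Kubernetes or from Keycloak) that models how kube-apiserver turns an OIDC ID token into a Kubernetes user: it checks the signature, compares iss with --oidc-issuer-url, requires --oidc-client-id to be present in aud, checks the expiry, and then reads the claims named by --oidc-username-claim and --oidc-groups-claim. Everything is constructed: the tokens are signed with HS256 and a demo secret so the script runs offline, whereas a real apiserver verifies RS256 signatures against the issuer's published keys. The second token's audience does not include the client id, which is the condition the "add current client-id to token audience" line of the script mapper above addresses.

```python
"""How kube-apiserver maps an OIDC ID token to a user and groups.

Added example; not code from the article, Kubernetes or Keycloak. Tokens are
constructed below and signed with HS256 and a demo secret so the script runs
offline. A real kube-apiserver verifies RS256 signatures against the issuer's
published keys (discovered via --oidc-issuer-url); the claim checks are the same.
"""
import base64
import hashlib
import hmac
import json
import time

# Mirrors the --oidc-* flags from kube-apiserver.yaml in the article.
OIDC_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"

DEMO_SECRET = b"constructed-demo-hmac-secret"  # constructed; stands in for the issuer's key
FIXED_NOW = 1_600_000_000                      # fixed clock so the example is reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Produce a compact JWT (header.payload.signature) for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def authenticate(token: str, now: float = None, secret: bytes = DEMO_SECRET):
    """Return (username, groups) for a valid token, raise ValueError otherwise.

    Signature first, then issuer, audience and expiry, and only then the claims
    that become the Kubernetes user name and group list.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept an alg you did not configure
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if OIDC_CLIENT_ID not in audiences:
        raise ValueError("client id not in audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not isinstance(username, str) or not username:
        raise ValueError(f"claim {OIDC_USERNAME_CLAIM!r} missing")
    # With --oidc-username-claim=email the apiserver uses the value as-is; for other
    # claims it prefixes the issuer URL unless --oidc-username-prefix says otherwise.
    groups = claims.get(OIDC_GROUPS_CLAIM, [])
    groups = [groups] if isinstance(groups, str) else list(groups)
    return username, groups


def check(token: str, now: float = FIXED_NOW):
    """Wrap authenticate() into a tuple that is easy to compare."""
    try:
        username, groups = authenticate(token, now=now)
        return ("accepted", username, groups)
    except ValueError as err:
        return ("rejected", str(err))


_BASE_CLAIMS = {
    "iss": OIDC_ISSUER_URL,
    "sub": "f0e1d2c3-constructed-subject",
    "email": "alice@example.org",  # constructed user
    "groups": ["DataOPS"],         # group name used by the article's RBAC binding
    "iat": FIXED_NOW,
    "exp": FIXED_NOW + 300,
}
# Token as issued once the script mapper has added the client id to the audience.
GOOD_TOKEN = sign_token({**_BASE_CLAIMS, "aud": ["account", "kubernetes"]})
# Token whose audience lacks the client id; the apiserver will not accept it.
NO_AUDIENCE_TOKEN = sign_token({**_BASE_CLAIMS, "aud": "account"})

if __name__ == "__main__":
    print(check(GOOD_TOKEN))         # ('accepted', 'alice@example.org', ['DataOPS'])
    print(check(NO_AUDIENCE_TOKEN))  # ('rejected', 'client id not in audience')
```

The accepted tuple is what RBAC then sees: the user name comes from the email claim and the group list is what a ClusterRoleBinding with kind Group matches against, so a group mapper that does not end up in the token means no rights even though login at Keycloak succeeded.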

Setting up the auth proxy

You can use keycloak gatekeeper to protect your web application. Besides the fact that this reverse proxy authorizes the user before showing the page, it also passes information about the user to the end application in headers. So if your application supports OpenID, the user is authorized immediately. Let's take Kubernetes Dashboard as an example.

Installing Kubernetes Dashboard


helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml

values_dashboard.yaml

enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'

Setting up access rights:

Let's create a ClusterRoleBinding that grants cluster admin rights (the standard ClusterRole cluster-admin) to users in the DataOPS group.


kubectl apply -f rbac.yaml

rbac.yaml


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS

Install keycloak gatekeeper:


helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml

values_proxy.yaml

# Enable ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
   - secretName: tls-keycloak
     hosts:
       - kubernetes-dashboard.example.org

# Where we will authenticate with the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to redirect after successful authorization. Format: <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if ours is self-signed
skipOpenidProviderTlsVerify: true
# Access rules: allow all paths if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"

Then, when we try to open kubernetes-dashboard.example.org, we will be redirected to Keycloak and, after successful authorization, we will land in the Dashboard already logged in.

Installing gangway

For convenience, you can add gangway, which will generate a config file for kubectl with which we will access Kubernetes as our user.


helm install --name gangway stable/gangway -f values_gangway.yaml

values_gangway.yaml

gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory you could add here the groups scope that we mapped
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # If you leave the default value, the username will be "First name Last name"; with "sub" it will be the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"

# Enable Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
  - gangway.example.org
  tls:
  - secretName: tls-keycloak
    hosts:
      - gangway.example.org

# If using a self-signed certificate, it (the public root certificate) must be specified here.
trustedCACert: |-
 -----BEGIN CERTIFICATE-----
 MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwHhcNMjAwMjE0MDkxODAwWhcNMzAwMjE0MDkxODAwWjA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyP749PqqIRwNSqaK6qr0Zsi03G4PTCUlgaYTPZuMrwUVPK8xX2dWWs9MPRMOdXpgr8aSTZnVfmelIlVz4D7o2vK5rfmAe9GPcK0WbwKwXyhFU0flS9sU/g46ogHFrk03SZxQAeJhMLfEmAJm8LF5HghtGDs3t4uwGsB95o+lqPLiBvxRB8ZS3jSpYpvPgXAuZWKdZUQ3UUZf0X3hGLp7uIcIwJ7i4MduOGaQEO4cePeEJy9aDAO6qV78YmHbyh9kaW+1DL/Sgq8NmTgHGV6UOnAPKHTnMKXl6KkyUz8uLBGIdVhPxrlzG1EzXresJbJenSZ+FZqm3oLqZbw54Yp5hAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHISTOU/6BQqqnOZj+1xJfxpjiG0MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAj7HC8ObibwOLT4ZYmISJZwub9lcE0AZ5cWkPW39j/syhdbbqjK/6jy2D3WUEbR+s1Vson5Ov7JhN5In2yfZ/ByDvBnoj7CP8Q/ZMjTJgwN7j0rgmEb3CTZvnDPAz8Ijw3FP0cjxfoZ1Z0V2F44Ry7gtLJWr06+MztXVyto3aIz1/XbMQnXYlzc3c3B5yUQIy44Ce5aLRVsAjmXNqVRmDJ2QPNLicvrhnUJsO0zFWI+zZ2hc4Ge1RotCrjfOc9hQY63jZJ17myCZ6QCD7yzMzAob4vrgmkD4q7tpGrhPY/gDcE+lUNhC7DO3l0oPy2wsnT2TEn87eyWmDiTFG9zWDew==
 -----END CERTIFICATE-----
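The file gangway hands out is a kubeconfig whose user entry uses kubectl's built-in oidc auth-provider. The page does not show gangway's actual output, so the following is an added example (not gangway's code) that builds a kubeconfig of that shape from the values in values_gangway.yaml above; the field names are kubectl's documented oidc auth-provider keys, while the tokens, client secret and certificates are constructed placeholders.

```python
"""Shape of the kubeconfig kubectl needs for OIDC login through Keycloak.

Added example, not gangway's code. Key names are kubectl's 'oidc' auth-provider
keys; every token, secret and certificate below is a constructed placeholder.
"""
import base64
import json

# From values_gangway.yaml in the article.
CLUSTER_NAME = "my-k8s"
API_SERVER_URL = "https://192.168.99.111:8443"
IDP_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
CLIENT_ID = "kubernetes"

# Constructed placeholders; real values come from Keycloak's token endpoint and
# from the CA certificates created in the Preparation section.
DEMO_CLIENT_SECRET = "<client-secret-from-keycloak-credentials-tab>"
DEMO_ID_TOKEN = "<id-token-from-keycloak>"
DEMO_REFRESH_TOKEN = "<refresh-token-from-keycloak>"
DEMO_CLUSTER_CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLUSTER-CA\n-----END CERTIFICATE-----\n"
DEMO_IDP_CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-ROOT-CA\n-----END CERTIFICATE-----\n"


def pem_to_data(pem: str) -> str:
    """kubeconfig carries certificates inline as base64 of the PEM text."""
    return base64.b64encode(pem.encode()).decode()


def build_kubeconfig(username, id_token, refresh_token, client_secret, cluster_ca_pem, idp_ca_pem):
    """Return a kubeconfig dict with one cluster, one OIDC user and one context."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{
            "name": CLUSTER_NAME,
            "cluster": {
                "server": API_SERVER_URL,
                # Pin the API server's CA rather than setting insecure-skip-tls-verify.
                "certificate-authority-data": pem_to_data(cluster_ca_pem),
            },
        }],
        "users": [{
            "name": username,
            "user": {
                "auth-provider": {
                    "name": "oidc",
                    "config": {
                        "client-id": CLIENT_ID,
                        "client-secret": client_secret,
                        "id-token": id_token,
                        # kubectl uses the refresh token to fetch a new id-token when it expires;
                        # that is why the offline_access scope is requested in values_gangway.yaml.
                        "refresh-token": refresh_token,
                        "idp-issuer-url": IDP_ISSUER_URL,
                        # Root CA that signed keycloak.example.org, the same role as trustedCACert.
                        "idp-certificate-authority-data": pem_to_data(idp_ca_pem),
                    },
                }
            },
        }],
        "contexts": [{"name": CLUSTER_NAME, "context": {"cluster": CLUSTER_NAME, "user": username}}],
        "current-context": CLUSTER_NAME,
    }


def demo_kubeconfig():
    """Kubeconfig for the constructed user, as kubectl would load it."""
    return build_kubeconfig(
        "alice@example.org", DEMO_ID_TOKEN, DEMO_REFRESH_TOKEN,
        DEMO_CLIENT_SECRET, DEMO_CLUSTER_CA_PEM, DEMO_IDP_CA_PEM,
    )


if __name__ == "__main__":
    # JSON is valid YAML, so kubectl reads this file as-is via --kubeconfig.
    print(json.dumps(demo_kubeconfig(), indent=2))
```

Two separate CAs appear in the file on purpose: certificate-authority-data under the cluster is the API server's own CA, while idp-certificate-authority-data under the user is the root that signed the Keycloak certificate, which is the same certificate the apiserver receives through --oidc-ca-file and gangway through trustedCACert.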

It looks like this. It lets you download the config file right away, or generate it using a set of commands:

(Screenshot)

Source: www.habr.com
