A short guide to using Keycloak to connect Kubernetes to your LDAP server and set up the import of users and groups. This lets you configure RBAC for your users and put an auth proxy in front of the Kubernetes Dashboard and other applications that have no authentication of their own.
Keycloak installation

Let's assume you already have an LDAP server. It may be Active Directory, FreeIPA, OpenLDAP or anything else. If you don't have an LDAP server, you can create users directly in the Keycloak interface, or use public identity providers (Google, GitHub, GitLab); the result is almost the same.

First of all, let's install Keycloak itself. It can be installed separately or directly into a Kubernetes cluster; as a rule, if you have several Kubernetes clusters, it is easier to install it separately. Alternatively, you can always use

Keycloak needs a database to store its data. The default is h2 (everything is stored locally in a file), but postgres, mysql or mariadb are also possible. h2 is fine for trying things out; for anything users depend on, use an external database that is backed up, because the realm, clients and client secrets live there.

If you still want to install Keycloak separately, you can find more detailed instructions
Federation setup

First, let's create a new realm. A realm is the space of an application: every application can have its own realm with its own users and authentication settings. The master realm is used by Keycloak itself, and using it for anything else is bad practice.

Press Add realm:

Name: kubernetes
Display name: Kubernetes
HTML Display name: <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >

Kubernetes checks by default whether the user's email address is verified: when kube-apiserver takes the username from the email claim, it rejects a token in which an email_verified claim is present and false. Since we will be taking users from our own LDAP server, Keycloak has never verified their addresses, so this claim would almost always be false. We therefore stop Keycloak from putting the claim into the token at all (an absent claim is accepted):

Client scopes -> Email -> Mappers -> email verified (Delete)

Keep in mind what this means: the cluster now trusts the mail attribute from LDAP as the user's identity, so whoever can edit that attribute in the directory can choose which Kubernetes user they become.
Now let's set up the federation itself; for that go to:

User Federation -> Add provider... -> ldap

Here is an example configuration for FreeIPA:

Console Display Name: freeipa.example.org
Vendor: Red Hat Directory Server
UUID LDAP attribute: ipauniqueid
Connection URL: ldaps://freeipa.example.org
Users DN: cn=users,cn=accounts,dc=example,dc=org
Bind DN: uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential: <password>
Allow Kerberos authentication: on
Kerberos Realm: EXAMPLE.ORG
Server Principal: HTTP/<keycloak-host>@EXAMPLE.ORG (the HTTP service principal of the host that runs Keycloak; substitute your own hostname)
KeyTab: /etc/krb5.keytab

The user keycloak-svc must be created in advance in our LDAP server. Give it read-only access: Keycloak only needs to look up users and group membership, and the bind password is stored in Keycloak's database. Note the ldaps:// URL; with plain ldap:// the bind password and every user's password would cross the network in clear text. The keytab must be readable by the Keycloak process only.

In the case of Active Directory, simply select Vendor: Active Directory and the required settings are filled in automatically.

Press Save.
Now go to:

User Federation -> freeipa.example.org -> Mappers -> First Name

LDAP Attribute: givenName

Now let's set up the group mapping:

User Federation -> freeipa.example.org -> Mappers -> Create

Name: groups
Mapper Type: group-ldap-mapper
LDAP Groups DN: cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy: GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE

This mapper is what later turns LDAP groups into the groups claim that Kubernetes RBAC will match on, so every LDAP group under this DN becomes a group name visible to the cluster.

This completes the federation setup; let's move on to configuring the client.
Client setup

Let's create a new client (the application that will receive users from Keycloak). Go to:

Clients -> Create

Client ID: kubernetes
Access Type: confidential
Root URL: http://kubernetes.example.org/
Valid Redirect URIs: http://kubernetes.example.org/*
Admin URL: http://kubernetes.example.org/

Valid Redirect URIs is the security-relevant setting here: Keycloak will send authorization codes only to URLs matching this pattern, so list every application that will log in through this client and avoid wildcards broader than you need.

We also need a scope for groups:

Client Scopes -> Create

Template: No template
Name: groups
Full group path: false

Full group path: false makes the claim carry bare group names (kubernetes-default-namespace-admins) rather than paths (/kubernetes-default-namespace-admins); the RBAC bindings below rely on the bare form.

And set up a mapper for it:

Client Scopes -> groups -> Mappers -> Create

Name: groups
Mapper Type: Group Membership
Token Claim Name: groups

Now we need to enable the group mapping in our client's scope:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes

Select groups in Available Client Scopes and press Add selected.

Now let's configure authorization for our application; go to:

Clients -> kubernetes

Authorization Enabled: ON

Save, and this completes the client configuration. Now on the tab

Clients -> kubernetes -> Credentials

you can get the client secret, which we will use later. Treat it like a password: it is what allows the auth proxy below to exchange authorization codes for tokens.
Configuring Kubernetes

Configuring Kubernetes for OIDC authentication is fairly straightforward. All you need to do is place the CA certificate of your OIDC server (the CA that signed Keycloak's TLS certificate) at /etc/kubernetes/pki/oidc-ca.pem and add the required options to kube-apiserver.

To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all of your control-plane nodes:

...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
    ...

Two things worth checking before you rely on this. First, the issuer URL must match the iss claim in the token exactly; on Keycloak 17 and later (the Quarkus distribution) the default path no longer contains /auth, so the value becomes https://keycloak.example.org/realms/kubernetes. Second, groups from the token are used as-is because no --oidc-groups-prefix is set: an LDAP group that happens to be named system:masters would make its members cluster admins. Setting --oidc-groups-prefix=oidc: (and matching the prefix in your RoleBindings) prevents collisions with the cluster's built-in groups. Likewise, if you ever pick a username claim other than email, the apiserver prefixes usernames with the issuer URL and # unless you set --oidc-username-prefix.

Also update the kubeadm configuration in the cluster, so that these settings are not lost on upgrade (kubeadm regenerates the static pod manifest from ClusterConfiguration):

kubectl edit -n kube-system configmaps kubeadm-config

...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...

This completes the Kubernetes side. You can repeat these steps on all of your Kubernetes clusters.
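What the apiserver actually checks in an ID token under the flags above, including the email_verified behaviour that motivated deleting the mapper in the realm section, as an added Python example. This is not part of the original article and not kube-apiserver's own code: it reproduces the order and outcome of its claim checks on constructed tokens. The tokens are signed with a throwaway HS256 key so that the block runs offline, whereas Keycloak signs with RS256 and a real apiserver verifies against the issuer's JWKS; the constants mirror the --oidc-* values from the manifest above and the user names are made up.

```python
"""Claim checks kube-apiserver applies to an OIDC ID token under the
--oidc-* flags above (added example; constructed data, HS256 test key)."""
import base64
import hashlib
import hmac
import json
import time

# Mirrors of the apiserver flags in the manifest above (assumed values).
ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"
# Throwaway symmetric key so the example runs offline. Keycloak signs with
# RS256 and the apiserver fetches the public keys from the issuer's JWKS.
TEST_KEY = b"constructed-test-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Build an HS256-signed JWT carrying the given claims (test data only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def authenticate(token, key=TEST_KEY, now=None):
    """Return (username, groups) for an acceptable token, else raise
    ValueError with a message in the style of the apiserver's log lines.
    Order: signature, issuer, audience, expiry, username, groups."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("oidc: malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("oidc: verify token: signature mismatch")
    claims = json.loads(_b64url_decode(body))

    if claims.get("iss") != ISSUER_URL:  # --oidc-issuer-url
        raise ValueError("oidc: issuer mismatch")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:  # --oidc-client-id
        raise ValueError("oidc: token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("oidc: token is expired")

    username = claims.get(USERNAME_CLAIM)  # --oidc-username-claim
    if not isinstance(username, str) or not username:
        raise ValueError(f"oidc: claim {USERNAME_CLAIM!r} not set or empty")
    # With the username taken from "email", a present-but-false
    # email_verified claim is fatal; an absent claim is tolerated. That is
    # why the realm section deletes Keycloak's "email verified" mapper.
    if USERNAME_CLAIM == "email" and "email_verified" in claims:
        if claims["email_verified"] is not True:
            raise ValueError("oidc: email not verified")

    groups = claims.get(GROUPS_CLAIM, [])  # --oidc-groups-claim
    if isinstance(groups, str):
        groups = [groups]
    if not all(isinstance(g, str) for g in groups):
        raise ValueError(f"oidc: claim {GROUPS_CLAIM!r} must be a string or list of strings")
    return username, list(groups)


def demo():
    """Run the constructed cases and report how each token fares."""
    now = 1_700_000_000
    base = {"iss": ISSUER_URL, "aud": CLIENT_ID, "exp": now + 300,
            "email": "alice@example.org",
            "groups": ["kubernetes-default-namespace-admins"]}
    cases = {
        "ldap user, mapper deleted": base,
        "mapper kept, email unverified": {**base, "email_verified": False},
        "token for another client": {**base, "aud": "grafana"},
        "expired token": {**base, "exp": now - 1},
    }
    results = {}
    for label, claims in cases.items():
        try:
            results[label] = authenticate(make_test_token(claims), now=now)
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:32} -> {outcome}")
```

Running the block shows the first case accepted as alice@example.org with her group, and the other three rejected with the reason; the second case is exactly what happens if the "email verified" mapper is left in place for LDAP-federated users.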
Configuring authentication

After these steps you already have a Kubernetes cluster with OIDC authentication configured. The only remaining issue is that your users have neither a configured client nor a kubeconfig yet. To solve this, you need to arrange for a kubeconfig to be issued to users after they authenticate successfully.

For this you can use special web applications that let you authenticate, receive a token and then download a kubeconfig. One of the most convenient is Kuberos. To configure Kuberos it is enough to describe a kubeconfig template and run it with the following parameters:

kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template

For more details see

You can also use

In that case it is enough to paste the received id-token into users[].user.auth-provider.config.id-token of your kubeconfig, and it works right away. Remember that an ID token pasted this way is a bearer credential that expires (Keycloak's default access token lifespan is short), so a kubeconfig without a refresh token will stop working until the user logs in again.
RBAC setup

When configuring RBAC you can refer both to the username (with the flags above this is the email claim of the JWT token) and to the user's groups (the groups claim of the JWT token). Here is an example of permissions for the group kubernetes-default-namespace-admins:

kubernetes-default-namespace-admins.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins

Because this is a Role and a RoleBinding rather than their Cluster variants, members of the group get full control over the default namespace and nothing anywhere else. The subject name must match the group name exactly as it appears in the token (which is why Full group path was set to false above).

More examples of RBAC can be found in
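How the groups claim from the token meets this Role/RoleBinding, and why the groups prefix discussed in the Kubernetes section matters, as an added Python example. This is not part of the original article and not the Kubernetes RBAC authorizer; it is a small allow-only evaluator over manifests transcribed into dicts from the YAML above, plus the bootstrap ClusterRoleBinding that ties cluster-admin to Group system:masters in every kubeadm cluster. The user names are made up.

```python
"""Toy RBAC evaluator: how the token's groups meet Role/RoleBinding objects
(added example; manifests transcribed into dicts, names made up)."""

# (kind, namespace, name) -> rules. The Role is the one from the manifest
# above; cluster-admin is the built-in ClusterRole every cluster has.
ROLES = {
    ("Role", "default", "default-admins"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
    ("ClusterRole", None, "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

BINDINGS = [
    {   # RoleBinding from the manifest above: only valid inside "default"
        "kind": "RoleBinding", "namespace": "default",
        "roleRef": ("Role", "default-admins"),
        "subjects": [("Group", "kubernetes-default-namespace-admins")],
    },
    {   # bootstrap ClusterRoleBinding kubeadm installs: cluster-admin for
        # Group system:masters, regardless of where the group name came from
        "kind": "ClusterRoleBinding", "namespace": None,
        "roleRef": ("ClusterRole", "cluster-admin"),
        "subjects": [("Group", "system:masters")],
    },
]


def _matches(patterns, value):
    return any(p in ("*", value) for p in patterns)


def _rule_allows(rule, verb, resource, api_group):
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def groups_seen_by_rbac(token_groups, prefix=""):
    """Apply --oidc-groups-prefix the way the apiserver does: every group
    from the token gets the prefix before authorization sees it."""
    return [prefix + g for g in token_groups]


def can_i(user, groups, verb, resource, namespace, api_group="",
          bindings=BINDINGS, roles=ROLES):
    """RBAC is allow-only: return True on the first binding whose subjects
    cover the user or one of the groups and whose role has a matching rule."""
    for binding in bindings:
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue  # a RoleBinding never reaches into another namespace
        if not any((kind == "User" and name == user) or (kind == "Group" and name in groups)
                   for kind, name in binding["subjects"]):
            continue
        ref_kind, ref_name = binding["roleRef"]
        rules = roles.get((ref_kind, namespace if ref_kind == "Role" else None, ref_name))
        if rules and any(_rule_allows(r, verb, resource, api_group) for r in rules):
            return True
    return False


if __name__ == "__main__":
    alice = ("alice@example.org", ["kubernetes-default-namespace-admins"])
    print("alice create pods in default:", can_i(*alice, "create", "pods", "default"))
    print("alice create pods in kube-system:", can_i(*alice, "create", "pods", "kube-system"))
    ldap_groups = ["system:masters"]  # an LDAP group with an unlucky name
    print("unprefixed system:masters from LDAP:",
          can_i("mallory@example.org", groups_seen_by_rbac(ldap_groups),
                "delete", "pods", "kube-system"))
    print("same with --oidc-groups-prefix=oidc: :",
          can_i("mallory@example.org", groups_seen_by_rbac(ldap_groups, "oidc:"),
                "delete", "pods", "kube-system"))
```

The last two lines of output are the point: without a prefix, an LDAP group named system:masters is cluster-admin the moment the group mapper syncs it; with --oidc-groups-prefix=oidc: the same token yields the harmless group oidc:system:masters, and your own bindings simply reference the prefixed names.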
Setting up the auth proxy

There is a wonderful project, keycloak-gatekeeper, that puts OIDC login in front of an application that has no authentication of its own. Below is an example deployment that protects the Kubernetes Dashboard. Two things to check before applying it: Gatekeeper's callback is <redirection-url>/oauth/callback, so https://kubernetes-dashboard.example.org/oauth/callback must be covered by the client's Valid Redirect URIs (the http://kubernetes.example.org/* pattern from the client section does not cover it); and Keycloak Gatekeeper was later renamed Louketo Proxy and has since reached end of life, so pin the image you deploy and plan for a maintained replacement.

dashboard-proxy.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard-proxy
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        # the secret from Clients -> kubernetes -> Credentials; in a real
        # deployment pass it from a Secret rather than a literal argument
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        # key used to encrypt the session cookie; generate your own random
        # 32-byte value, do not reuse this one
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        # every path requires a logged-in user
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP

The Deployment uses apps/v1 with an explicit selector, since extensions/v1beta1 is no longer served by current clusters. The proxy listens on plain HTTP on port 80 inside the cluster; terminate TLS at the ingress in front of it so that session cookies and tokens never travel unencrypted outside the cluster.
Source: www.habr.com