Authenticating to Kubernetes with GitHub OAuth and Dex

This is a tutorial on granting access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

[Image: local memes from the Russian-speaking Kubernetes Telegram chat]

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster, both the dashboard and kubectl. Unlike OpenShift, vanilla Kubernetes has no built-in user authentication, so we use third-party tools for this.

In this setup we use:

  • dex-k8s-authenticator — a web application that generates a kubectl config
  • dex — an OpenID Connect provider
  • GitHub — because we use GitHub in our company

We tried Google OIDC first, but could not get it to work with groups, so the GitHub integration suited us better. Without group mapping it is impossible to build RBAC policies on top of groups.

So, here is how our Kubernetes authorization flow looks as a diagram:

[Image: the authorization flow]

In a little more detail, step by step:

  1. The user logs in to dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub generates the required authorization data and returns it to Dex
  5. Dex passes the received data to dex-k8s-authenticator
  6. The user receives an OIDC token derived from the GitHub login
  7. dex-k8s-authenticator adds the token to the kubeconfig
  8. kubectl sends the token to the KubeAPIServer
  9. The KubeAPIServer grants access to kubectl based on the token it received
  10. The user works with the cluster through kubectl

Preparation

Naturally, we already have a Kubernetes cluster (k8s.example.com) with HELM installed. We also have a GitHub organization (super-org).
If you do not have HELM, installing it is very simple.

First we need to set up GitHub.

Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
[Image: creating a new application on GitHub]

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the links: it is important not to lose the slash.

In response to the completed form, GitHub generates a Client ID and a Client secret; keep them somewhere safe, they will be needed later (for example, we use Vault to store secrets):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

A ClusterIssuer named le-clusterissuer should already exist; if it does not, create it using HELM:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

KubeAPIServer configuration

For the kubeAPIServer to accept these tokens, you need to configure OIDC and update the cluster:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy the cluster, but this works the same way with other cluster managers.

Configuring Dex and dex-k8s-authenticator

For Dex to work, you need the certificate and key from the Kubernetes master; let's fetch them from there:
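The API server only accepts an ID token whose claims line up with the flags above: the `iss` claim must equal oidcIssuerURL byte for byte (including the trailing slash), `aud` must contain oidcClientID, and the username and groups claims must be present. The following checker, an added example that is not part of the original article, decodes a token's payload and reports every mismatch; the constructed unsigned token and `make_unsigned_token` helper are for demonstration only.

```python
import base64
import json
import time

# Settings copied from the kubeAPIServer block of the kops cluster spec above.
APISERVER_OIDC = {
    "oidcIssuerURL": "https://dex.k8s.example.com/",
    "oidcClientID": "dex-k8s-authenticator",
    "oidcUsernameClaim": "email",
    "oidcGroupsClaim": "groups",
}

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(id_token):
    """Return the JWT payload WITHOUT verifying the signature. This only inspects
    what Dex put in the token; the API server does the real verification against
    the signing keys Dex publishes at its issuer URL."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_token(id_token, cfg, now=None):
    """Return the reasons the API server would reject or mis-map this token.
    An empty list means every flag in cfg is satisfied."""
    claims = decode_claims(id_token)
    problems = []
    # Issuer comparison is exact: "https://dex.k8s.example.com" (no slash) fails.
    if claims.get("iss") != cfg["oidcIssuerURL"]:
        problems.append("iss %r != %r" % (claims.get("iss"), cfg["oidcIssuerURL"]))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if cfg["oidcClientID"] not in aud:
        problems.append("aud %r does not contain %r" % (aud, cfg["oidcClientID"]))
    if not claims.get(cfg["oidcUsernameClaim"]):
        problems.append("username claim %r missing" % cfg["oidcUsernameClaim"])
    if not isinstance(claims.get(cfg["oidcGroupsClaim"]), list):
        problems.append("groups claim %r missing or not a list" % cfg["oidcGroupsClaim"])
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems

def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT (alg=none) so the checker can be run offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none"}), enc(claims))
```

To check a real token, pass the `id-token` value from the `auth-provider` section that dex-k8s-authenticator writes into your kubeconfig.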

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using values files, we can set the variables for our HELM charts.

Let's describe the configuration for Dex:

cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

And for dex-k8s-authenticator:

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Check that the services are up (Dex should return code 400, and dex-k8s-authenticator should return code 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

We create a ClusterRole for the group; in our case it grants read-only access:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Now let's create the ClusterRoleBinding:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  # subjects is a list; the group name is "<org>:<team>" as emitted by Dex's GitHub connector
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "super-org:team-red"
EOF
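To see what the ClusterRole and ClusterRoleBinding above actually grant a member of super-org:team-red before handing out logins, the following added example (not part of the original article) replays the role's rules in Python against the requests a reviewer would ask about. Note the third rule: `create` on `pods/exec` lets a member run commands inside containers, so the role is read-only for API objects but not for the workloads themselves. The evaluator is a simplified model of RBAC (no `pods/*` subresource wildcards, no resourceNames); on a live cluster the authoritative check is `kubectl auth can-i <verb> <resource> --as=<user> --as-group=super-org:team-red`.

```python
# The rules of the cluster-read-all ClusterRole above, copied as Python data
# (constructed for this example, not read from the cluster).
READ_ONLY_RULES = [
    {"apiGroups": ["", "apps", "autoscaling", "batch", "extensions", "policy",
                   "rbac.authorization.k8s.io", "storage.k8s.io"],
     "resources": ["componentstatuses", "configmaps", "cronjobs", "daemonsets",
                   "deployments", "events", "endpoints", "horizontalpodautoscalers",
                   "ingress", "ingresses", "jobs", "limitranges", "namespaces",
                   "nodes", "pods", "pods/log", "pods/exec", "persistentvolumes",
                   "persistentvolumeclaims", "resourcequotas", "replicasets",
                   "replicationcontrollers", "serviceaccounts", "services",
                   "statefulsets", "storageclasses", "clusterroles", "roles"],
     "verbs": ["get", "watch", "list"]},
    {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]
# The ClusterRoleBinding above maps one GitHub team; Dex emits groups as "org:team".
BINDINGS = {"super-org:team-red": ["cluster-read-all"]}
ROLES = {"cluster-read-all": READ_ONLY_RULES}

def _matches(allowed, value):
    """RBAC list matching: '*' is a wildcard, otherwise an exact string match."""
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, api_group, resource):
    """Does one PolicyRule permit verb on apiGroup/resource? Resource rules only."""
    if "resources" not in rule:  # nonResourceURLs rules never match API resources
        return False
    return (_matches(rule["verbs"], verb) and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))

def can_i(groups, verb, resource, api_group=""):
    """Approximate the API server's decision for a user whose ID token carries `groups`.
    RBAC is allow-only: the first matching rule grants, otherwise the request is denied."""
    for group in groups:
        for role_name in BINDINGS.get(group, []):
            if any(rule_allows(r, verb, api_group, resource) for r in ROLES[role_name]):
                return True
    return False

def audit(groups):
    """The questions a reviewer of this role would ask, answered as a dict."""
    return {
        "get pods": can_i(groups, "get", "pods"),
        "delete pods": can_i(groups, "delete", "pods"),            # the Forbidden error seen in the tests
        "get secrets": can_i(groups, "get", "secrets"),            # secrets are not in the list
        "create pods/exec": can_i(groups, "create", "pods/exec"),  # shell into containers is allowed
    }
```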

Now we are ready to test.

Testing

Open the login page (https://login.k8s.example.com) and sign in with your GitHub account:

[Image: the login page]

[Image: the login page redirecting to GitHub]

[Image: follow the generated instructions to get access]

After copy-pasting the generated config from the web page, we can use kubectl to work with our cluster resources:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: every GitHub user in our organization can view resources and open a shell in pods, but has no rights to change them.
