A short tutorial on using Keycloak to connect Kubernetes to your LDAP server and to set up import of users and groups. This lets you configure RBAC for your users and put an auth proxy in front of the Kubernetes Dashboard and other applications that have no way to authenticate users themselves.
Keycloak installation
Let's assume you already have an LDAP server. It might be Active Directory, FreeIPA, OpenLDAP or something else. If you don't have an LDAP server, you can in principle create users directly in the Keycloak interface, or use public oidc providers (Google, Github, Gitlab); the result will be almost the same.
First of all, Keycloak itself needs to be installed; this can be done either as a standalone installation or directly into the Kubernetes cluster. As a rule, if you have several Kubernetes clusters, a standalone installation is simpler. On the other hand, you can always use
To store Keycloak data you need a database. The default is h2 (all data is stored locally), but you can also use postgres, mysql or mariadb.
If you do decide to install Keycloak separately, you will find more detailed instructions in
Federation setup
First, let's create a new realm. A Realm is the space of our application. Each application can have its own realm with different users and authentication settings. The master realm is used by Keycloak itself, and using it for anything else is a mistake.
Click Add realm
Option               Value
Name                 kubernetes
Display name         Kubernetes
HTML Display name    <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >
By default, Kubernetes checks whether the user's email has been verified or not. Since we use our own LDAP server, this check will almost always return false. Let's remove the mapper that presents this flag to Kubernetes:
Client Scopes -> email -> Mappers -> email verified (Delete)
Now let's set up federation; to do this, go to:
User Federation -> Add provider... -> ldap
Here is an example configuration for FreeIPA:

Option                           Value
Console Display Name             freeipa.example.org
Vendor                           Red Hat Directory Server
UUID LDAP attribute              ipauniqueid
Connection URL                   ldaps://freeipa.example.org
Users DN                         cn=users,cn=accounts,dc=example,dc=org
Bind DN                          uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential                  <password>
Allow Kerberos authentication    on
Kerberos Realm                   EXAMPLE.ORG
Server Principal                 HTTP/[email protected]
KeyTab                           /etc/krb5.keytab
The keycloak-svc user must be created on our LDAP server in advance.
For Active Directory, simply select Vendor: Active Directory and fill in the required settings in the form.
Click Save
Now go to:
User Federation -> freeipa.example.org -> Mappers -> First Name

Option            Value
Ldap attribute    givenName
Now we can enable group mapping:
User Federation -> freeipa.example.org -> Mappers -> Create

Option                           Value
Name                             groups
Mapper Type                      group-ldap-mapper
LDAP Groups DN                   cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy    GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
This completes the federation setup; let's move on to configuring the client.
Client setup
Let's create a new client (an application that will receive users from Keycloak). Go to:
Clients -> Create

Option                 Value
Client ID              kubernetes
Access Type            confidential
Root URL               http://kubernetes.example.org/
Valid Redirect URIs    http://kubernetes.example.org/*
Admin URL              http://kubernetes.example.org/
We also create a scope for groups:
Client Scopes -> Create

Option             Value
Template           No template
Name               groups
Full group path    false
And set up a mapper for it:
Client Scopes -> groups -> Mappers -> Create

Option              Value
Name                groups
Mapper Type         Group membership
Token Claim Name    groups
Now we need to enable the group mapping in our client:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and click Add selected.
Now let's set up authentication for our application; go to:
Clients -> kubernetes

Option                   Value
Authorization Enabled    ON
Click Save. This completes the client setup; now, on the tab Clients -> kubernetes -> Credentials, you can obtain the Secret that we will use later.
Configuring Kubernetes
Setting up Kubernetes for OIDC authentication is fairly trivial and not difficult at all. All you need is to place the CA certificate of your OIDC server into /etc/kubernetes/pki/oidc-ca.pem and add the required options to kube-apiserver.
To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all your masters:
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
    ...
We also need to update the kubeadm config in the cluster so that these settings are not lost during an upgrade:
kubectl edit -n kube-system configmaps kubeadm-config

...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
The Kubernetes setup is complete. You can repeat these steps across all your Kubernetes clusters.
Initial authorization
After these steps you will have a Kubernetes cluster with OIDC authorization configured. The only problem is that your users have neither a configured client nor their own kubeconfig yet. To solve this, you need to arrange automatic issuance of a kubeconfig to users after successful authentication.
To do this you can use dedicated web applications that authenticate the user and hand out a ready-made kubeconfig. One of the most convenient is
To configure Kuberos, it is enough to describe the kubeconfig template and run it with the following parameters:
kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template
For more details, see
You can also use
You can check the kubeconfig on the site by copying the value of users[].user.auth-provider.config.id-token from your kubeconfig into the form on the site; the decoded token is shown immediately.
RBAC setup
When configuring RBAC, you can refer both to the user name (the name field in the jwt token) and to the user's groups (the groups field in the jwt token). Here is an example of granting permissions to the group kubernetes-default-namespace-admins:
kubernetes-default-namespace-admins.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins
More RBAC examples can be found in
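To make the path from Keycloak claims to an RBAC subject concrete, here is an added Python example (not code from the original article or from Keycloak/Kubernetes) that applies the same claim rules kube-apiserver enforces under the flags configured above: issuer, audience, the username claim (email here, so a present-but-false email_verified rejects the token, which is why the "Email verified" mapper was deleted), and the groups claim, then checks the result against the RoleBinding's subjects. It also shows why "Full group path: false" matters, since a group of /kubernetes-default-namespace-admins would not match the binding. The token is constructed and unsigned; make_token, extract_identity and matches_binding are hypothetical helper names.

```python
import base64
import json

# kube-apiserver flags taken from the manifest on this page.
OIDC_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"
# Subjects of the RoleBinding from the RBAC section.
ROLEBINDING_SUBJECTS = [{"kind": "Group", "name": "kubernetes-default-namespace-admins"}]


def b64url(data: dict) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")

def make_token(claims: dict) -> str:
    """Constructed, UNSIGNED token (hypothetical helper) to exercise the checks."""
    return f"{b64url({'alg': 'none'})}.{b64url(claims)}.sig"

def extract_identity(id_token: str) -> tuple[str, list[str]]:
    """Apply the apiserver's claim rules and return (username, groups).
    Signature verification is intentionally omitted: the real apiserver checks
    it against the issuer's signing keys, trusted through --oidc-ca-file."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise ValueError("iss does not match --oidc-issuer-url")
    aud = claims.get("aud")
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain --oidc-client-id")
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {OIDC_USERNAME_CLAIM} claim")
    # With username claim "email", a present-but-false email_verified rejects the
    # token while an absent one is accepted: hence the page deletes that mapper.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        raise ValueError("email_verified is false")
    groups = claims.get(OIDC_GROUPS_CLAIM, [])
    return username, [groups] if isinstance(groups, str) else list(groups)

def matches_binding(username: str, groups: list[str], subjects=ROLEBINDING_SUBJECTS) -> bool:
    """True if a User or Group subject of the binding names this identity exactly."""
    for s in subjects:
        if s["kind"] == "Group" and s["name"] in groups:
            return True
        if s["kind"] == "User" and s["name"] == username:
            return True
    return False
```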
Auth proxy setup
There is a wonderful project
papatohu-proxy.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP