A tutorial on setting up access to a Kubernetes cluster with Dex, dex-k8s-authenticator and GitHub.
A local meme from the Russian-speaking Kubernetes chat
Introduction
We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster for both the dashboard and kubectl. Unlike OpenShift, vanilla Kubernetes has no native authentication, so we use third-party tools for it.
In this setup we use:
- dex-k8s-authenticator - a web application for generating a kubectl config
- dex - an OpenID Connect provider
- GitHub - because we use GitHub at our company
We tried using Google OIDC, but unfortunately we
So, in pictures, here is how our Kubernetes authentication process works:
Authentication process
A little more detail, point by point:
- The user logs in to dex-k8s-authenticator (login.k8s.example.com)
- dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
- Dex redirects to the GitHub login page
- GitHub generates the required authorization information and returns it to Dex
- Dex passes the received information on to dex-k8s-authenticator
- The user receives an OIDC token from GitHub
- dex-k8s-authenticator adds the token to kubeconfig
- kubectl passes the token to KubeAPIServer
- KubeAPIServer returns access to kubectl based on the passed token
- The user gets access from kubectl
Preparation
Of course, we already have a Kubernetes cluster set up (k8s.example.com), and it comes with HELM pre-installed. We also have an organization on GitHub (super-org).
If you don't have HELM, install it.
First we need to set up GitHub.
Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
Creating a new application on GitHub
Fill in the fields with the required URLs, for example:
- Homepage URL: https://dex.k8s.example.com
- Authorization callback URL: https://dex.k8s.example.com/callback
Be careful with the links: it is important not to lose the trailing slashes.
In response to the completed form, GitHub will generate a Client ID and a Client secret; store them somewhere safe, they will be useful to us (for example, we use Client ID: 1ab2c3d4e5f6g7h8 and Client secret: 98z76y54x32w1).
Set up DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.
Let's create the SSL certificates:
cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
      - http01:
          ingressClass: nginx
        domains:
          - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
      - http01:
          ingressClass: nginx
        domains:
          - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system
A ClusterIssuer named le-clusterissuer should already exist; if it does not, create one using HELM:
helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF
KubeAPIServer configuration
For kubeAPIServer to work, you need to configure OIDC and update the cluster:
kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes
We use
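To make the kubeAPIServer settings above concrete, here is an added example (not from the article or from kops/Dex) that models the claim checks the API server performs on an ID token before it derives a Kubernetes username and groups from the email and groups claims. The token, the claims and the address dev@example.com are constructed for the example; real signature verification against Dex's JWKS is out of scope and is noted in the comments.

```python
import base64
import json
import time
# Mirrors the kubeAPIServer block of the kops cluster spec above.
APISERVER_OIDC = {
    "oidcIssuerURL": "https://dex.k8s.example.com/",
    "oidcClientID": "dex-k8s-authenticator",
    "oidcUsernameClaim": "email",
    "oidcGroupsClaim": "groups",
}

def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (header.payload.<placeholder>); a real Dex token is
    RS256-signed and the apiserver verifies it against Dex's JWKS before reading claims."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256'})}.{b64(claims)}.signature-omitted"

def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (signature is not checked here)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def kube_identity(claims: dict, cfg=APISERVER_OIDC, now=None):
    """Apply the apiserver's claim checks; return (username, groups) or raise."""
    now = time.time() if now is None else now
    # Exact string comparison, so the trailing slash in oidcIssuerURL matters.
    if claims.get("iss") != cfg["oidcIssuerURL"]:
        raise PermissionError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if cfg["oidcClientID"] not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    username = claims.get(cfg["oidcUsernameClaim"])
    if not username:
        raise PermissionError(f"missing {cfg['oidcUsernameClaim']} claim")
    # Dex's GitHub connector emits groups as "org:team" (e.g. super-org:team-red),
    # which is the name the ClusterRoleBinding matches on.
    return username, list(claims.get(cfg["oidcGroupsClaim"], []))

# Constructed claims for a member of super-org/team-red (the address is made up).
SAMPLE_CLAIMS = {
    "iss": "https://dex.k8s.example.com/",
    "aud": "dex-k8s-authenticator",
    "exp": 4102444800,  # 2100-01-01T00:00:00Z
    "email": "dev@example.com",
    "groups": ["super-org:team-red"],
}
```

Running `kube_identity(decode_claims(make_unsigned_token(SAMPLE_CLAIMS)))` yields the identity `("dev@example.com", ["super-org:team-red"])`, while a token whose `iss` lacks the trailing slash is rejected.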
Configuring Dex and dex-k8s-authenticator
For Dex to work, you need the certificate and key from the Kubernetes master; let's fetch them from there:
sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----
Let's clone the dex-k8s-authenticator repository:
git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/
Using values files, we can flexibly configure our variables.
Let's describe the configuration for Dex:
cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF
And for dex-k8s-authenticator:
cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF
Install Dex and dex-k8s-authenticator:
helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator
Let's check that the services are up (Dex should return code 400, and dex-k8s-authenticator should return code 200):
curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200
RBAC configuration
We create a ClusterRole for the group, in our case with read-only access:
cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF
Let's create the ClusterRoleBinding configuration:
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
# subjects is a list; the Group name is the "org:team" value Dex puts in the groups claim
- kind: Group
  name: "super-org:team-red"
EOF
Now we're ready to test.
Testing
Go to the login page (https://login.k8s.example.com) and log in with your GitHub account:
Login page
GitHub login page
Follow the generated instructions to get access
After logging in on the page, we can use kubectl to manage our cluster resources:
kubectl get po
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 3d
kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"
And it works: all GitHub users in our organization can see resources and exec into pods, but have no rights to change them.
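The Forbidden error above follows directly from the cluster-read-all rules. As an added example (not from the article), the following simplified model of the RBAC authorizer evaluates those rules, transcribed from the manifest, against the requests in the test: get pods is allowed, delete pods is denied, and create on pods/exec is allowed by the third rule. The matcher is a model for illustration, not the apiserver's implementation.

```python
# The three PolicyRules of cluster-read-all, transcribed from the ClusterRole above.
CLUSTER_READ_ALL = [
    {"apiGroups": ["", "apps", "autoscaling", "batch", "extensions", "policy",
                   "rbac.authorization.k8s.io", "storage.k8s.io"],
     "resources": ["componentstatuses", "configmaps", "cronjobs", "daemonsets",
                   "deployments", "events", "endpoints", "horizontalpodautoscalers",
                   "ingress", "ingresses", "jobs", "limitranges", "namespaces", "nodes",
                   "pods", "pods/log", "pods/exec", "persistentvolumes",
                   "persistentvolumeclaims", "resourcequotas", "replicasets",
                   "replicationcontrollers", "serviceaccounts", "services",
                   "statefulsets", "storageclasses", "clusterroles", "roles"],
     "verbs": ["get", "watch", "list"]},
    {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]

def _match(values, wanted):
    # "*" in a rule field matches anything; otherwise an exact entry is required.
    return "*" in values or wanted in values

def rule_allows(rule, verb, api_group=None, resource=None, path=None):
    """One PolicyRule allows a request only if every field it lists matches."""
    if not _match(rule["verbs"], verb):
        return False
    if path is not None:
        # Non-resource request (e.g. /healthz): only nonResourceURLs rules apply;
        # a trailing "*" is a prefix wildcard.
        return any(u == path or (u.endswith("*") and path.startswith(u[:-1]))
                   for u in rule.get("nonResourceURLs", []))
    # Resource request: subresources like pods/exec are separate entries, so a rule
    # granting "pods" does not grant "pods/exec".
    return (_match(rule.get("apiGroups", []), api_group)
            and _match(rule.get("resources", []), resource))

def allowed(rules, verb, api_group=None, resource=None, path=None):
    """RBAC is purely additive: any matching rule allows the request; nothing denies."""
    return any(rule_allows(r, verb, api_group, resource, path) for r in rules)

if __name__ == "__main__":
    # The two commands from the test above: kubectl get po / kubectl delete po
    print("get pods   :", allowed(CLUSTER_READ_ALL, "get", "", "pods"))
    print("delete pods:", allowed(CLUSTER_READ_ALL, "delete", "", "pods"))
    print("exec       :", allowed(CLUSTER_READ_ALL, "create", "", "pods/exec"))
```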
Source: www.habr.com