Setting up LDAP authentication in Kubernetes


A short tutorial on how to use Keycloak to connect Kubernetes to your LDAP server and configure the import of users and groups. This will let you set up RBAC for your users and use an auth-proxy to protect the Kubernetes Dashboard and other applications that cannot authenticate users on their own.

Installing Keycloak

Let's assume you already have an LDAP server. It could be Active Directory, FreeIPA, OpenLDAP or anything else. If you don't have an LDAP server, you can create users directly in the Keycloak interface, or use public OIDC providers (Google, Github, Gitlab); the result will be almost the same.

First, let's install Keycloak itself. It can be installed separately or directly in the Kubernetes cluster. As a rule, if you have several Kubernetes clusters, it is easier to install it separately. On the other hand, you can always use the official helm chart and install it directly into your cluster.

To store Keycloak data you will need a database. The default is h2 (all data is stored locally), but it is also possible to use postgres, mysql or mariadb.
If you still decide to install Keycloak separately, you will find more detailed instructions in the official documentation.

Setting up Federation

First, let's create a new realm. A realm is the space for our application. Each application can have its own realm with its own users and authentication settings. The Master realm is used by Keycloak itself, and using it for anything else is a mistake.

Click Add realm

Option                Value
Name                  kubernetes
Display name          Kubernetes
HTML Display name     <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >

By default, Kubernetes checks whether the user's email is verified or not. Since we are using our own LDAP server, this check will always return false. Let's stop Keycloak from presenting this claim to Kubernetes at all:

Client Scopes -> Email -> Mappers -> Email verified (Delete)

Now let's set up federation; to do this, go to:

User Federation -> Add provider... -> ldap

Here is an example of the settings for FreeIPA:

Option                          Value
Console Display Name            freeipa.example.org
Vendor                          Red Hat Directory Server
UUID LDAP attribute             ipauniqueid
Connection URL                  ldaps://freeipa.example.org
Users DN                        cn=users,cn=accounts,dc=example,dc=org
Bind DN                         uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential                 <password>
Allow Kerberos authentication   on
Kerberos Realm                  EXAMPLE.ORG
Server Principal                HTTP/[email protected]
KeyTab                          /etc/krb5.keytab

The keycloak-svc user must be created in advance on our LDAP server.

In the case of Active Directory, you only need to select Vendor: Active Directory and the necessary settings will be filled into the form automatically.

Click Save

Now let's go to:

User Federation -> freeipa.example.org -> Mappers -> First Name

Option            Value
Ldap attribute    givenName

Now let's enable the group mapping:

User Federation -> freeipa.example.org -> Mappers -> Create

Option                          Value
Name                            groups
Mapper Type                     group-ldap-mapper
LDAP Groups DN                  cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy   GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE

Now that the federation setup is complete, let's move on to configuring the client.

Client configuration

Let's create a new client (the application that will receive users from Keycloak). Go to:

Clients -> Create

Option                 Value
Client ID              kubernetes
Access Type            confidential
Root URL               http://kubernetes.example.org/
Valid Redirect URIs    http://kubernetes.example.org/*
Admin URL              http://kubernetes.example.org/

Let's also create a scope for groups:

Client Scopes -> Create

Option             Value
Template           No template
Name               groups
Full group path    false

And configure a mapper for it:

Client Scopes -> groups -> Mappers -> Create

Option              Value
Name                groups
Mapper Type         Group membership
Token Claim Name    groups

Now we need to enable the group mapping in the scopes of our client:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes

Select groups in Available Client Scopes and click Add selected

Now let's set up authentication for our application; go to:

Clients -> kubernetes

Option                   Value
Authorization Enabled    ON

Click Save, and with this the client setup is complete. Now on the tab

Clients -> kubernetes -> Credentials

you can get the secret that we will use later.

Configuring Kubernetes

Setting up Kubernetes for OIDC authentication is simple and straightforward. All you need to do is put the CA certificate of your OIDC server at /etc/kubernetes/pki/oidc-ca.pem and add the necessary options to kube-apiserver.
To do this, edit /etc/kubernetes/manifests/kube-apiserver.yaml on all your masters:

...
spec:
  containers:
  - command:
    - kube-apiserver
...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...

Also update the kubeadm configuration in the cluster so that these settings are not lost during an upgrade:

kubectl edit -n kube-system configmaps kubeadm-config

...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...

This completes the Kubernetes configuration. You can repeat these steps in all of your Kubernetes clusters.

First login

After these steps you will already have a Kubernetes cluster with OIDC authentication configured. The only catch is that the users do not yet have a configured client or their own kubeconfig. To solve this, you need to arrange the distribution of a kubeconfig to users after successful authentication.

To do this, you can use special web applications that let a user authenticate and download a ready-made kubeconfig. One of the most convenient is Kuberos; it lets you describe all of your Kubernetes clusters in a single configuration and switch between them easily.

To set up Kuberos, just describe a kubeconfig template and run it with the following parameters:

kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template

For details, see Usage on Github.

It is also possible to use a local login helper if you want to authenticate directly on the user's computer. In this case, the user's browser opens with the authentication form served on localhost.

The resulting kubeconfig can be inspected on the jwt.io site. Just copy the value of users[].user.auth-provider.config.id-token from the kubeconfig into the form on the site and you will immediately see the decoded token.

Configuring RBAC

When configuring RBAC, you can refer to the user name (the name field in the jwt token) and to the user's groups (the groups field in the jwt token). Here is an example that grants permissions to the group kubernetes-default-namespace-admins:

kubernetes-default-namespace-admins.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins
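As an added illustration (not code from the original article), the following Python reproduces how the kube-apiserver flags above map the id-token you can inspect on jwt.io into a Kubernetes user, including the email_verified rule that is the reason for deleting the Email verified mapper, and then checks that user's groups against the RoleBinding subject. The claims, the user alice@example.org and the unsigned token are constructed; the signature segment is a placeholder and is not verified.

```python
import base64
import json

# Values taken from the tutorial's kube-apiserver flags.
ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
CLIENT_ID = "kubernetes"

# Constructed sample claims (hypothetical user alice@example.org), shaped like
# what Keycloak issues for the "kubernetes" client after the groups mapper.
SAMPLE_CLAIMS = {"iss": ISSUER_URL, "aud": CLIENT_ID, "email": "alice@example.org",
                 "groups": ["kubernetes-default-namespace-admins"]}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build an UNSIGNED JWT for inspection only; the third segment is a placeholder."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "sig"])

def decode_claims(token: str) -> dict:
    """Decode the payload without checking the signature, exactly what jwt.io shows
    when you paste users[].user.auth-provider.config.id-token from the kubeconfig."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def apiserver_user_info(claims: dict, username_claim="email", groups_claim="groups"):
    """Mirror kube-apiserver's claim mapping for --oidc-username-claim=email and
    --oidc-groups-claim=groups. Returns (user_info, None) or (None, reason)."""
    if claims.get("iss") != ISSUER_URL:
        return None, "issuer does not match --oidc-issuer-url"
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience does not contain --oidc-client-id"
    username = claims.get(username_claim)
    if not username:
        return None, f"missing {username_claim} claim"
    # With the email claim, kube-apiserver rejects a token whose email_verified is
    # present and false. LDAP-federated Keycloak users never have a verified email,
    # so the tutorial deletes the "Email verified" mapper and the claim is absent.
    if username_claim == "email" and claims.get("email_verified") is False:
        return None, "email_verified is false"
    return {"username": username, "groups": list(claims.get(groups_claim, []))}, None

def matches_group_subject(user_info: dict, group_name: str) -> bool:
    """Would a RoleBinding subject of kind Group with this name apply to the user?"""
    return group_name in user_info["groups"]
```

Signature verification against the issuer's JWKS is deliberately out of scope here; kube-apiserver does that before any of this mapping happens.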

More RBAC examples can be found in the Kubernetes documentation.

Setting up an auth-proxy

There is a wonderful project, keycloak-gatekeeper, which lets you protect any application by making the user authenticate against the OIDC server first. I will show how to configure it using the Kubernetes Dashboard as an example:

dashboard-proxy.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        # Probes belong to the container, not to the port entry above.
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP

Source: www.habr.com
