This is a short tutorial on how to use Keycloak to connect Kubernetes to your LDAP server and set up the import of users and groups. It lets you configure RBAC for your users and use an auth-proxy to protect the Kubernetes Dashboard and other applications that cannot authenticate users on their own.

Installing Keycloak

Let's assume you already have an LDAP server. It could be Active Directory, FreeIPA, OpenLDAP or anything else. If you don't have an LDAP server, you can in principle create users directly in the Keycloak interface, or use public OIDC providers (Google, GitHub, GitLab); the result will be almost the same.

First, let's install Keycloak itself. It can be installed separately or directly into the Kubernetes cluster. As a rule, if you have several Kubernetes clusters, it is easier to install it separately. On the other hand, you can always use
Keycloak needs a database to store its data. The default is h2 (all data is stored locally), but postgres, mysql or mariadb can also be used.

If you still decide to install Keycloak separately, you will find more detailed instructions in
Setting up federation

First, let's create a new realm. A realm is the space of our application. Each application can have its own realm with different users and authorization settings. The Master realm is used by Keycloak itself and it is wrong to use it for anything else.

Click Add realm

| Option | Value |
|---|---|
| Name | kubernetes |
| Display Name | Kubernetes |
| HTML Display Name | `<img src="https://kubernetes.io/images/nav_logo.svg" width="400" >` |
Kubernetes checks whether the user's email is verified or not. Since we use our own LDAP server, this check will almost always return false. Let's remove the representation of this option in Kubernetes:

Client Scopes -> Email -> Mappers -> Email verified (Delete)

Now let's set up federation; to do this, go to:

User Federation -> Add provider... -> ldap

Here is an example configuration for FreeIPA:
| Option | Value |
|---|---|
| Console Display Name | freeipa.example.org |
| Vendor | Red Hat Directory Server |
| UUID LDAP attribute | ipauniqueid |
| Connection URL | ldaps://freeipa.example.org |
| Users DN | cn=users,cn=accounts,dc=example,dc=org |
| Bind DN | uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org |
| Bind Credential | `<password>` |
| Allow Kerberos authentication | on |
| Kerberos Realm | EXAMPLE.ORG |
| Server Principal | HTTP/freeipa.example.org@EXAMPLE.ORG |
| KeyTab | /etc/krb5.keytab |
The keycloak-svc user must be created in advance on our LDAP server.

In the case of Active Directory, it is enough to select Vendor: Active Directory and the appropriate settings will be filled into the form automatically.

Click Save

Let's continue:

User Federation -> freeipa.example.org -> Mappers -> First Name

| Option | Value |
|---|---|
| Ldap attribute | givenName |
Let's enable the group mapping:

User Federation -> freeipa.example.org -> Mappers -> Create

| Option | Value |
|---|---|
| Name | groups |
| Mapper Type | group-ldap-mapper |
| LDAP Groups DN | cn=groups,cn=accounts,dc=example,dc=org |
| User Groups Retrieve Strategy | GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE |
That completes the federation setup; let's move on to configuring the client.

Client setup

Let's create a new client (the application that will receive users from Keycloak). Go to:

Clients -> Create

| Option | Value |
|---|---|
| Client ID | kubernetes |
| Access Type | confidential |
| Root URL | http://kubernetes.example.org/ |
| Valid Redirect URIs | http://kubernetes.example.org/* |
| Admin URL | http://kubernetes.example.org/ |
Let's also create a scope for groups:

Client Scopes -> Create

| Option | Value |
|---|---|
| Template | No template |
| Name | groups |
| Full group path | false |
And configure a mapper for them:

Client Scopes -> groups -> Mappers -> Create

| Option | Value |
|---|---|
| Name | groups |
| Mapper Type | Group membership |
| Token Claim Name | groups |
Now we need to enable the groups mapping in the scope of our client:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes

Select groups in Available Client Scopes and click Add selected
Let's set up authentication for our application; go to:

Clients -> kubernetes

| Option | Value |
|---|---|
| Authorization Enabled | ON |

Click Save, and that completes the client setup. On the tab

Clients -> kubernetes -> Credentials

you can now obtain the secret that we will use later.
Configuring Kubernetes

Configuring Kubernetes for OIDC authorization is fairly trivial and not very complicated. All you need to do is put the CA certificate of your OIDC server into /etc/kubernetes/pki/oidc-ca.pem and add the appropriate options for kube-apiserver.

To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all your masters:
```yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
    ...
```
Also update the kubeadm config in the cluster so that these settings are not lost on upgrade:

```shell
kubectl edit -n kube-system configmaps kubeadm-config
```

```yaml
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
```
The Kubernetes setup is complete. You can repeat these steps on all your Kubernetes clusters.

Initial authorization

After these steps you will have a Kubernetes cluster with OIDC authorization configured. The only catch is that your users do not yet have a client installed or their own kubeconfig. To solve this, you need to set up automatic distribution of kubeconfig to users after successful authorization.

To do this, you can use specialized web applications that let the user authenticate and then download a ready-made kubeconfig. One of the most convenient
To deploy Kuberos, just describe the template for the kubeconfig and run it with the following parameters:

```shell
kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template
```

For more details see

You can also use

The resulting kubeconfig can be checked on the website: paste the value of users[].user.auth-provider.config.id-token from your kubeconfig into the form on the site and you immediately get the decoded token.
Configuring RBAC

When configuring RBAC you can refer to the user name (the name field in the JWT token) as well as to the user's groups (the groups field in the JWT token). Here is an example of granting permissions to the group kubernetes-default-namespace-admins:

kubernetes-default-namespace-admins.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins
```
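An added check, not part of the original article, that decodes the id-token from a kubeconfig, derives the username and groups the way kube-apiserver does with the flags configured above, and tests whether the RoleBinding above would apply to that user. The sample token and its HS256 signing key are constructed for this example; real Keycloak tokens are RS256-signed and the apiserver verifies that signature, which this code deliberately does not.

```python
import base64
import hashlib
import hmac
import json

# kube-apiserver OIDC flags from the manifest in the article
OIDC_ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    """Constructed HS256 token so the example runs offline (Keycloak issues RS256 tokens)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(b"constructed-demo-key", f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def decode_claims(id_token: str) -> dict:
    """Payload of users[].user.auth-provider.config.id-token; the signature is NOT verified here."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))

def apiserver_identity(claims: dict) -> tuple:
    """Derive (username, groups) as kube-apiserver does with the flags above, or raise ValueError."""
    if claims.get("iss") != OIDC_ISSUER:
        raise ValueError("iss does not match --oidc-issuer-url")
    aud = claims.get("aud")
    if aud != OIDC_CLIENT_ID and not (isinstance(aud, list) and OIDC_CLIENT_ID in aud):
        raise ValueError("aud does not contain --oidc-client-id")
    if USERNAME_CLAIM not in claims:
        raise ValueError(f"token lacks the {USERNAME_CLAIM} claim")
    # with --oidc-username-claim=email the apiserver rejects tokens carrying email_verified=false,
    # which is why the article deletes the 'Email verified' mapper from the Email client scope
    if USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        raise ValueError("email_verified is false")
    return claims[USERNAME_CLAIM], list(claims.get(GROUPS_CLAIM, []))

def binding_grants(claims: dict, bound_group: str) -> bool:
    """True if a RoleBinding whose subject is Group bound_group applies to this token's user."""
    return bound_group in apiserver_identity(claims)[1]
```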
You can find more examples for RBAC in

Setting up the auth-proxy

There is a wonderful project

dashboard-proxy.yaml
```yaml
# apps/v1 with an explicit selector; the original manifest used extensions/v1beta1, which current clusters no longer serve
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard-proxy
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        # encrypts the session cookie; replace with your own random value of the same length
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP
```
Source: www.habr.com