Authentication in Kubernetes using GitHub OAuth and Dex

I present to your attention a tutorial on setting up access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

[Image: local meme from the Russian-language Kubernetes chat in Telegram]

Introduction

We use Kubernetes to create dynamic environments for the development and QA team. So we want to give them access to the cluster, both to the dashboard and via kubectl. Unlike OpenShift, vanilla Kubernetes has no native authentication, so we use third-party tools for this.

In this configuration we use:

  • dex-k8s-authenticator - web application for generating the kubectl config
  • Dex - OpenID Connect provider
  • GitHub - simply because we use GitHub in our company

We tried to use Google OIDC, but unfortunately we failed to get it working with groups, so the integration with GitHub suited us well. Without group mapping it is impossible to create RBAC policies based on groups.

So, this is how our Kubernetes authorization process works, in schematic form:

[Diagram: authorization flow]

Some more details, point by point:

  1. The user logs in to dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub generates the required authorization information and returns it to Dex
  5. Dex passes the received information to dex-k8s-authenticator
  6. The user receives an OIDC token from GitHub
  7. dex-k8s-authenticator adds the token to kubeconfig
  8. kubectl passes the token to KubeAPIServer
  9. KubeAPIServer grants access to kubectl based on the passed token
  10. The user gets access through kubectl

Preparatory steps

So, we already have a Kubernetes cluster installed (k8s.example.com), and it comes with HELM pre-installed. We also have an organization on GitHub (super-org).
If you don't have HELM, it is very easy to install.

First we need to configure GitHub.

Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):

[Screenshot: creating a new application on GitHub]

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the slashes; it is important not to lose them.

In response to the completed form, GitHub will generate a Client ID and a Client secret. Keep them in a safe place, they will come in handy (for example, we use Vault to store secrets):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

A ClusterIssuer named le-clusterissuer should already exist, but if it doesn't, create it using HELM:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

KubeAPIServer configuration

For kubeAPIServer to work, you need to configure OIDC and update the cluster:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy clusters, but this works the same way for other cluster managers.
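The four oidc* settings above are exactly what kube-apiserver checks on every bearer token kubectl sends (steps 8 and 9 of the flow). The following Python script is an added example, not code from the article, from Dex or from kube-apiserver; it constructs an ID token and applies the same checks: signature, exact issuer match against oidcIssuerURL, audience match against oidcClientID, expiry, and mapping of the email and groups claims to the identity that RBAC later sees. The signing key, the email address and the timestamps are constructed; real Dex signs with RSA keys published under the issuer URL, and HS256 with a shared key stands in for that here so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Values copied from the kops kubeAPIServer block on this page.
OIDC_ISSUER_URL = "https://dex.k8s.example.com/"
OIDC_CLIENT_ID = "dex-k8s-authenticator"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"

# Constructed stand-in signing key. Real Dex signs ID tokens with RSA (RS256) and
# publishes the verification keys under the issuer URL, from where kube-apiserver
# fetches them; HS256 with a shared key is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-dex-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (header.payload.signature), as Dex would at step 5/6."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate(token: str, now=None, key: bytes = DEMO_KEY) -> dict:
    """Checks kube-apiserver's OIDC authenticator applies to the bearer token at step 8.

    Returns {"ok": True, "username": ..., "groups": [...]} on success, otherwise
    {"ok": False, "reason": ...}. Any rejection leaves the request unauthenticated,
    and anonymousAuth: false then refuses it outright.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token"}
    header, payload, sig = parts
    # 1. Signature: only tokens minted with the issuer's key are trusted.
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(_b64url_decode(payload))
    # 2. iss must equal oidcIssuerURL byte for byte, trailing slash included; this is
    #    why the page uses the same "https://dex.k8s.example.com/" in Dex and in kops.
    if claims.get("iss") != OIDC_ISSUER_URL:
        return {"ok": False, "reason": "issuer mismatch"}
    # 3. aud must contain oidcClientID, so a token issued by the same Dex for a
    #    different OIDC client cannot be replayed against this cluster.
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if OIDC_CLIENT_ID not in aud:
        return {"ok": False, "reason": "audience mismatch"}
    # 4. exp: Dex's expiry.idTokens: "24h" ends up here; after that kubectl needs
    #    a fresh token from login.k8s.example.com.
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired"}
    # 5. Map claims to the identity RBAC sees: username from oidcUsernameClaim,
    #    groups from oidcGroupsClaim (Dex's GitHub connector emits "org:team").
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        return {"ok": False, "reason": f"missing {OIDC_USERNAME_CLAIM} claim"}
    return {"ok": True, "username": username, "groups": list(claims.get(OIDC_GROUPS_CLAIM, []))}


# Constructed sample claims for a member of super-org/team-red.
SAMPLE_CLAIMS = {
    "iss": OIDC_ISSUER_URL,
    "aud": OIDC_CLIENT_ID,
    "exp": 1_700_086_400,  # 24h after the constructed "now" below
    "email": "dev@example.com",
    "groups": ["super-org:team-red"],
}
SAMPLE_NOW = 1_700_000_000


if __name__ == "__main__":
    print(authenticate(make_id_token(SAMPLE_CLAIMS), now=SAMPLE_NOW))
    wrong_aud = make_id_token({**SAMPLE_CLAIMS, "aud": "some-other-client"})
    print(authenticate(wrong_aud, now=SAMPLE_NOW))
```

Run it and the wrong-audience token is rejected even though it carries valid claims and a valid signature from the same issuer; that is the property that keeps a token minted for another Dex client from being usable against this cluster.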

Configuring Dex and dex-k8s-authenticator

For Dex to work, you need the certificate and key from the Kubernetes master; let's take them from there:

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Let's clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using the values files, we can flexibly configure the variables of our HELM charts.

Let's describe the Dex configuration:

cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

And for dex-k8s-authenticator:

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Let's check that the services are up (Dex should return code 400, and dex-k8s-authenticator code 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

We create a ClusterRole for the group, in our case with read-only access:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Let's create the ClusterRoleBinding configuration (subjects is a list, so each subject starts with a dash):

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "super-org:team-red"
EOF
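To see how the groups claim from the ID token, this ClusterRoleBinding and the cluster-read-all ClusterRole combine, here is an added Python example (not the article's code and not the Kubernetes RBAC authorizer itself): it mirrors both objects as data and evaluates requests the way RBAC does, matching verbs, API groups, resources with subresources and non-resource URLs, and denying anything no rule allows. The resources list is the page's own, only packed onto fewer lines; the identities TEAM_RED and OUTSIDER are constructed.

```python
# Constructed mirror of the cluster-read-all ClusterRole and the dex-cluster-auth
# ClusterRoleBinding from this page.
CLUSTER_ROLES = {
    "cluster-read-all": [
        {
            "apiGroups": ["", "apps", "autoscaling", "batch", "extensions", "policy",
                          "rbac.authorization.k8s.io", "storage.k8s.io"],
            "resources": ["componentstatuses", "configmaps", "cronjobs", "daemonsets",
                          "deployments", "events", "endpoints", "horizontalpodautoscalers",
                          "ingress", "ingresses", "jobs", "limitranges", "namespaces", "nodes",
                          "pods", "pods/log", "pods/exec", "persistentvolumes",
                          "persistentvolumeclaims", "resourcequotas", "replicasets",
                          "replicationcontrollers", "serviceaccounts", "services",
                          "statefulsets", "storageclasses", "clusterroles", "roles"],
            "verbs": ["get", "watch", "list"],
        },
        {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ]
}
CLUSTER_ROLE_BINDINGS = [
    {"name": "dex-cluster-auth", "roleRef": "cluster-read-all",
     "subjects": [{"kind": "Group", "name": "super-org:team-red"}]},
]

# Constructed identities, in the shape the OIDC authenticator hands to RBAC
# (username from the email claim, groups from the groups claim).
TEAM_RED = {"username": "dev@example.com", "groups": ["super-org:team-red"]}
OUTSIDER = {"username": "guest@example.com", "groups": ["super-org:team-blue"]}


def _matches(patterns, value):
    return any(p == "*" or p == value for p in patterns)


def _path_matches(patterns, path):
    # nonResourceURLs allow a trailing "*" glob, e.g. "/healthz*".
    return any(p == "*" or p == path or (p.endswith("*") and path.startswith(p[:-1]))
               for p in patterns)


def rule_allows(rule, req):
    """Does one PolicyRule allow this request? req carries a verb plus either
    apiGroup/resource[/subresource] or path (for non-resource URLs)."""
    if not _matches(rule.get("verbs", []), req["verb"]):
        return False
    if "path" in req:
        return _path_matches(rule.get("nonResourceURLs", []), req["path"])
    if not _matches(rule.get("apiGroups", []), req["apiGroup"]):
        return False
    # Subresources are written "resource/subresource" in rules, e.g. pods/exec.
    name = req["resource"] + ("/" + req["subresource"] if req.get("subresource") else "")
    return _matches(rule.get("resources", []), name)


def bound_roles(identity):
    """ClusterRoles reachable through bindings whose subjects include this identity."""
    roles = []
    for binding in CLUSTER_ROLE_BINDINGS:
        for subject in binding["subjects"]:
            hit = (subject["kind"] == "Group" and subject["name"] in identity["groups"]) or \
                  (subject["kind"] == "User" and subject["name"] == identity["username"])
            if hit:
                roles.append((binding["name"], binding["roleRef"]))
                break
    return roles


def authorize(identity, req):
    """RBAC is allow-only: the first matching rule allows, and nothing matching denies."""
    for binding_name, role_name in bound_roles(identity):
        for rule in CLUSTER_ROLES[role_name]:
            if rule_allows(rule, req):
                return True, f"allowed by ClusterRole {role_name} via {binding_name}"
    return False, "no rule matched; RBAC denies by default"


if __name__ == "__main__":
    # The two kubectl calls from the Tests section, plus exec and a non-resource URL.
    for req in [
        {"verb": "list", "apiGroup": "", "resource": "pods"},    # kubectl get po
        {"verb": "delete", "apiGroup": "", "resource": "pods"},  # kubectl delete po mypod
        {"verb": "create", "apiGroup": "", "resource": "pods", "subresource": "exec"},
        {"verb": "get", "path": "/healthz"},
    ]:
        print(req, "->", authorize(TEAM_RED, req))
```

Running it reproduces the outcome of the Tests section: listing pods is allowed, deleting pods is forbidden, creating pods/exec is allowed by the third rule, and an identity whose groups claim lacks super-org:team-red gets nothing at all.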

Now we are ready for testing.

Tests

Go to the login page (https://login.k8s.example.com) and log in with your GitHub account:

[Screenshot: login page]

[Screenshot: login page redirected to GitHub]

[Screenshot: follow the generated instructions to get access]

After copy-pasting from the web page, we can use kubectl to manage our cluster resources:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: all GitHub users in our organization can view resources and log into pods, but have no rights to change them.

Source: www.habr.com
