I would like to share a tutorial on setting up authentication to a Kubernetes cluster with Dex, dex-k8s-authenticator and GitHub.
(Image: a local meme from the Russian-language Kubernetes chat)
Introduction
We use Kubernetes to build dynamic environments for the development and QA teams, so we want to give them access to the cluster both through the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes has no built-in user management or identity provider: it can validate client certificates, static tokens or OIDC tokens, but something external has to issue them. So we use third-party tools for this.
In this setup we use:
- dex-k8s-authenticator: a web application that generates the kubectl config
- Dex: an OpenID Connect provider
- GitHub: simply because our company uses GitHub
We tried using Google OIDC, but unfortunately we
So, this is how our Kubernetes authentication process looks schematically:
(Image: authentication flow)
In a little more detail, step by step:
- The user opens dex-k8s-authenticator (login.k8s.example.com)
- dex-k8s-authenticator redirects the request to Dex (dex.k8s.example.com)
- Dex redirects to the GitHub login page
- GitHub authenticates the user and returns the authorization data to Dex
- Dex passes the result back to dex-k8s-authenticator
- The user receives an OIDC ID token; it is issued and signed by Dex (GitHub is only the upstream identity source), and carries the email and groups claims derived from the GitHub account and team membership
- dex-k8s-authenticator shows the commands that add the token to kubeconfig
- kubectl sends the token to the kube-apiserver with every request
- The kube-apiserver validates the token against Dex's signing keys and grants access according to the RBAC rules that match the token's user and groups
- The user gets access through kubectl
Preparations
So, we already have a Kubernetes cluster (k8s.example.com), and it comes with HELM pre-installed. We also have an organization on GitHub (super-org).
If you don't have HELM, install it.
First we need to set up GitHub.
Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
(Image: creating a new application on GitHub)
Fill in the fields with the required URLs, for example:
- Homepage URL: https://dex.k8s.example.com
- Authorization callback URL: https://dex.k8s.example.com/callback
Be careful with the slashes, it is important not to lose them: GitHub compares the callback URL it was registered with against the redirectURI Dex sends character for character, and Dex does the same for the redirect URI of dex-k8s-authenticator (https://login.k8s.example.com/callback/, with a trailing slash) against the staticClients entry in its config. A mismatch on either side fails the login with a redirect_uri error.
In response to the completed form, GitHub will generate a Client ID and a Client secret. Keep them in a safe place, we will need them later (in this example we use Client ID: 1ab2c3d4e5f6g7h8 and Client secret: 98z76y54x32w1).
Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.
Let's create the SSL certificates:
cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
  - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
  - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system
A ClusterIssuer named le-clusterissuer should already exist; if it does not, create it with HELM (these manifests use the old certmanager.k8s.io/v1alpha1 API of the stable/cert-manager chart):
helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer   # cluster-scoped, so no namespace
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF
kube-apiserver configuration
For the kube-apiserver to accept our tokens, OIDC has to be enabled on it and the cluster updated. The issuer URL must be exactly the one Dex will advertise in its discovery document (including the trailing slash), and the client ID must match the staticClients id that dex-k8s-authenticator uses, otherwise every token is rejected:
kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes
We use kops.
Dex and dex-k8s-authenticator configuration
For Dex to work you need the certificate and key of the Kubernetes master (the cluster CA); let's take them from there. Keep in mind that this key signs every certificate the cluster trusts, so the values file and the Secret that will hold it need the same protection as the master itself:
sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----
Let's clone the dex-k8s-authenticator repository:
git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/
Using the values files, we can flexibly adapt the configuration for our various
Let's describe the Dex configuration. Note the quoted heredoc delimiter: the $GITHUB_CLIENT_ID and $GITHUB_CLIENT_SECRET placeholders must reach Dex literally, which expands them from the pod environment at startup; with an unquoted EOF the shell would replace them with empty strings while writing the file.
cat << 'EOF' > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      # expanded by Dex from the environment created from envSecrets below
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
    - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF
And for dex-k8s-authenticator (client_id, client_secret and redirect_uri must match the staticClients entry above):
cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF
Install Dex and dex-k8s-authenticator:
helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator
Let's check that the services are up (Dex should answer with code 400 on a bare callback request, and dex-k8s-authenticator with code 200):
curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200
RBAC configuration
We create a ClusterRole for the group, in our case read-only, plus create on pods/exec so that people can get a shell in a pod. Keep in mind that exec is not read-only: whoever can exec into a pod acts with that pod's service account and network position, and a ClusterRole grants this in every namespace, kube-system included. If that is too much, grant the exec rule through a namespaced Role in the environments the teams actually own.
cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
- apiGroups:
  - ""
  - apps
  - autoscaling
  - batch
  - extensions
  - policy
  - rbac.authorization.k8s.io
  - storage.k8s.io
  resources:
  - componentstatuses
  - configmaps
  - cronjobs
  - daemonsets
  - deployments
  - events
  - endpoints
  - horizontalpodautoscalers
  - ingresses
  - jobs
  - limitranges
  - namespaces
  - nodes
  - pods
  - pods/log
  - pods/exec
  - persistentvolumes
  - persistentvolumeclaims
  - resourcequotas
  - replicasets
  - replicationcontrollers
  - serviceaccounts
  - services
  - statefulsets
  - storageclasses
  - clusterroles
  - roles
  verbs:
  - get
  - watch
  - list
- nonResourceURLs: ["*"]
  verbs:
  - get
  - watch
  - list
# exec is a create on the pods/exec subresource; this is the only write verb
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
EOF
Now the ClusterRoleBinding. The subject is a Group whose name is the value the kube-apiserver finds in the token's groups claim; the Dex GitHub connector formats team membership as org:team, hence "super-org:team-red":
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
- kind: Group
  name: "super-org:team-red"
  apiGroup: rbac.authorization.k8s.io
EOF
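As an added example, not code from the article or from the dex-k8s-authenticator project, the POSIX shell script below ties the kube-apiserver OIDC settings and the ClusterRoleBinding together: it decodes an ID token the way the kube-apiserver reads it (iss and aud must match oidcIssuerURL and oidcClientID exactly, the email claim becomes the username with no prefix, the groups claim becomes the group list) and reports whether the holder would be authenticated and then authorized through super-org:team-red. The names are the tutorial's; the three tokens are constructed inline with a dummy signature so the script runs offline, and signature verification, which the kube-apiserver performs against the keys Dex publishes through its discovery document, is deliberately left out. It assumes GNU coreutils (base64 -d).

```bash
#!/bin/sh
# Added example, not part of the original article or of dex-k8s-authenticator.
# Decodes an OIDC ID token and checks its claims against the kube-apiserver
# settings used in the tutorial and the group bound to cluster-read-all.
# Tokens are constructed below with a dummy signature (no Dex involved).
# Requires GNU coreutils base64 (base64 -d).

ISSUER_URL="https://dex.k8s.example.com/"   # kubeAPIServer.oidcIssuerURL
CLIENT_ID="dex-k8s-authenticator"            # kubeAPIServer.oidcClientID
BOUND_GROUP="super-org:team-red"             # ClusterRoleBinding subject

# base64url <-> base64: restore padding and the +/ alphabet before decoding
b64url_decode() {
  seg="$1"
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# The payload is the second dot-separated segment of the JWT.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# "key":"value" -> value (payload is compact JSON, no spaces after colons)
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}
# "key":["a","b"] -> one element per line
jwt_array_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\[\([^]]*\)].*/\1/p" | tr ',' '\n' | tr -d '"'
}

# Mirrors the kube-apiserver with oidcUsernameClaim=email, oidcGroupsClaim=groups:
# iss/aud must match exactly (trailing slash included), a token whose
# email_verified is false is rejected, the email becomes the username as-is
# (no prefix is added for the email claim), and access only follows when one
# of the groups matches a binding. Returns 0 on success, 1 with the reason.
check_token() {
  tok="$1"
  iss=$(jwt_claim "$tok" iss)
  aud=$(jwt_claim "$tok" aud)
  email=$(jwt_claim "$tok" email)
  [ "$iss" = "$ISSUER_URL" ] || { echo "issuer mismatch: '$iss'"; return 1; }
  [ "$aud" = "$CLIENT_ID" ]  || { echo "audience mismatch: '$aud'"; return 1; }
  [ -n "$email" ]            || { echo "no email claim: no username, token rejected"; return 1; }
  if jwt_payload "$tok" | grep -q '"email_verified":false'; then
    echo "email_verified is false: token rejected"; return 1
  fi
  if jwt_array_claim "$tok" groups | grep -qx "$BOUND_GROUP"; then
    echo "ok: $email authenticates and group $BOUND_GROUP is bound to cluster-read-all"
    return 0
  fi
  echo "$email authenticates but none of its groups has a binding: Forbidden"
  return 1
}

# Constructed sample tokens (header.payload.signature; the signature is a dummy).
HEADER='{"alg":"RS256","kid":"example-key"}'
make_token() { printf '%s.%s.%s' "$(b64url_encode "$HEADER")" "$(b64url_encode "$1")" "dummysig"; }

good_token() {
  make_token '{"iss":"https://dex.k8s.example.com/","sub":"CgExEgZnaXRodWI","aud":"dex-k8s-authenticator","exp":1700000000,"iat":1699913600,"email":"alice@example.com","email_verified":true,"groups":["super-org:team-red","super-org:team-blue"],"name":"Alice"}'
}
# Same user without the bound team: authenticates, then every request is Forbidden.
unbound_token() {
  make_token '{"iss":"https://dex.k8s.example.com/","sub":"CgExEgZnaXRodWI","aud":"dex-k8s-authenticator","exp":1700000000,"iat":1699913600,"email":"alice@example.com","email_verified":true,"groups":["super-org:team-blue"],"name":"Alice"}'
}
# Issuer without the trailing slash: the classic oidcIssuerURL mismatch.
bad_issuer_token() {
  make_token '{"iss":"https://dex.k8s.example.com","aud":"dex-k8s-authenticator","email":"alice@example.com","email_verified":true,"groups":["super-org:team-red"]}'
}

check_token "$(good_token)"
check_token "$(unbound_token)" || true
check_token "$(bad_issuer_token)" || true
```

On the live cluster the authorization half of this check needs no token at all: `kubectl auth can-i delete pods --as=alice@example.com --as-group=super-org:team-red` must answer no with the ClusterRole above, and `kubectl auth can-i create pods/exec --as-group=super-org:team-red` answers yes, which is the exec caveat from the RBAC section made visible before anyone logs in.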
Now we are ready to test.
Testing
Open the login page (https://login.k8s.example.com) and sign in with your GitHub account:
(Image: login page)
(Image: the login page redirects to GitHub)
(Image: follow the generated instructions to get access)
After copy-pasting the commands from the web page, we can use kubectl to work with our cluster resources:
kubectl get po
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 3d
kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"
And it works: members of the team-red team in our GitHub organization (the only ones the Dex connector admits and the binding covers) can view resources and exec into pods, but have no rights to modify them.
Source: www.habr.com