Connecting LDAP authorization to Kubernetes


A short tutorial on how to use Keycloak to connect Kubernetes to your LDAP server and configure the import of users and groups. This lets you set up RBAC for your users and use an auth-proxy to protect the Kubernetes Dashboard and other applications that cannot authenticate users on their own.

Keycloak installation

Let's assume you already have an LDAP server. It can be Active Directory, FreeIPA, OpenLDAP or something else. If you don't have an LDAP server, then in principle you can create users directly in the Keycloak interface, or use public OIDC providers (Google, GitHub, GitLab); the result will be the same.

First, let's install Keycloak itself. It can be installed separately or directly in the Kubernetes cluster. As a rule, if you have several Kubernetes clusters, it is easier to install it separately. On the other hand, you can always use the official helm chart and install it directly into your cluster.

To store Keycloak data you will need a database. The default is h2 (all data is stored locally), but it is also possible to use postgres, mysql or mariadb.
If you still decide to install Keycloak separately, you will find detailed instructions in the official documentation.

Federation setup

First of all, let's create a new realm. A realm is the space for our application. Each application can have its own realm with different users and authorization settings. The Master realm is used by Keycloak itself and it is not a good idea to use it for anything else.

Click Add realm

| Parameter | Value |
|---|---|
| Name | kubernetes |
| Display name | Kubernetes |
| HTML Display name | <img src="https://kubernetes.io/images/nav_logo.svg" width="400" > |

Kubernetes by default checks whether the user's email is verified. Since we are using our own LDAP server, this check will always return false. Let's remove the corresponding claim in Keycloak:

Client scopes -> email -> Mappers -> Email verified (Delete)

Now let's set up the federation; to do this, go to:

User federation -> Add provider... -> ldap

Here is an example of the settings for FreeIPA:

| Parameter | Value |
|---|---|
| Console Display Name | freeipa.example.org |
| Vendor | Red Hat Directory Server |
| UUID LDAP attribute | ipauniqueid |
| Connection URL | ldaps://freeipa.example.org |
| Users DN | cn=users,cn=accounts,dc=example,dc=org |
| Bind DN | uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org |
| Bind Credential | <password> |
| Allow Kerberos authentication | on |
| Kerberos Realm | EXAMPLE.ORG |
| Server Principal | HTTP/[email protected] |
| KeyTab | /etc/krb5.keytab |

The user keycloak-svc needs to be created in advance on our LDAP server.

In the case of Active Directory, you only need to select Vendor: Active Directory and the required settings will be filled into the form automatically.

Click Save

Now let's continue:

User federation -> freeipa.example.org -> Mappers -> First Name

| Parameter | Value |
|---|---|
| Ldap attribute | givenName |

Now let's enable group mapping:

User federation -> freeipa.example.org -> Mappers -> Create

| Parameter | Value |
|---|---|
| Name | groups |
| Mapper type | group-ldap-mapper |
| LDAP Groups DN | cn=groups,cn=accounts,dc=example,dc=org |
| User Groups Retrieve Strategy | GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE |

Now that the federation setup is complete, let's move on to configuring the client.

Client setup

Let's create a new client (an application that will receive users from Keycloak). Go to:

Clients -> Create

| Parameter | Value |
|---|---|
| Client ID | kubernetes |
| Access Type | confidential |
| Root URL | http://kubernetes.example.org/ |
| Valid Redirect URIs | http://kubernetes.example.org/* |
| Admin URL | http://kubernetes.example.org/ |

Let's also create a scope for groups:

Client Scopes -> Create

| Parameter | Value |
|---|---|
| Template | No template |
| Name | groups |
| Full group path | false |

And set up a mapper for it:

Client Scopes -> groups -> Mappers -> Create

| Parameter | Value |
|---|---|
| Name | groups |
| Mapper Type | Group membership |
| Token Claim Name | groups |

Now we need to enable the group mapping in our client's scopes:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes

Select groups in Available Client Scopes, press Add selected

Now let's set up authentication for our application, go to:

Clients -> kubernetes

| Parameter | Value |
|---|---|
| Authorization Enabled | ON |

Click save and with this the client setup is complete; now on the tab

Clients -> kubernetes -> Credentials

you can find the Secret which we will use later.

Configuring Kubernetes

Setting up Kubernetes for OIDC authorization is quite simple and not at all complicated. All you need to do is put the CA certificate of your OIDC server into /etc/kubernetes/pki/oidc-ca.pem and add the required options for kube-apiserver.
To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all your masters.

...
spec:
  containers:
  - command:
    - kube-apiserver
...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...

Also update the kubeadm config in the cluster so that you do not lose these settings when upgrading:

kubectl edit -n kube-system configmaps kubeadm-config

...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...

This completes the Kubernetes setup. You can repeat these steps on all your Kubernetes clusters.

Initial authorization

After these steps, you already have a Kubernetes cluster with OIDC authorization configured. The only problem is that your users do not yet have a configured client or their own kubeconfig. To solve this, you need to set up automatic distribution of kubeconfig to users after successful authorization.

To do this, you can use special web applications that let you authenticate a user and then download a ready-made kubeconfig. One of the most convenient is Kuberos, which lets you describe all your Kubernetes clusters in one config and easily switch between them.

To configure Kuberos, just describe the kubeconfig template and run it with the following parameters:

kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template

For more information see Usage on GitHub.

It is also possible to use kubelogin if you want to authenticate directly on the user's computer. In this case, the user opens a browser with the authorization form on localhost.

The resulting kubeconfig can be checked on the website jwt.io. Just copy the value users[].user.auth-provider.config.id-token from your kubeconfig into the form on the website and you immediately get the decoded token.

Configuring RBAC

When configuring RBAC, you can refer both to the user name (the name field in the jwt token) and to the user's group (the groups field in the jwt token). Here is an example of configuring rights for the group kubernetes-default-namespace-admins:

kubernetes-default-namespace-admins.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins

More RBAC examples can be found in the official Kubernetes documentation.

Setting up auth-proxy

There is a wonderful project, keycloak-gatekeeper, which lets you protect any application by giving the user the ability to authenticate against an OIDC server. I will show how to configure it using the Kubernetes Dashboard as an example:
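The two checks above (decoding the id-token from kubeconfig as jwt.io does, and seeing which token fields RBAC will match on) can be done offline. The following script is an added example, not code from the article or from Kuberos/kubelogin; it assumes the article's kube-apiserver flags (issuer URL, client id, email as username claim, groups as groups claim), builds a constructed, unsigned sample token and kubeconfig fragment, and then reports the Kubernetes identity the API server would derive, any claim problems that would make it reject the token, and which of the user's groups are subjects of the RoleBinding from the example above. The `email_verified` check mirrors why the article deletes the "Email verified" mapper.

```python
import base64
import json

# From the article's kube-apiserver flags: the issuer and client id the API server
# checks the token against, and the claims that become the Kubernetes user/groups.
OIDC_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"

def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # restore the stripped padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_constructed_token(claims: dict) -> str:
    # Constructed for this example only: a real id-token is signed by the realm's key.
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-example-kid"}
    segments = [json.dumps(header).encode(), json.dumps(claims).encode(), b"not-a-real-signature"]
    return ".".join(b64url_encode(s) for s in segments)

def decode_claims_unverified(token: str) -> dict:
    # The view jwt.io gives: payload decoded, signature NOT checked. Only
    # kube-apiserver, which fetches the realm's JWKS, verifies the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))

def id_token_from_kubeconfig(kubeconfig: dict, user: str) -> str:
    # users[].user.auth-provider.config.id-token, the value the article pastes into jwt.io
    for entry in kubeconfig.get("users", []):
        if entry.get("name") == user:
            return entry["user"]["auth-provider"]["config"]["id-token"]
    raise KeyError(f"no user {user!r} in kubeconfig")

def kubernetes_identity(claims: dict) -> tuple:
    # the --oidc-username-claim / --oidc-groups-claim mapping
    return claims[OIDC_USERNAME_CLAIM], list(claims.get(OIDC_GROUPS_CLAIM, []))

def check_token_claims(claims: dict, now: float) -> list:
    # claim problems that would make kube-apiserver reject the token at time `now`
    problems = []
    if claims.get("iss") != OIDC_ISSUER_URL:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url")
    aud = claims.get("aud")
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain --oidc-client-id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp is in the past)")
    if OIDC_USERNAME_CLAIM not in claims:
        problems.append(f"missing username claim {OIDC_USERNAME_CLAIM!r}")
    # With username claim "email", the API server rejects email_verified=false; the
    # article deletes Keycloak's "Email verified" mapper so the claim is absent.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        problems.append("email_verified is false")
    return problems

def groups_bound_by(groups: list, rolebinding: dict) -> list:
    # the token's groups that appear as Group subjects of the RoleBinding
    bound = {s["name"] for s in rolebinding.get("subjects", []) if s.get("kind") == "Group"}
    return [g for g in groups if g in bound]

# Constructed sample claims for an LDAP user after the article's federation,
# "groups" client scope and Group membership mapper (timestamps are fixed).
SAMPLE_CLAIMS = {
    "iss": OIDC_ISSUER_URL, "aud": OIDC_CLIENT_ID, "iat": 1700000000, "exp": 1700000300,
    "sub": "constructed-subject-id", "email": "alice@example.org", "name": "Alice Example",
    "groups": ["kubernetes-default-namespace-admins", "developers"],
}

# Constructed kubeconfig fragment in the shape Kuberos/kubelogin write.
SAMPLE_KUBECONFIG = {"apiVersion": "v1", "kind": "Config", "users": [{
    "name": "alice@example.org",
    "user": {"auth-provider": {"name": "oidc", "config": {
        "client-id": OIDC_CLIENT_ID, "idp-issuer-url": OIDC_ISSUER_URL,
        "id-token": make_constructed_token(SAMPLE_CLAIMS)}}}}]}

# The article's RoleBinding, as yaml.safe_load would load it.
ROLEBINDING = {"kind": "RoleBinding", "metadata": {"name": "kubernetes-default-namespace-admins"},
               "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                             "name": "kubernetes-default-namespace-admins"}]}

def inspect_kubeconfig_user(kubeconfig: dict, user: str, rolebinding: dict, now: float) -> dict:
    # decode the user's id-token and report identity, claim problems and matched bindings
    claims = decode_claims_unverified(id_token_from_kubeconfig(kubeconfig, user))
    username, groups = kubernetes_identity(claims)
    return {"username": username, "groups": groups,
            "problems": check_token_claims(claims, now),
            "bound_groups": groups_bound_by(groups, rolebinding)}

if __name__ == "__main__":
    report = inspect_kubeconfig_user(SAMPLE_KUBECONFIG, "alice@example.org", ROLEBINDING, 1700000100)
    print(json.dumps(report, indent=2))
```

To use it on a real kubeconfig, load the file with `yaml.safe_load` and pass the resulting dict in place of `SAMPLE_KUBECONFIG`; the script deliberately never verifies the signature, so treat its output as a view of what the token claims, not as proof that the API server will accept it.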

dashboard-proxy.yaml

# apps/v1 replaces the removed extensions/v1beta1 API and requires spec.selector
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard-proxy
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        # the probes belong to the container, not to the port entry
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP

Source: www.habr.com
