A short tutorial on using Keycloak to connect Kubernetes to your LDAP server and to configure the import of users and groups. This lets you set up RBAC for your users and use an auth-proxy to protect the Kubernetes Dashboard and other applications that cannot authenticate users on their own.
Keycloak Installation
Let's assume that you already have an LDAP server. This could be Active Directory, FreeIPA, OpenLDAP or something else. If you do not have an LDAP server, then in principle you can create users directly in the Keycloak interface, or use public OIDC providers (Google, GitHub, GitLab); the result will be the same.

First, let's install Keycloak itself. The installation can be done separately or directly in the Kubernetes cluster. As a rule, if you have several Kubernetes clusters, it is easier to install it separately. On the other hand, you can always use

To store Keycloak data you will need a database. The default is h2 (all data is stored locally), but it is also possible to use postgres, mysql or mariadb.

If you are still thinking of installing Keycloak separately, you will find more detailed instructions in
Federation setup
First of all, let's create a new realm. A realm is the space for our application. Each application can have its own realm with different users and settings. The Master realm is used by Keycloak itself and it is a bad idea to use it for anything else.

Click Add realm

Name: kubernetes
Display name: Kubernetes
HTML Display name: <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >

Kubernetes checks by default whether the user's email is verified or not. Since we are using our own LDAP server, this check will always return false. Let's stop exposing this option to Kubernetes:

Client Scopes -> email -> Mappers -> Email verified (Delete)
Now let's set up the federation; to do this, go to:

User Federation -> Add provider... -> ldap

Here is an example of the settings for FreeIPA:

Console Display Name: freeipa.example.org
Vendor: Red Hat Directory Server
UUID LDAP attribute: ipauniqueid
Connection URL: ldaps://freeipa.example.org
Users DN: cn=users,cn=accounts,dc=example,dc=org
Bind DN: uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential: <password>
Allow Kerberos authentication: on
Kerberos Realm: EXAMPLE.ORG
Server Principal: HTTP/[email protected]
KeyTab: /etc/krb5.keytab

The user keycloak-svc must be created in advance on our LDAP server.

In the case of Active Directory, you only need to select Vendor: Active Directory and the required settings will be filled into the form automatically.

Click Save
Now let's continue:

User Federation -> freeipa.example.org -> Mappers -> First Name

Ldap attribute: givenName

Now let's enable group mapping:

User Federation -> freeipa.example.org -> Mappers -> Create

Name: groups
Mapper type: group-ldap-mapper
LDAP Groups DN: cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy: GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE

Now that the federation setup is complete, let's move on to configuring the client.
Client setup
Let's create a new client (the application that will receive users from Keycloak). Go to:

Clients -> Create

Client ID: kubernetes
Access Type: confidential
Root URL: http://kubernetes.example.org/
Valid Redirect URIs: http://kubernetes.example.org/*
Admin URL: http://kubernetes.example.org/

Let's also create a scope for groups:

Client Scopes -> Create

Template: No template
Name: groups
Full group path: false

And set up a mapper for it:

Client Scopes -> groups -> Mappers -> Create

Name: groups
Mapper Type: Group membership
Token Claim Name: groups

Now we need to enable group mapping in our client scopes:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes

Select groups in Available Client Scopes and press Add selected.

Now let's set up authentication for our application; go to:

Clients -> kubernetes

Authorization Enabled: ON

Click Save, and with this the client setup is complete; now in the tab

Clients -> kubernetes -> Credentials

you can get the Secret, which we will use later.
Kubernetes configuration

Configuring Kubernetes for OIDC authorization is very simple and not at all complicated. All you need to do is put the CA certificate of your OIDC server into /etc/kubernetes/pki/oidc-ca.pem and add the required options for kube-apiserver.

To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all your masters.

...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...

Also update the kubeadm config in the cluster so that these settings are not lost on upgrade:

kubectl edit -n kube-system configmaps kubeadm-config

...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...

This completes the Kubernetes setup. You can repeat these steps on all your Kubernetes clusters.
Initial authorization

After these steps, you already have a Kubernetes cluster with OIDC authorization configured. The only thing is that your users do not yet have a configured client or their own kubeconfig. To solve this problem, you need to set up automatic distribution of kubeconfig to users after successful authorization.

To do this, you can use special web applications that let you authenticate the user and then download a ready-made kubeconfig. One of the simplest is

To configure Kuberos, just specify the kubeconfig template and run it with the following parameters:

kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template

For more information see

It is also possible to use

The resulting kubeconfig can be checked on the website: copy users[].user.auth-provider.config.id-token from your kubeconfig into the form on the website and you will immediately get the decoded token.
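As an added example (not code from the article, Kuberos or Keycloak), the following Python script decodes the id-token from a kubeconfig offline and applies the claim rules that kube-apiserver enforces with the --oidc-* flags configured above: issuer, audience (the client id), expiry, the email username claim together with the email_verified rule that is the reason for deleting the mapper, and the groups claim. The signature is deliberately not verified (that needs the issuer's JWKS), and the sample token is constructed with a placeholder signature.

```python
import base64, json, time

# Values from this article's kube-apiserver flags.
ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"  # --oidc-issuer-url
CLIENT_ID = "kubernetes"                                         # --oidc-client-id
USERNAME_CLAIM = "email"                                         # --oidc-username-claim
GROUPS_CLAIM = "groups"                                          # --oidc-groups-claim

def _b64url(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_token(id_token: str, now=None):
    # Return (username, groups) or raise ValueError with the reason kube-apiserver would reject it.
    # The payload is the middle segment; the signature is NOT verified here (needs the issuer's JWKS).
    claims = json.loads(_b64url(id_token.split(".")[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"audience {aud!r} lacks client id {CLIENT_ID!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    username = claims.get(USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {USERNAME_CLAIM!r} claim")
    # With an email username claim kube-apiserver rejects email_verified=false;
    # that is why the article deletes the "Email verified" mapper.
    if USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        raise ValueError("email_verified is false")
    groups = claims.get(GROUPS_CLAIM, [])
    groups = [groups] if isinstance(groups, str) else groups  # a lone string is accepted too
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError(f"{GROUPS_CLAIM!r} must be a list of strings")
    return username, groups

def rejection_reason(id_token: str, now=None):
    # None if the token would be accepted, otherwise the rejection message.
    try:
        check_token(id_token, now)
        return None
    except ValueError as err:
        return str(err)

def make_sample_token(claims: dict) -> str:
    # Constructed token with a placeholder signature, only for exercising the checks offline.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"
```

To check a real kubeconfig, pass the value of users[].user.auth-provider.config.id-token to rejection_reason(); a None result means the claims match what the apiserver in this setup expects.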
Configuring RBAC

When configuring RBAC, you can refer both to the user name (the name field in the JWT token) and to the user's group (the groups field in the JWT token). Here is an example of configuring rights for the group kubernetes-default-namespace-admins:

kubernetes-default-namespace-admins.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins

More RBAC examples can be found in
Setting up auth-proxy

There is a wonderful project

dashboard-proxy.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP
Source: www.habr.com