Authenticating to Kubernetes with GitHub OAuth and Dex

We present a tutorial on setting up access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

[Image: a local meme from the Russian-speaking Kubernetes Telegram chat]

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster both through the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes has no built-in user authentication, so we use third-party tools for it.

In this setup we use:

  • dex-k8s-authenticator - a web application that generates the kubectl config
  • Dex - an OpenID Connect provider
  • GitHub - because we use GitHub in our company

We tried Google OIDC first, but unfortunately could not get it working with groups, so the GitHub integration suited us well. Without a group mapping there is no way to write group-based RBAC policies; every user would have to be bound individually.

So, here is how the Kubernetes authentication process looks in a diagram:

[Diagram: the authorization flow]

A bit more detail, point by point:

  1. The user logs in to dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
  3. Dex redirects the user to the GitHub login page
  4. GitHub authenticates the user, generates the required authorization data and returns it to Dex
  5. Dex passes the received data on to dex-k8s-authenticator
  6. The user receives an OIDC ID token issued by Dex, carrying the GitHub identity (email) and team membership (groups) as claims
  7. dex-k8s-authenticator adds the token to the kubeconfig
  8. kubectl sends the token to KubeAPIServer
  9. KubeAPIServer validates the token (signature, issuer, audience, expiry) and grants kubectl access based on the username and groups it carries
  10. The user has access through kubectl

Preparation

Naturally, we already have a Kubernetes cluster installed (k8s.example.com), and HELM is installed on it. We also have an organization on GitHub (super-org).
If you do not have HELM, installing it is very easy.

First we need to set up GitHub.

Go to the organization's settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
[Screenshot: creating a new OAuth application in GitHub]

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the links: the callback URL registered here must match the redirectURI that Dex sends byte-for-byte, so do not lose a slash.

In response to the submitted form GitHub will generate a Client ID and a Client secret; keep them somewhere safe, they will be needed later (we, for example, store secrets in Vault):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates (the manifests use the legacy certmanager.k8s.io/v1alpha1 API; adjust the apiVersion to the cert-manager release you run):

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

A ClusterIssuer named le-clusterissuer should already exist; if it does not, create it using HELM (ClusterIssuer is cluster-scoped, so the namespace field below is ignored):

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

Configuring KubeAPIServer

For kubeAPIServer to accept these tokens you need to configure OIDC and update the cluster:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy clusters, but the same API server flags (--oidc-issuer-url, --oidc-client-id, --oidc-username-claim, --oidc-groups-claim) apply to any other way of managing the control plane. Note that oidcIssuerURL must match the issuer in Dex's configuration exactly, trailing slash included.
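The token check in steps 6 to 9 of the flow above, and what the kops settings mean for it, are worth seeing concretely. The following is an added example, not code from the article, from Dex or from Kubernetes: it mints a Dex-style ID token with a constructed HS256 key and then checks it the way kube-apiserver's OIDC authenticator does (signature, exact issuer match, audience, expiry, username and groups claims). Real Dex tokens are RS256-signed and verified against the keys published at the issuer's /keys endpoint; the HMAC key and the user dev@example.com are stand-ins so that it runs offline.

```python
# Added example, not part of the original article or of Dex/kops.
# Mints a Dex-style ID token with a constructed HS256 key and checks it the way
# kube-apiserver's OIDC authenticator does, using the kops settings above.
# Real Dex tokens are RS256-signed and verified against <issuer>/keys; HMAC is
# used here only so the example runs offline.
import base64
import hashlib
import hmac
import json
import time

# Copied from the kops kubeAPIServer block in this article.
APISERVER_OIDC = {
    "oidcIssuerURL": "https://dex.k8s.example.com/",
    "oidcClientID": "dex-k8s-authenticator",
    "oidcUsernameClaim": "email",
    "oidcGroupsClaim": "groups",
}

# Constructed signing key standing in for Dex's private key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, key=DEMO_KEY):
    """Serialise claims as a compact HS256 JWT (stand-in for what Dex issues)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def authenticate(token, key=DEMO_KEY, now=None):
    """Return {"user": ..., "groups": [...]} or raise ValueError.

    Mirrors the checks kube-apiserver applies before RBAC sees the request:
    signature, exact issuer match, audience == oidcClientID, expiry, and the
    presence of the username claim. Groups come from the oidcGroupsClaim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, signature = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    # The issuer is compared byte-for-byte: "https://dex.k8s.example.com" and
    # "https://dex.k8s.example.com/" are different issuers.
    if claims.get("iss") != APISERVER_OIDC["oidcIssuerURL"]:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if APISERVER_OIDC["oidcClientID"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: %r" % aud)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    user = claims.get(APISERVER_OIDC["oidcUsernameClaim"])
    if not user:
        raise ValueError("username claim %r missing" % APISERVER_OIDC["oidcUsernameClaim"])
    groups = claims.get(APISERVER_OIDC["oidcGroupsClaim"]) or []
    return {"user": user, "groups": list(groups)}


if __name__ == "__main__":
    # Constructed user and group, in the "<org>:<team>" form Dex's GitHub connector emits.
    base = {"aud": "dex-k8s-authenticator", "exp": int(time.time()) + 3600,
            "email": "dev@example.com", "groups": ["super-org:team-red"]}
    good = mint_id_token(dict(base, iss="https://dex.k8s.example.com/"))
    print("accepted:", authenticate(good))
    no_slash = mint_id_token(dict(base, iss="https://dex.k8s.example.com"))
    try:
        authenticate(no_slash)
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the token whose iss carries the trailing slash being accepted and the one without it being rejected. This literal issuer comparison is a common cause of an Unauthorized from kubectl after a setup like this one, so check the issuer strings first when the login page works but kubectl does not.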

Configuring Dex and dex-k8s-authenticator

For Dex to work you need a certificate and key from the Kubernetes master; let's fetch them from there. Bear in mind that ca.key is the cluster's root of trust: below it ends up in a Helm values file and in a Secret, so keep that file out of version control and restrict who can read Secrets in kube-system:

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Let's clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using values files, we can flexibly set the variables for our HELM charts.

Let's describe the Dex configuration. Replace generatedLongRandomPhrase with a real random string (for example from openssl rand -base64 32), and remember that this file contains the GitHub client secret and the CA key, so do not commit it:

cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

And for dex-k8s-authenticator:

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Let's check that the services are up (Dex should answer 400 on /callback, because it is being called without the OAuth parameters, and dex-k8s-authenticator should answer 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

We create a ClusterRole for the group; in our case it is read-only, plus the ability to exec into pods. Note that create on pods/exec is not a read-only permission: whoever can exec into a pod can run commands under that pod's service account and read whatever is mounted into it, so grant it deliberately:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Let's create the ClusterRoleBinding (the group name has the form "<org>:<team>", which is what Dex's GitHub connector puts into the groups claim):

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  # subjects is a list; ClusterRoleBindings are cluster-scoped, so no namespace is set
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "super-org:team-red"
EOF
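To see exactly what the role and binding above grant, here is an added example (not from the article and not Kubernetes code) that re-implements RBAC rule matching and runs it over the cluster-read-all role: delete pods is denied, create pods/exec is allowed, and secrets are not readable because they are not listed. The rules are copied from the ClusterRole above; the matching logic follows the documented RBAC semantics ("*" wildcard, "resource/*" and "*/subresource" patterns, trailing "*" in nonResourceURLs).

```python
# Added example, not part of the original article or of Kubernetes.
# A minimal re-implementation of how RBAC matches a request against PolicyRules,
# run over the cluster-read-all ClusterRole above. It makes explicit what the
# role grants: reads on the listed resources, `create pods/exec` (which is not
# read-only: exec runs commands under the pod's service account), and nothing
# on resources that are not listed, such as secrets.

# Rules copied from the cluster-read-all ClusterRole in this article.
CLUSTER_READ_ALL = [
    {
        "apiGroups": ["", "apps", "autoscaling", "batch", "extensions", "policy",
                      "rbac.authorization.k8s.io", "storage.k8s.io"],
        "resources": ["componentstatuses", "configmaps", "cronjobs", "daemonsets",
                      "deployments", "events", "endpoints", "horizontalpodautoscalers",
                      "ingress", "ingresses", "jobs", "limitranges", "namespaces", "nodes",
                      "pods", "pods/log", "pods/exec", "persistentvolumes",
                      "persistentvolumeclaims", "resourcequotas", "replicasets",
                      "replicationcontrollers", "serviceaccounts", "services",
                      "statefulsets", "storageclasses", "clusterroles", "roles"],
        "verbs": ["get", "watch", "list"],
    },
    {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]


def _verb_matches(rule, verb):
    return "*" in rule["verbs"] or verb in rule["verbs"]


def _resource_matches(patterns, resource):
    # RBAC semantics: "*" matches everything, otherwise exact match; a
    # "resource/subresource" request also matches "resource/*" and "*/subresource".
    if "*" in patterns or resource in patterns:
        return True
    if "/" in resource:
        res, sub = resource.split("/", 1)
        return f"{res}/*" in patterns or f"*/{sub}" in patterns
    return False


def _path_matches(patterns, path):
    # nonResourceURLs allow "*" and a trailing "*" wildcard, e.g. "/api/*".
    for p in patterns:
        if p == "*" or p == path or (p.endswith("*") and path.startswith(p[:-1])):
            return True
    return False


def allowed(rules, verb, api_group=None, resource=None, path=None):
    """True if any rule permits the request. A ClusterRoleBinding applies
    cluster-wide, so there is no namespace check. Pass path= for non-resource URLs."""
    for rule in rules:
        if not _verb_matches(rule, verb):
            continue
        if path is not None:
            if _path_matches(rule.get("nonResourceURLs", []), path):
                return True
        elif "resources" in rule:
            groups = rule.get("apiGroups", [])
            if ("*" in groups or api_group in groups) and _resource_matches(rule["resources"], resource):
                return True
    return False


if __name__ == "__main__":
    checks = [
        ("list", "", "pods"), ("delete", "", "pods"), ("create", "", "pods/exec"),
        ("get", "", "secrets"), ("get", "apps", "deployments"), ("update", "apps", "deployments"),
    ]
    for verb, group, res in checks:
        verdict = "allow" if allowed(CLUSTER_READ_ALL, verb, group, res) else "deny"
        print(f"{verb:7} {group or 'core':6} {res:16} -> {verdict}")
    print("GET /healthz ->", "allow" if allowed(CLUSTER_READ_ALL, "get", path="/healthz") else "deny")
```

On a live cluster the same questions go to the API server itself with impersonation, for example kubectl auth can-i delete pods --as=dev@example.com --as-group=super-org:team-red, which is worth running before handing the login page to the team.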

Now we are ready to test.

Testing

Go to the login page (https://login.k8s.example.com) and log in with your GitHub account:

[Screenshot: the login page]

[Screenshot: the login page redirected to GitHub]

[Screenshot: follow the generated instructions to log in]

After copying the generated commands from the web page, we can use kubectl to work with our cluster resources:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: members of team-red in our GitHub organization can see resources and exec into pods, but have no rights to change cluster objects.

Source: www.habr.com
