Authenticating to Kubernetes with GitHub OAuth and Dex

I would like to present a tutorial on setting up access to a Kubernetes cluster using Dex, dex-k8s-authenticator and GitHub.

[Image: a meme from the Russian-language Kubernetes Telegram chat]

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster through the dashboard and kubectl. Unlike OpenShift, vanilla Kubernetes has no built-in user directory or login flow: the API server only validates credentials issued elsewhere (client certificates, static or service-account tokens, OIDC ID tokens), so we use third-party tools for this.

In this setup we use:

  • dex-k8s-authenticator - a web application that generates the kubectl config
  • Dex - an OpenID Connect provider
  • GitHub - simply because we use GitHub in our company

We tried Google OIDC, but unfortunately could not get it to work with groups, so the GitHub integration suited us well. Without a group mapping it is impossible to build RBAC policies based on groups.

So, this is how our Kubernetes authorization process looks schematically:

[Figure: the authorization flow]

In more detail, step by step:

  1. The user logs in to dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub performs the authorization and returns the result to Dex
  5. Dex passes the result to dex-k8s-authenticator
  6. The user receives an OIDC ID token; it is issued and signed by Dex, and carries the GitHub e-mail and org:team memberships as claims
  7. dex-k8s-authenticator adds the token to the kubeconfig
  8. kubectl sends the token to the kube-apiserver with every request
  9. The kube-apiserver validates the token (signature against Dex's published keys, issuer, audience, expiry), derives the user name and groups from its claims, and answers kubectl according to the RBAC rules for that identity
  10. The user gets access through kubectl

Preparation

Naturally, we already have a Kubernetes cluster installed (k8s.example.com), with HELM pre-installed. We also have an organization on GitHub (super-org).
If you don't have HELM, it is very easy to install.

First we need to configure GitHub.

Go to the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (Authorized OAuth App):
[Screenshot: creating a new OAuth App in GitHub]

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the links: it is important not to lose any slashes, because the redirect URIs are compared as exact strings at each hop of the flow.

In response to the submitted form, GitHub will generate a Client ID and a Client secret. Store them in a safe place, we will need them shortly (for example, we keep them in Vault):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates (this uses the legacy cert-manager API certmanager.k8s.io/v1alpha1, where the ACME solver is configured on the Certificate; newer cert-manager releases use cert-manager.io/v1 and put the solver on the Issuer):

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

A ClusterIssuer named le-clusterissuer must already exist; if it doesn't, create it with HELM (Helm 2 syntax: -n is the release name). A ClusterIssuer is cluster-scoped, so it takes no namespace:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

KubeAPIServer configuration

For the kubeAPIServer to accept Dex tokens, you need to configure OIDC and update the cluster:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy clusters, but this works similarly for other cluster managers: these settings map directly onto the kube-apiserver flags --oidc-issuer-url, --oidc-client-id, --oidc-username-claim and --oidc-groups-claim. The issuer URL must match the iss claim of the tokens character for character, including the trailing slash.
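To make step 9 of the flow concrete, here is an added example (my own code, not from the article, Dex or Kubernetes) that decodes an ID token and applies the claim checks the flags above drive: exact issuer match, audience containing the client ID, expiry, the username claim (with the email_verified rule the API server applies when the username claim is "email") and the groups claim. It deliberately skips signature verification, which the API server performs against Dex's published keys; the sample token, its placeholder signature and the address user@example.com are constructed for the demonstration.

```python
"""Offline check of an OIDC ID token against the kube-apiserver OIDC settings
on this page. Added example; not code from the article or from Dex."""
import base64
import json
import time

# Taken from the kops kubeAPIServer block above.
OIDC_ISSUER_URL = "https://dex.k8s.example.com/"
OIDC_CLIENT_ID = "dex-k8s-authenticator"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token):
    """Return the JWT payload as a dict. The signature is NOT verified here:
    the API server checks it against the issuer's JWKS (Dex serves it under
    <issuer>/keys), which needs network access."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(id_token, now=None):
    """Apply the claim checks the API server's OIDC authenticator applies and
    return the identity it would derive, or the reasons it would refuse."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    problems = []

    # 'iss' must equal --oidc-issuer-url byte for byte; a missing or extra
    # trailing slash is the classic cause of "Unauthorized".
    if claims.get("iss") != OIDC_ISSUER_URL:
        problems.append("issuer %r != configured %r" % (claims.get("iss"), OIDC_ISSUER_URL))

    # 'aud' must contain --oidc-client-id; it may be a string or a list.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OIDC_CLIENT_ID not in audiences:
        problems.append("audience %r does not contain %r" % (audiences, OIDC_CLIENT_ID))

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or has no 'exp'")

    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        problems.append("missing username claim %r" % OIDC_USERNAME_CLAIM)
    # With "email" as the username claim, a present-but-false email_verified
    # claim makes the API server reject the token.
    if OIDC_USERNAME_CLAIM == "email" and claims.get("email_verified") is False:
        problems.append("email_verified is false")

    groups = claims.get(OIDC_GROUPS_CLAIM) or []
    if not isinstance(groups, list):
        groups = [groups]

    return {
        "ok": not problems,
        "problems": problems,
        "username": username,                # shown as User "..." in RBAC errors
        "groups": [str(g) for g in groups],  # what a ClusterRoleBinding Group must name
    }


def make_sample_token(claims):
    """Constructed sample JWT for offline testing only: the header is realistic
    but the signature is a placeholder, so only the claim checks above apply."""
    header = {"alg": "RS256", "kid": "constructed-sample-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed claims shaped like what Dex's GitHub connector issues.
SAMPLE_NOW = 1700000000
GOOD_CLAIMS = {
    "iss": OIDC_ISSUER_URL,
    "aud": OIDC_CLIENT_ID,
    "sub": "constructed-subject",
    "exp": SAMPLE_NOW + 24 * 3600,     # the 24h idTokens expiry from the Dex config
    "iat": SAMPLE_NOW,
    "email": "user@example.com",       # assumed address
    "email_verified": True,
    "groups": ["super-org:team-red"],  # org:team, as Dex's GitHub connector formats it
}

if __name__ == "__main__":
    print(json.dumps(check_token(make_sample_token(GOOD_CLAIMS), now=SAMPLE_NOW), indent=2))
    # The same token with the issuer missing its trailing slash is rejected.
    bad = dict(GOOD_CLAIMS, iss="https://dex.k8s.example.com")
    print(json.dumps(check_token(make_sample_token(bad), now=SAMPLE_NOW), indent=2))
```

Run it against the id-token value that dex-k8s-authenticator writes into your kubeconfig when kubectl answers "Unauthorized": the problems list tells you whether it is the issuer string, the client ID or simply an expired token, and the groups list shows the exact string the ClusterRoleBinding below must use.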

Configuring Dex and dex-k8s-authenticator

The Dex chart needs a certificate and key; the article takes the cluster CA from the Kubernetes master. Be aware of what you are copying: /srv/kubernetes/ca.key is the private key of the CA the API server trusts for client certificates (kops passes /srv/kubernetes/ca.crt as --client-ca-file), so anyone who can read the Secret built from it can mint a client certificate for any user, cluster-admin included. Restrict access to that Secret tightly, or better, give Dex its own key pair, e.g. a cert-manager issued certificate like the ones above; the cluster CA certificate itself (ca.crt, the public half) is all dex-k8s-authenticator needs.

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Let's clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using values files, we can configure different variants for our HELM charts.

Let's describe the Dex configuration. The heredoc is quoted ('EOF') so that the shell does not expand $GITHUB_CLIENT_ID and $GITHUB_CLIENT_SECRET when writing the file; Dex substitutes them from its environment at start-up, where the chart places the envSecrets values:

cat << 'EOF' > values-dex.yml
global:
  deployEnv: prod
tls:
  # TLS key pair the chart hands to Dex; the article reuses the cluster CA here
  # (see the caveat above about the CA private key)
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/   # must equal oidcIssuerURL exactly, trailing slash included
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556   # plain HTTP inside the cluster; TLS is terminated at the ingress
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"      # lifetime of the ID token kubectl presents
  logger:
    level: debug         # lower to info once the flow works
    format: json
  oauth2:
    # dex-k8s-authenticator uses the authorization code flow; "token" and
    # "id_token" additionally enable the implicit flow, which is not needed here
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID          # expanded by Dex from its environment
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback   # the callback URL registered in GitHub
      orgs:
      - name: super-org
        teams:
        - team-red   # only members of this team may log in; the groups claim becomes "super-org:team-red"
  staticClients:
  - id: dex-k8s-authenticator        # must equal oidcClientID on the API server
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase   # replace with a long random value
    redirectURIs:
      - https://login.k8s.example.com/callback/   # exact match with dex-k8s-authenticator's redirect_uri
envSecrets:
  # the chart turns these into a Kubernetes Secret; keep this file out of git
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

And for dex-k8s-authenticator (client_id, client_secret and redirect_uri must match the staticClients entry in the Dex config exactly; k8s_ca_pem is only the public CA certificate, which ends up in every user's kubeconfig):

cat << 'EOF' > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator        # same as staticClients[].id in Dex
    client_secret: generatedLongRandomPhrase # same as staticClients[].secret in Dex
    redirect_uri: https://login.k8s.example.com/callback/   # same as staticClients[].redirectURIs in Dex
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator (Helm 2 syntax again, -n is the release name):

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Let's check that the services are up (Dex should return 400 for /callback called without OAuth parameters, and dex-k8s-authenticator should return 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC configuration

We create a ClusterRole for the group, in our case with read-only access. Two things to note before copying it: the last rule also grants create on pods/exec, which is not read-only in any practical sense, since running a command inside a pod exposes every secret and token mounted there and lets the user change state inside the container; and ingress is not a real resource name (the resource is ingresses), so it is dropped below. Read access to configmaps is also worth a second look, because they frequently carry configuration that should not be world-readable.

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  # read-only access to the listed resources in the listed API groups
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  # non-resource endpoints such as /healthz, /version, /apis
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  # "create" on pods/exec is what `kubectl exec` needs; this is not read-only
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Let's create the ClusterRoleBinding. A ClusterRoleBinding is cluster-scoped (no namespace), subjects is a list, and a Group subject needs apiGroup; the group name is the org:team string Dex's GitHub connector puts in the groups claim:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "super-org:team-red"
EOF
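To see what this role actually grants before handing it to a team, here is an added example (not from the article) that evaluates requests against the rules of the ClusterRole above with the matching semantics RBAC uses: verb, API group, resource with optional subresource (including the "*" and "*/subresource" forms) and nonResourceURLs. The binding table and the request list are constructed; "super-org:team-blue" is an assumed second team with no binding. On a live cluster the same question is answered by `kubectl auth can-i <verb> <resource> --as=someone --as-group=super-org:team-red` (or `--list`), without needing a real GitHub login.

```python
"""Offline evaluation of the cluster-read-all ClusterRole from this page using
the matching rules the RBAC authorizer applies. Added example, not code from
the article or from Kubernetes."""

# Rules of the ClusterRole above, transcribed (resource name "ingresses").
CLUSTER_READ_ALL = [
    {
        "apiGroups": ["", "apps", "autoscaling", "batch", "extensions", "policy",
                      "rbac.authorization.k8s.io", "storage.k8s.io"],
        "resources": [
            "componentstatuses", "configmaps", "cronjobs", "daemonsets", "deployments",
            "events", "endpoints", "horizontalpodautoscalers", "ingresses", "jobs",
            "limitranges", "namespaces", "nodes", "pods", "pods/log", "pods/exec",
            "persistentvolumes", "persistentvolumeclaims", "resourcequotas",
            "replicasets", "replicationcontrollers", "serviceaccounts", "services",
            "statefulsets", "storageclasses", "clusterroles", "roles"],
        "verbs": ["get", "watch", "list"],
    },
    {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]

# The ClusterRoleBinding above: group -> rule sets of the roles bound to it.
# A ClusterRoleBinding applies in every namespace, so namespaces are ignored here.
GROUP_BINDINGS = {"super-org:team-red": [CLUSTER_READ_ALL]}


def _verb_matches(rule, verb):
    return "*" in rule["verbs"] or verb in rule["verbs"]


def _resource_matches(rule, resource, subresource):
    """"*" matches everything, "pods/exec" matches resource "pods" with
    subresource "exec", and "*/exec" matches any resource's "exec"."""
    combined = resource + "/" + subresource if subresource else resource
    for r in rule.get("resources", []):
        if r == "*" or r == combined:
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False


def _url_matches(rule, path):
    """nonResourceURLs: "*", an exact path, or a prefix written with a trailing "*"."""
    for u in rule.get("nonResourceURLs", []):
        if u == "*" or u == path:
            return True
        if u.endswith("*") and path.startswith(u.rstrip("*")):
            return True
    return False


def rules_allow(rules, verb, resource=None, api_group="", subresource="", path=None):
    """True if any single rule covers the request (rules never combine)."""
    for rule in rules:
        if not _verb_matches(rule, verb):
            continue
        if path is not None:                      # non-resource request, e.g. GET /healthz
            if _url_matches(rule, path):
                return True
            continue
        if "resources" not in rule:               # a nonResourceURLs rule; not for resources
            continue
        if "*" not in rule["apiGroups"] and api_group not in rule["apiGroups"]:
            continue
        if _resource_matches(rule, resource, subresource):
            return True
    return False


def can_i(groups, verb, resource=None, api_group="", subresource="", path=None):
    """The question `kubectl auth can-i ... --as-group=<g>` answers: does a role
    bound to one of the user's groups allow the request? RBAC is allow-only,
    so no matching rule means Forbidden."""
    for group in groups:
        for rules in GROUP_BINDINGS.get(group, []):
            if rules_allow(rules, verb, resource, api_group, subresource, path):
                return True
    return False


if __name__ == "__main__":
    team_red = ["super-org:team-red"]
    for req in [("get", "pods"), ("delete", "pods"), ("create", "pods", "", "exec"),
                ("get", "secrets"), ("get", "deployments", "apps")]:
        print(req, "->", "allowed" if can_i(team_red, *req) else "forbidden")
```

The output matches what the Testing section shows: get pods is allowed and delete pods is Forbidden, while create on pods/exec goes through. Because `secrets` is absent from the role, reading them directly is refused, yet the exec permission reaches the same data from inside the pod, which is the reason to think twice before calling this role read-only.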

Now we are ready to test.

Testing

Go to the login page (https://login.k8s.example.com) and sign in with your GitHub account:

[Screenshot: the login page]

[Screenshot: the login page redirected to GitHub]

[Screenshot: follow the displayed instructions to obtain access]

After copying the generated commands from the web page, we can use kubectl to work with our cluster resources:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: members of the team-red team in our GitHub organization (the team listed in the Dex connector and named in the ClusterRoleBinding) can view resources and exec into pods, but have no rights to modify them.

Source: www.habr.com
