Sengoliloeng sena se ngoletsoe ho atolosa se seng se ntse se le teng
Sehloohong sena ke tla u bolella mokhoa oa ho kenya le ho lokisa:
- kobo ea senotlolo ke morero oa mohloli o bulehileng. E fanang ka ntlha e le 'ngoe ea ho kena bakeng sa likopo. E sebetsa ka liprothokholo tse ngata, ho kenyeletsoa LDAP le OpenID tseo re li ratang.
- molebeli oa heke oa senotlolo - ts'ebeliso ea projeke ea morao e u lumellang ho kopanya tumello ka Keycloak.
- gangway - sesebelisoa se hlahisang config bakeng sa kubectl eo u ka kenang ka eona le ho hokela Kubernetes API ka OpenID.
Litumello li sebetsa joang Kubernetes.
Re ka khona ho laola litokelo tsa basebelisi / sehlopha re sebelisa RBAC, ho se ho entsoe lingoliloeng tse ngata mabapi le sena, nke ke ka lula ho sena ka botlalo. Bothata ke hore o ka sebelisa RBAC ho thibela litokelo tsa basebelisi, empa Kubernetes ha a tsebe letho ka basebelisi. Hoa fumaneha hore re hloka mokhoa oa ho tsamaisa basebelisi ho Kubernetes. Ho etsa sena, re tla eketsa mofani oa Kuberntes OpenID, e tla re mosebelisi ea joalo o teng, mme Kubernetes ka boeena o tla mo fa litokelo.
Ho lokisetsa
- U tla hloka sehlopha sa Kubernetes kapa minikube
- Active Directory
- Libaka:
keycloak.example.org
kubernetes-dashboard.example.org
gangway.example.org - Setifikeiti sa libaka kapa setifikeiti se ingoletseng
Ha ke na ho bua ka mokhoa oa ho theha setifikeiti sa ho ingolisa, o hloka ho etsa litifikeiti tse 2, ona ke motso (Certificate Authority) le moreki oa wildcard bakeng sa *.example.org domain
Kamora ho amohela / ho fana ka setifikeiti, moreki o tlameha ho eketsoa ho Kubernetes, hobane sena re se etsetsa lekunutu:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem
Ka mor'a moo, re tla e sebelisa bakeng sa molaoli oa rona oa Ingress.
Ho kenya Keycloak
Ke ile ka etsa qeto ea hore tsela e bonolo ka ho fetisisa ke ho sebelisa litharollo tse lokiselitsoeng bakeng sa sena, e leng lichate tsa helm.
Kenya polokelo 'me u e ntlafatse:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
Theha faele ea keycloak.yml e nang le litaba tse latelang:
keycloak.yml
keycloak:
# Имя администратора
username: "test_admin"
# Пароль администратор
password: "admin"
# Эти флаги нужны что бы позволить загружать в Keycloak скрипты прямо через web морду. Это нам
понадобиться что бы починить один баг, о котором ниже.
extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
# Включаем ingress, указываем имя хоста и сертификат который мы предварительно сохранили в secrets
ingress:
enabled: true
path: /
annotations:
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/affinity: cookie
hosts:
- keycloak.example.org
tls:
- hosts:
- keycloak.example.org
secretName: tls-keycloak
# Keycloak для своей работы требует базу данных, в тестовых целях я разворачиваю Postgresql прямо в Kuberntes, в продакшене так лучше не делать!
persistence:
deployPostgres: true
dbVendor: postgres
postgresql:
postgresUser: keycloak
postgresPassword: ""
postgresDatabase: keycloak
persistence:
enabled: true
Ho hlophisoa ha Federation
Ka mor'a moo, ea ho web interface
Tobetsa hukung e leqeleng Kenya sebaka
Key
latela boleng ba
lebitso
hobernetes
Lebitso le hlahang
Kubernetes
Thibela netefatso ea lengolo-tsoibila la basebelisi:
Likarolo tsa bareki —> Imeile —> Limmapa —> Imeile e netefalitsoe (Phumula)
Re theha mokhatlo oa ho kenya basebelisi ho tsoa ho ActiveDirectory, ke tla siea li-screenshots ka tlase, ke nahana hore e tla hlaka haholoanyane.
Mokhatlo oa basebelisi —> Eketsa mofani… —> ldap
Ho hlophisoa ha Federation
Haeba tsohle li lokile, ka mor'a ho tobetsa konopo Amahanya basebelisi bohle u tla bona molaetsa mabapi le thomello e atlehileng ea basebelisi.
Ka mor'a moo re hloka ho etsa 'mapa oa lihlopha tsa rona
Mokhatlo oa basebelisi -> ldap_localhost --> Limmapa --> Theha
Ho theha 'mapa
Tlhophiso ea bareki
Hoa hlokahala ho theha moreki, ho latela Keycloak, ena ke kopo e tla lumelloa ho tsoa ho eena. Ke tla totobatsa lintlha tsa bohlokoa skrineng ka bofubelu.
Bareki —> Theha
Tlhophiso ea bareki
Ha re theheng scoupe bakeng sa lihlopha:
Likarolo tsa Client —> Theha
Etsa sebaka
'Me u ba etsetse 'mapa:
Likarolo tsa Client —> lihlopha —> Limmapa —> Theha
'Mapa
Kenya 'mapa oa lihlopha tsa rona ho Mekhahlelo e Ikemetseng ea Bareki:
Bareki -> kubernetes -> Melemo ea bareki -> Mehato ea kamehla ea bareki
Khetha lihlopha в Likarolo tse fumanehang tsa Client, tobetsa Kenya e khethiloeng
Re fumana lekunutu ('me re le ngolle khoeleng) eo re tla e sebelisa bakeng sa tumello ho Keycloak:
Bareki —> kubernetes —> Bopaki —> Lekunutu
Sena se phethela ho seta, empa ke bile le phoso ha, kamora tumello e atlehileng, ke fumana phoso 403.
Lokisa:
Likarolo tsa Client —> likarolo —> Limmapa —> Theha
'Mapa
Script khoutu
// add current client-id to token audience
token.addAudience(token.getIssuedFor());
// return token issuer as dummy result assigned to iss again
token.getIssuer();
Ho lokisa Kubernetes
Re hloka ho hlakisa hore na setifikeiti sa rona sa motso se tsoa sebakeng sa marang-rang se hokae, le hore na mofani oa OIDC o hokae.
Ho etsa sena, hlophisa faele /etc/kubernetes/manifests/kube-apiserver.yaml
kube-apiserver.yaml
...
spec:
containers:
- command:
- kube-apiserver
...
- --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
- --oidc-client-id=kubernetes
- --oidc-groups-claim=groups
- --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
- --oidc-username-claim=email
...
Ntlafatsa tlhophiso ea kubeadm sehlopheng:
kubeadmconfig
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
ClusterConfiguration: |
apiServer:
extraArgs:
oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
oidc-client-id: kubernetes
oidc-groups-claim: groups
oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
oidc-username-claim: email
...
Ho beha auth-proxy
U ka sebelisa senotlolo sa heke ho sireletsa ts'ebeliso ea hau ea webo. Ntle le taba ea hore proxy ena e ka morao e tla fana ka tumello ea mosebelisi pele e bontša leqephe, e tla fetisa tlhahisoleseling ka uena ho sesebelisoa sa ho qetela lihloohong. Kahoo, haeba kopo ea hau e tšehetsa OpenID, joale mosebedisi o lumelloa hang-hang. Nahana ka mohlala oa Kubernetes Dashboard
Ho kenya Kubernetes Dashboard
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
externalPort: 80
rbac:
clusterAdminRole: true
create: true
serviceAccount:
create: true
name: 'dashboard-test'
Ho beha litokelo tsa ho kena:
Ha re theheng ClusterRoleBinding e tla fana ka litokelo tsa admin tsa cluster (standard ClusterRole cluster-admin) bakeng sa basebelisi ba sehlopha sa DataOPS.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dataops_group
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: DataOPS
Kenya molebeli oa heke oa keycloak:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# Включаем ingress
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
path: /
hosts:
- kubernetes-dashboard.example.org
tls:
- secretName: tls-keycloak
hosts:
- kubernetes-dashboard.example.org
# Говорим где мы будем авторизовываться у OIDC провайдера
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Имя клиента которого мы создали в Keycloak
ClientID: "kubernetes"
# Secret который я просил записать
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Куда перенаправить в случае успешной авторизации. Формат <SCHEMA>://<SERVICE_NAME>.><NAMESAPCE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Пропускаем проверку сертификата, если у нас самоподписанный
skipOpenidProviderTlsVerify: true
# Настройка прав доступа, пускаем на все path если мы в группе DataOPS
rules:
- "uri=/*|groups=DataOPS"
Ka mor'a moo, ha u leka ho ea
ho kenya gangway
Bakeng sa boiketlo, o ka eketsa gangway e tla hlahisa faele ea config bakeng sa kubectl, ka thuso eo re tla kena ho eona Kubernetes tlas'a mosebedisi oa rona.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
# Произвольное имя кластера
clusterName: "my-k8s"
# Где у нас OIDC провайдер
authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
# Теоритически сюда можно добавить groups которые мы замапили
scopes: ["openid", "profile", "email", "offline_access"]
redirectURL: "https://gangway.example.org/callback"
# Имя клиента
clientID: "kubernetes"
# Секрет
clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Если оставить дефолтное значние, то за имя пользователя будет братья <b>Frist name</b> <b>Second name</b>, а при "sub" его логин
usernameClaim: "sub"
# Доменное имя или IP адресс API сервера
apiServerURL: "https://192.168.99.111:8443"
# Включаем Ingress
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
path: /
hosts:
- gangway.example.org
tls:
- secretName: tls-keycloak
hosts:
- gangway.example.org
# Если используем самоподписанный сертификат, то его(открытый корневой сертификат) надо указать.
trustedCACert: |-
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwHhcNMjAwMjE0MDkxODAwWhcNMzAwMjE0MDkxODAwWjA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyP749PqqIRwNSqaK6qr0Zsi03G4PTCUlgaYTPZuMrwUVPK8xX2dWWs9MPRMOdXpgr8aSTZnVfmelIlVz4D7o2vK5rfmAe9GPcK0WbwKwXyhFU0flS9sU/g46ogHFrk03SZxQAeJhMLfEmAJm8LF5HghtGDs3t4uwGsB95o+lqPLiBvxRB8ZS3jSpYpvPgXAuZWKdZUQ3UUZf0X3hGLp7uIcIwJ7i4MduOGaQEO4cePeEJy9aDAO6qV78YmHbyh9kaW+1DL/Sgq8NmTgHGV6UOnAPKHTnMKXl6KkyUz8uLBGIdVhPxrlzG1EzXresJbJenSZ+FZqm3oLqZbw54Yp5hAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHISTOU/6BQqqnOZj+1xJfxpjiG0MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAj7HC8ObibwOLT4ZYmISJZwub9lcE0AZ5cWkPW39j/syhdbbqjK/6jy2D3WUEbR+s1Vson5Ov7JhN5In2yfZ/ByDvBnoj7CP8Q/ZMjTJgwN7j0rgmEb3CTZvnDPAz8Ijw3FP0cjxfoZ1Z0V2F44Ry7gtLJWr06+MztXVyto3aIz1/XbMQnXYlzc3c3B5yUQIy44Ce5aLRVsAjmXNqVRmDJ2QPNLicvrhnUJsO0zFWI+zZ2hc4Ge1RotCrjfOc9hQY63jZJ17myCZ6QCD7yzMzAob4vrgmkD4q7tpGrhPY/gDcE+lUNhC7DO3l0oPy2wsnT2TEn87eyWmDiTFG9zWDew==
-----END CERTIFICATE-----
E shebahala tjena. E u lumella ho khoasolla faele ea config hang-hang 'me u e hlahise u sebelisa sete ea litaelo:
Source: www.habr.com