Setting up Active Directory authorization in Kubernetes with Keycloak

This article was written to extend an existing one: it covers the specifics of integrating with Microsoft Active Directory and fills in some gaps.

In this article I'll show how to install and configure:

  • Keycloak - an open-source project that provides a single sign-on point for applications. It speaks many protocols, including the two we care about here, LDAP and OpenID Connect.
  • keycloak-gatekeeper - a reverse proxy from the same project that lets you put Keycloak authorization in front of an application.
  • gangway - a tool that generates a kubectl config with which you can log in and talk to the Kubernetes API via OpenID Connect.

How authorization works in Kubernetes

We can manage user and group permissions with RBAC; plenty has been written about it, so I won't go into detail. The catch is that RBAC can only restrict what a subject may do, while the API server has no user database of its own: it learns who is calling solely from the credentials presented on each request. So we need a way to deliver identities to Kubernetes. For that we register an OpenID Connect provider with the API server. The provider vouches, through a signed ID token, that a given user exists and which groups they belong to, and Kubernetes then grants rights to that user name and those group names through RBAC. Nothing is stored in the cluster; every request is judged on the token it carries.

Preparation

  • A Kubernetes cluster or minikube
  • Active Directory
  • Domains:
    keycloak.example.org
    kubernetes-dashboard.example.org
    gangway.example.org
  • A certificate for those domains, or a self-signed one

I won't describe how to create a self-signed certificate; you need two certificates: a root (Certificate Authority) and a wildcard server certificate for the *.example.org domain signed by that root. The root is what the API server, gatekeeper and gangway will be told to trust later, so keep its public part at hand.

Once the certificate has been obtained or issued, the server certificate and key must be put into Kubernetes; we create a TLS secret for it:

kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem

We'll reference this secret from every Ingress below.
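A quick check that the wildcard certificate really covers all three hostnames from the list above, before anything is wired to it. This is an added example, not code from the article: the SAN list in it is constructed, and for a real certificate you would take the names from the file (with a recent OpenSSL: openssl x509 -in example.org.crt -noout -ext subjectAltName).

```python
"""Does the wildcard certificate cover every hostname this setup uses?
Added check, not part of the original article; SANS below is constructed."""


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: '*' stands for exactly one whole left-most
    label, so *.example.org covers keycloak.example.org but neither
    example.org nor a.b.example.org. Comparison is case-insensitive and a
    trailing dot is ignored."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, sep, rest = host.partition(".")
    return bool(sep) and head not in ("", "*") and rest == pattern[2:]


def uncovered_hosts(sans: list, hosts: list) -> list:
    """Hosts that no SAN entry matches; an empty list means the cert is sufficient."""
    return [h for h in hosts if not any(hostname_matches(s, h) for s in sans)]


# Constructed: what the wildcard certificate from the article should carry
SANS = ["*.example.org"]
# The three names used in this article
HOSTS = ["keycloak.example.org", "kubernetes-dashboard.example.org", "gangway.example.org"]

if __name__ == "__main__":
    missing = uncovered_hosts(SANS, HOSTS)
    print("all hosts covered" if not missing else f"not covered: {missing}")
```

The two negative cases worth remembering: a wildcard never covers the bare domain, and it never spans more than one label, so a later host such as api.internal.example.org would need its own entry.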

Installing Keycloak

I decided the simplest route is to use ready-made solutions for this, namely helm charts.

Add the repository and update it:

helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create a keycloak.yml file with the following content:

keycloak.yml

keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password. A lab value: use a strong one (or supply it from an existing secret) for anything else
  password: "admin"
  # These flags allow uploading scripts into Keycloak straight through the web UI. We need this
  # to work around a bug described below. Note they let any realm admin run server-side
  # JavaScript, so keep them enabled only as long as the workaround needs them.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable the ingress, set the hostname and the certificate we stored in the secret earlier
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
    - hosts:
        - keycloak.example.org
      secretName: tls-keycloak
  # Keycloak needs a database; for testing I deploy PostgreSQL right inside Kubernetes. Don't do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres

postgresql:
  postgresUser: keycloak
  # Empty password: acceptable only for this throwaway test database
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true

Configuring federation

After that, open the web interface at keycloak.example.org

Click Add realm in the top-left corner and fill in:

Key           Value
Name          kubernetes
Display name  Kubernetes

Disable e-mail verification for users:
Client Scopes -> email -> Mappers -> email verified (Delete)

This matters for the API server later: with --oidc-username-claim=email, kube-apiserver rejects any ID token that carries email_verified=false. Users synced from Active Directory are normally not flagged as verified in Keycloak, so the mapper is removed and the claim is simply not issued; the addresses themselves still come from the directory.

Create a federation to import users from Active Directory; I'll leave screenshots below, I think it will be clearer.

User Federation -> Add provider... -> ldap

[screenshot: configuring the LDAP federation provider]

If everything is fine, after clicking the Synchronize all users button you will see a message about a successful user import.

After that we need to map our groups:

User Federation -> ldap_localhost -> Mappers -> Create

[screenshot: creating the group mapper]

Client configuration

We need to create a client; in Keycloak terms this is the application that will be authorized through it. I'll highlight the important points on the screenshot in red.

Clients -> Create

[screenshot: client configuration]

Let's create a scope for the groups:

Client Scopes -> Create

[screenshot: creating the groups scope]

And create a mapper for it:

Client Scopes -> groups -> Mappers -> Create

[screenshot: the group membership mapper]

Add our groups scope to the client's Default Client Scopes:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes, click Add selected

Obtain the secret (and write it down somewhere) that we'll use for authorization against Keycloak:

Clients -> kubernetes -> Credentials -> Secret

This completes the setup, but I ran into a problem: after a successful login I got a 403 error (bug report).

Fix:

Client Scopes -> roles -> Mappers -> Create

The 403 is an audience check: Keycloak does not put the client id into the ID token's aud claim by default, and keycloak-gatekeeper (like kube-apiserver with --oidc-client-id) rejects a token whose aud does not contain it. The script mapper below adds the client id. Keycloak also ships a built-in Audience protocol mapper (mapper type "Audience", Included Client Audience = kubernetes) that does the same without the script-upload feature flags from keycloak.yml; where it is available it is the safer choice.

[screenshot: the script mapper]

Script code

// Keycloak script mapper (server-side JavaScript). Add the client the token was
// issued for (the azp claim, i.e. our "kubernetes" client) to its audience list.
token.addAudience(token.getIssuedFor());

// The mapper's last expression becomes the value of the claim named in the
// mapper settings; returning the issuer just re-assigns "iss" to what it already is.
token.getIssuer();

Configuring Kubernetes

We need to tell the API server where the root certificate that signed the Keycloak certificate is, and where the OIDC provider lives. --oidc-ca-file is the CA used to validate the TLS connection to Keycloak (the root created above), not the cluster's own CA, and the file must exist on the control-plane node at that path (here a minikube path).
To do this, edit the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml; the kubelet restarts kube-apiserver on its own when the file changes.

kube-apiserver.yaml


...
spec:
  containers:
  - command:
    - kube-apiserver
...
    # CA that signed the Keycloak certificate, present on the control-plane node
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    # the ID token's aud claim must contain this value
    - --oidc-client-id=kubernetes
    # claim holding the group list; its entries become RBAC Group subjects
    - --oidc-groups-claim=groups
    # must equal the token's iss claim exactly; discovery is fetched from <issuer>/.well-known/openid-configuration
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    # claim used as the Kubernetes user name
    - --oidc-username-claim=email
...

Also update the kubeadm configuration stored in the cluster, so the flags survive when kubeadm regenerates the manifest (for example on upgrade):

kubeadm-config

kubectl edit -n kube-system configmaps kubeadm-config


...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...

Setting up the auth proxy

You can use keycloak-gatekeeper to protect your web application. Besides authorizing the user before a page is served, this reverse proxy passes information about the user to the application behind it in HTTP headers. So if your application understands OpenID Connect, the user is signed in immediately. Those headers are only trustworthy if the application cannot be reached except through the proxy (a ClusterIP service with no ingress of its own), otherwise anyone can set them. Consider the Kubernetes Dashboard as an example.

Installing Kubernetes Dashboard

(Helm 2 syntax: Helm 3 takes the release name as the first positional argument instead of --name.)

helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml

values_dashboard.yaml

# Allow plain-HTTP login; TLS terminates at the ingress and gatekeeper in front of it
enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  # Gives the dashboard's own service account cluster-admin, far more than it needs.
  # Keep the service reachable only through the gatekeeper below, and prefer leaving
  # this false so the dashboard acts with the user's own token from the Authorization header.
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'

Setting access rights:

Let's create a ClusterRoleBinding that grants cluster-admin rights (the built-in ClusterRole cluster-admin) to users in the DataOPS group. The subject name is compared exactly against the entries of the token's groups claim; with no --oidc-groups-prefix set that is the Active Directory group name as mapped in Keycloak, case included. You can check the binding before OIDC is in place with kubectl impersonation (kubectl auth can-i with --as and --as-group=DataOPS).


kubectl apply -f rbac.yaml

rbac.yaml


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS
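To make the chain from the "How authorization works" section concrete, here is a model of what kube-apiserver does with an ID token under the flags configured above (issuer URL, client id, email as the user name, groups as the group list), followed by the Group-subject match of the ClusterRoleBinding just created. This is an added example written for this page, not code from the article or from Kubernetes. The tokens in it are constructed, unsigned JWTs so that it runs offline, the user alice@example.org is invented, and the signature check against the issuer's JWKS that a real authenticator performs first is deliberately left out. It also exercises the two failure modes the article works around: a token whose aud lacks the client id (the 403 behind the script mapper) and a token with email_verified=false (why the email verified mapper was deleted).

```python
"""Model of kube-apiserver's OIDC authenticator under the flags from this page
(--oidc-issuer-url, --oidc-client-id, --oidc-username-claim=email,
--oidc-groups-claim=groups) plus the Group-subject match of rbac.yaml.

Constructed example: tokens are unsigned JWTs built locally so this runs
offline. A real authenticator verifies the signature against the issuer's
JWKS before any of these checks; that step is deliberately left out."""
import base64
import json
import time
from typing import List, Optional, Tuple

ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"
CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"
# --oidc-groups-prefix is unset on the page; something like "oidc:" keeps
# directory group names from colliding with built-ins such as system:masters.
GROUPS_PREFIX = ""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build an unsigned JWT (alg "none") for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def claims_of(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def authenticate(token: str, now: Optional[float] = None) -> Tuple[str, List[str]]:
    """Return (username, groups) or raise ValueError, mirroring the apiserver checks."""
    now = time.time() if now is None else now
    c = claims_of(token)
    if c.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = c.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        # Keycloak leaves the client id out of "aud" unless a mapper adds it:
        # this is the check behind the 403 that the script mapper fixes.
        raise ValueError("client id not in aud")
    if float(c.get("exp", 0)) <= now:
        raise ValueError("token expired")
    username = c.get(USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {USERNAME_CLAIM} claim")
    # With the email claim as username, kube-apiserver rejects tokens carrying
    # email_verified=false; hence the page deletes that mapper in Keycloak.
    if USERNAME_CLAIM == "email" and c.get("email_verified") is False:
        raise ValueError("email not verified")
    groups = [GROUPS_PREFIX + g for g in c.get(GROUPS_CLAIM, [])]
    return username, groups


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """None if the token would be accepted, otherwise why it is rejected."""
    try:
        authenticate(token, now)
        return None
    except ValueError as exc:
        return str(exc)


# rbac.yaml from the page, reduced to what the subject match needs
CLUSTER_ROLE_BINDING = {
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "Group", "name": "DataOPS"}],
}


def bound_cluster_roles(username: str, groups: List[str], bindings: list) -> List[str]:
    """ClusterRoles granted to this identity. Subject names are compared
    exactly, so a token group of "dataops" would not match "DataOPS"."""
    roles = []
    for binding in bindings:
        for subject in binding["subjects"]:
            if (subject["kind"] == "User" and subject["name"] == username) or (
                subject["kind"] == "Group" and subject["name"] in groups
            ):
                roles.append(binding["roleRef"]["name"])
                break
    return roles


if __name__ == "__main__":
    token = make_token({"iss": ISSUER, "aud": ["kubernetes"], "exp": 4102444800,
                        "email": "alice@example.org", "groups": ["DataOPS"]})
    user, groups = authenticate(token)
    print(user, groups, bound_cluster_roles(user, groups, [CLUSTER_ROLE_BINDING]))
```

Run it directly to see the accepted identity and the role it ends up with. The order of checks mirrors the real authenticator: issuer, then audience, then expiry, then the claim mapping; a token that fails any of them never reaches RBAC at all, and a token that passes them is judged purely on string equality of user and group names.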

Install keycloak-gatekeeper (the project has since been deprecated by its maintainers; the values below are for the 2.1.0 chart):


helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml

values_proxy.yaml



# Enable the ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - kubernetes-dashboard.example.org

# Where we authenticate: the OIDC provider (the realm URL; discovery is fetched from its .well-known endpoint)
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down (keep a values file containing it out of version control)
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to forward after successful authorization. Format <SCHEME>://<SERVICE_NAME>.<NAMESPACE>.svc.cluster.local
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification of the provider if it is self-signed. This also covers the
# fetch of the token signing keys, so outside a lab trust the root certificate in the
# gatekeeper pod instead and leave this false.
skipOpenidProviderTlsVerify: true
# Access rules: allow every path if the user is in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"

After that, when you go to kubernetes-dashboard.example.org you are redirected to Keycloak and, after a successful login, land on the Dashboard already signed in.

Installing gangway

For convenience you can add gangway, which generates a kubectl config file that lets us log in to Kubernetes as our own user.


helm install --name gangway stable/gangway -f values_gangway.yaml

values_gangway.yaml


gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups scope we mapped could be added here; since it is already a default
  # client scope of the kubernetes client, the groups claim is issued anyway
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value the username would be "First name Last name"; with "sub" it is the login.
  # This only names the user entry in the generated kubeconfig; kube-apiserver identifies the
  # caller by the claim given in --oidc-username-claim (email above), not by this setting.
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"

# Enable the Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # the OIDC callback response carries large cookies; nginx's default buffer is too small for them
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
  - gangway.example.org
  tls:
  - secretName: tls-keycloak
    hosts:
      - gangway.example.org

# If we use a self-signed certificate, its public root certificate must be given here.
trustedCACert: |-
 -----BEGIN CERTIFICATE-----
 MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwHhcNMjAwMjE0MDkxODAwWhcNMzAwMjE0MDkxODAwWjA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyP749PqqIRwNSqaK6qr0Zsi03G4PTCUlgaYTPZuMrwUVPK8xX2dWWs9MPRMOdXpgr8aSTZnVfmelIlVz4D7o2vK5rfmAe9GPcK0WbwKwXyhFU0flS9sU/g46ogHFrk03SZxQAeJhMLfEmAJm8LF5HghtGDs3t4uwGsB95o+lqPLiBvxRB8ZS3jSpYpvPgXAuZWKdZUQ3UUZf0X3hGLp7uIcIwJ7i4MduOGaQEO4cePeEJy9aDAO6qV78YmHbyh9kaW+1DL/Sgq8NmTgHGV6UOnAPKHTnMKXl6KkyUz8uLBGIdVhPxrlzG1EzXresJbJenSZ+FZqm3oLqZbw54Yp5hAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHISTOU/6BQqqnOZj+1xJfxpjiG0MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAj7HC8ObibwOLT4ZYmISJZwub9lcE0AZ5cWkPW39j/syhdbbqjK/6jy2D3WUEbR+s1Vson5Ov7JhN5In2yfZ/ByDvBnoj7CP8Q/ZMjTJgwN7j0rgmEb3CTZvnDPAz8Ijw3FP0cjxfoZ1Z0V2F44Ry7gtLJWr06+MztXVyto3aIz1/XbMQnXYlzc3c3B5yUQIy44Ce5aLRVsAjmXNqVRmDJ2QPNLicvrhnUJsO0zFWI+zZ2hc4Ge1RotCrjfOc9hQY63jZJ17myCZ6QCD7yzMzAob4vrgmkD4q7tpGrhPY/gDcE+lUNhC7DO3l0oPy2wsnT2TEn87eyWmDiTFG9zWDew==
 -----END CERTIFICATE-----

This is what it looks like. It lets you download the config file directly, or generate it yourself with a set of commands:

[screenshot: gangway web interface with the generated kubectl config]

Source: www.habr.com
