A short tutorial on how to use Keycloak to connect Kubernetes to your LDAP server and set up the import of users and groups. This lets you configure RBAC for your users and put an auth-proxy in front of the Kubernetes Dashboard and other applications that cannot authenticate users on their own.
Installing Keycloak
Let's assume you already have an LDAP server. It can be Active Directory, FreeIPA, OpenLDAP or anything else. If you have no LDAP server, you can in principle create users directly in the Keycloak interface, or use public OIDC providers (Google, GitHub, GitLab); the result will be almost the same.
First of all, let's install Keycloak itself. It can be installed separately or directly into the Kubernetes cluster; as a rule, if you have several Kubernetes clusters, it is easier to install it separately. On the other hand, you can always use
To store Keycloak's data you will need a database. The default is h2 (all data is stored locally), but it is also possible to use postgres, mysql or mariadb.
If you do decide to install Keycloak separately, you will find more detailed instructions
Configuring federation
First of all, let's create a new realm. A realm is the space of our application. Each application can have its own realm with its own users and authorization settings. The master realm is used by Keycloak itself, and using it for anything else is a mistake.
Click Add realm:
Option | Value
Name | kubernetes
Display name | Kubernetes
HTML Display name | <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >
Kubernetes checks whether the user's e-mail address has been verified or not. Since we use our own LDAP server, this check would always return false. So let's stop exposing this attribute to Kubernetes at all:
Client Scopes -> Email -> Mappers -> email verified (Delete)
Now let's set up the federation; for this go to:
User Federation -> Add provider... -> ldap
Here is an example setup for FreeIPA:
Option | Value
Console Display Name | freeipa.example.org
Vendor | Red Hat Directory Server
UUID LDAP attribute | ipauniqueid
Connection URL | ldaps://freeipa.example.org
Users DN | cn=users,cn=accounts,dc=example,dc=org
Bind DN | uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential | <password>
Allow Kerberos authentication | on
Kerberos Realm | EXAMPLE.ORG
Server Principal | HTTP/freeipa.example.org@EXAMPLE.ORG
KeyTab | /etc/krb5.keytab
The user keycloak-svc must be created in advance on our LDAP server.
In the case of Active Directory, simply select Vendor: Active Directory and the required settings will be filled into the form automatically.
Click Save.
Now let's go to:
User Federation -> freeipa.example.org -> Mappers -> First Name
Option | Value
Ldap attribute | givenName
Now enable the group mapping:
User Federation -> freeipa.example.org -> Mappers -> Create
Option | Value
Name | groups
Mapper type | group-ldap-mapper
LDAP Groups DN | cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy | GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
This completes the federation setup; let's move on to creating the client.
Client configuration
Let's create a new client (the application that will receive users from Keycloak). Go to:
Clients -> Create
Option | Value
Client ID | kubernetes
Access Type | confidential
Root URL | http://kubernetes.example.org/
Valid Redirect URIs | http://kubernetes.example.org/*
Admin URL | http://kubernetes.example.org/
We will also create a scope for groups:
Client Scopes -> Create
Option | Value
Template | No template
Name | groups
Full group path | false
And create a mapper for it:
Client Scopes -> groups -> Mappers -> Create
Option | Value
Name | groups
Mapper Type | Group membership
Token Claim Name | groups
Now we need to enable the groups mapping in the scope of our client:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and click Add selected.
Now let's set up authentication for our application; go to:
Clients -> kubernetes
Option | Value
Authorization Enabled | ON
Click Save, and this completes the client setup. Now on the tab
Clients -> kubernetes -> Credentials
you can find the Secret, which we will use later.
Configuring Kubernetes
Configuring Kubernetes for OIDC authentication is quite trivial and nothing complicated. All you need to do is put the CA certificate of your OIDC server at /etc/kubernetes/pki/oidc-ca.pem and add the required options to kube-apiserver.
To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all of your masters:
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...
Also update the kubeadm configuration stored in the cluster, so that these settings are not lost during an upgrade:
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
This completes the Kubernetes setup. You can repeat these steps on all of your Kubernetes clusters.
Initial authorization
After these steps you will have a Kubernetes cluster with OIDC authentication configured. The only catch is that your users do not yet have a configured client, nor their kubeconfig. To solve this, you need to set up automatic issuance of a kubeconfig to users after a successful login.
For this you can use special web applications that authenticate the user and then let them download a ready-made kubeconfig. One of the most convenient is Kuberos.
To configure Kuberos, it is enough to describe a kubeconfig template and run it with the following parameters:
kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template
For more details, see
It is also possible to use
The resulting kubeconfig can be checked on the site: copy the value of users[].user.auth-provider.config.id-token from your kubeconfig into the form on the site and you get the decoded token immediately.
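The same inspection can be done offline, and it is worth going one step further than an online decoder: besides showing the claims, the script below checks them against the kube-apiserver flags set earlier (issuer URL, client ID, username claim, groups claim), including the email_verified rule that motivated deleting the "email verified" mapper above. This is an added example, not code from the article or from Kuberos; the kubeconfig and the ID token it parses are constructed samples (the token's signature is a placeholder and is never verified), and the kubeconfig is embedded in JSON form, which is valid YAML, so a real file only needs yaml.safe_load in place of json.loads.

```python
import base64
import json
import time

# Settings matching the kube-apiserver flags from this article.
OIDC_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore '=' padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(payload: dict) -> str:
    """Build a constructed ID token for offline demonstration. The signature
    segment is a placeholder (kube-apiserver would reject this token)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"constructed-signature"),
    ])


def extract_id_token(kubeconfig: dict, user_name: str) -> str:
    """Return users[].user.auth-provider.config.id-token for the named user."""
    for entry in kubeconfig.get("users", []):
        if entry.get("name") == user_name:
            return entry["user"]["auth-provider"]["config"]["id-token"]
    raise KeyError(f"no user {user_name!r} in kubeconfig")


def decode_jwt_unverified(token: str) -> tuple:
    """Decode header and payload WITHOUT verifying the signature, exactly what
    an online JWT decoder shows. Inspection only; trust decisions are made by
    kube-apiserver, which verifies the signature against the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(payload: dict, issuer_url: str = OIDC_ISSUER_URL,
                 client_id: str = OIDC_CLIENT_ID,
                 username_claim: str = OIDC_USERNAME_CLAIM,
                 groups_claim: str = OIDC_GROUPS_CLAIM, now: float = None) -> list:
    """Apply the checks kube-apiserver applies to an OIDC ID token and return a
    list of problems; an empty list means the claims fit the apiserver flags."""
    problems = []
    if payload.get("iss") != issuer_url:
        problems.append(f"iss {payload.get('iss')!r} != --oidc-issuer-url {issuer_url!r}")
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain --oidc-client-id {client_id!r}")
    exp = payload.get("exp")
    if exp is None or exp < (now if now is not None else time.time()):
        problems.append("token is expired or has no exp claim")
    if not payload.get(username_claim):
        problems.append(f"missing username claim {username_claim!r}")
    # Kubernetes accepts "email" as the username only if email_verified is absent
    # or true. A mapper that emits email_verified=false (what an LDAP-backed realm
    # would do) breaks every login, hence the mapper is deleted in Keycloak.
    if username_claim == "email" and payload.get("email_verified") is False:
        problems.append("email_verified is false: apiserver will reject the token")
    groups = payload.get(groups_claim)
    if groups is None:
        problems.append(f"no {groups_claim!r} claim: RBAC Group subjects will never match")
    elif not (isinstance(groups, str) or
              (isinstance(groups, list) and all(isinstance(g, str) for g in groups))):
        problems.append(f"{groups_claim!r} must be a string or a list of strings")
    return problems


def inspect_kubeconfig(kubeconfig_text: str, user_name: str) -> tuple:
    """Parse the kubeconfig, pull the ID token and return (payload, problems)."""
    _, payload = decode_jwt_unverified(extract_id_token(json.loads(kubeconfig_text), user_name))
    return payload, check_claims(payload)


# Constructed sample: a kubeconfig of the kind Kuberos hands out, with a token
# whose claims follow the Keycloak mappers configured above.
GOOD_PAYLOAD = {
    "iss": OIDC_ISSUER_URL, "aud": "kubernetes", "sub": "constructed-sub",
    "exp": 4102444800,  # 2100-01-01, so the sample never expires
    "email": "jdoe@example.org",
    "groups": ["kubernetes-default-namespace-admins"],
}
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "users": [{"name": "jdoe@example.org", "user": {"auth-provider": {
        "name": "oidc", "config": {"idp-issuer-url": OIDC_ISSUER_URL,
                                   "client-id": OIDC_CLIENT_ID,
                                   "id-token": make_sample_id_token(GOOD_PAYLOAD)}}}}],
})

if __name__ == "__main__":
    payload, problems = inspect_kubeconfig(SAMPLE_KUBECONFIG, "jdoe@example.org")
    print(json.dumps(payload, indent=2))
    print("problems:", problems or "none")
```

Run it against a kubeconfig issued by your own setup by replacing SAMPLE_KUBECONFIG with the file contents; a non-empty problem list pinpoints which Keycloak mapper or apiserver flag disagrees, which is far quicker than reading "Unauthorized" from kubectl.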
Setting up RBAC
When configuring RBAC you can refer both to the user name (the name field in the JWT token) and to the user's groups (the groups field in the JWT token). Here is an example of granting rights to the group kubernetes-default-namespace-admins:
kubernetes-default-namespace-admins.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins
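To see how the groups claim from the token turns into permissions, here is a small, simplified RBAC evaluator added as an example (not part of the article or of Kubernetes). It works only with namespaced Role/RoleBinding objects, ignoring ClusterRoles, resourceNames and nonResourceURLs, and it takes the Role and RoleBinding above as constructed Python dicts (yaml.safe_load_all on the file would give the same structures). The user name and group list are the values kube-apiserver derives from the email and groups claims with the flags set earlier.

```python
# Constructed copies of the Role and RoleBinding manifests above.
ROLE_DEFAULT_ADMINS = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "default-admins", "namespace": "default"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BINDING_DEFAULT_ADMINS = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"name": "kubernetes-default-namespace-admins", "namespace": "default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                "name": "default-admins"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                  "name": "kubernetes-default-namespace-admins"}],
}


def subjects_match(subjects: list, username: str, groups: list) -> bool:
    """A binding applies when a subject names the user or one of the groups in
    the token. Matching is exact and case-sensitive: the Group subject must be
    spelled exactly as Keycloak emits it in the groups claim."""
    for subject in subjects:
        if subject.get("kind") == "User" and subject.get("name") == username:
            return True
        if subject.get("kind") == "Group" and subject.get("name") in groups:
            return True
    return False


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """One PolicyRule: each field must list the value or the wildcard '*'."""
    def matches(wanted, allowed):
        return "*" in allowed or wanted in allowed
    return (matches(api_group, rule.get("apiGroups", []))
            and matches(resource, rule.get("resources", []))
            and matches(verb, rule.get("verbs", [])))


def can_i(username: str, groups: list, namespace: str, api_group: str,
          resource: str, verb: str, roles: list, bindings: list) -> bool:
    """Simplified namespace-scoped RBAC decision (Role + RoleBinding only).
    api_group "" is the core group (pods, secrets, ...)."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never grants anything outside its namespace
        if not subjects_match(binding.get("subjects", []), username, groups):
            continue
        ref = binding["roleRef"]
        if ref.get("kind") != "Role":
            continue
        role = roles_by_key.get((namespace, ref["name"]))
        if role is None:
            continue  # dangling roleRef: the binding exists but grants nothing
        if any(rule_allows(rule, api_group, resource, verb) for rule in role.get("rules", [])):
            return True
    return False


# The identity kube-apiserver builds from a token issued by this setup:
# username = email claim, groups = groups claim.
USER = "jdoe@example.org"
GROUPS = ["kubernetes-default-namespace-admins"]
ROLES = [ROLE_DEFAULT_ADMINS]
BINDINGS = [BINDING_DEFAULT_ADMINS]

if __name__ == "__main__":
    for ns in ("default", "kube-system"):
        print(ns, "delete pods:", can_i(USER, GROUPS, ns, "", "pods", "delete", ROLES, BINDINGS))
```

On a real cluster the same question is answered by impersonation, without handing anyone a token: kubectl auth can-i delete pods -n default --as jdoe@example.org --as-group kubernetes-default-namespace-admins. The two negative cases in the script (another namespace, a group not named in any binding) are the ones to check first when a freshly imported LDAP group "does not work".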
More RBAC examples can be found in
Setting up the auth-proxy
There is an excellent project
dashboard-proxy.yaml
# apps/v1 replaces extensions/v1beta1, which current clusters no longer serve;
# apps/v1 additionally requires spec.selector to match the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard-proxy
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        # the Secret from Clients -> kubernetes -> Credentials
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        # sample value from the article; generate your own key for a real deployment
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP
Source: www.habr.com