Authentication in Kubernetes with GitHub OAuth and Dex

Here is a tutorial on setting up access to a Kubernetes cluster with Dex, dex-k8s-authenticator and GitHub.

(Image: a local meme from the Russian-language Kubernetes chat on Telegram)

Introduction

We use Kubernetes to create dynamic environments for the development and QA teams, so we want to give them access to the cluster, both through the dashboard and through kubectl. Unlike OpenShift, vanilla Kubernetes has no built-in user database or login flow: the API server only verifies the credentials presented to it (client certificates, bearer tokens, OIDC ID tokens), so we use third-party tools to issue those credentials.

In this setup we use:

  • dex-k8s-authenticator - a web application that generates a kubectl config
  • Dex - an OpenID Connect provider
  • GitHub - simply because we use GitHub at our company

We tried Google OIDC, but unfortunately could not get it working with groups, so the GitHub integration suited us. Without group mapping it is impossible to write RBAC policies based on groups.

So, here is how our Kubernetes authorization process works, in a visual representation:

(Image: the authorization process)

In a little more detail, point by point:

  1. The user logs in to dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator forwards the request to Dex (dex.k8s.example.com)
  3. Dex redirects to the GitHub login page
  4. GitHub generates the required authorization information and returns it to Dex
  5. Dex sends the received information to dex-k8s-authenticator
  6. The user receives an OIDC ID token. The token is issued and signed by Dex, not by GitHub: GitHub is only an OAuth2 provider, and Dex translates the GitHub identity, including organization and team membership, into OIDC claims
  7. dex-k8s-authenticator adds the token to the kubeconfig
  8. kubectl passes the token to kube-apiserver as a bearer token
  9. kube-apiserver verifies the token signature against the keys Dex publishes, checks the issuer, audience and expiry, maps the configured claims to a username and groups, and authorizes the request through RBAC
  10. The user gets access through kubectl
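To make step 9 concrete, here is an added example that is not code from the original article, from Dex or from Kubernetes: it mints an RS256 ID token the way Dex would and then verifies it the way kube-apiserver does with the settings used later on this page (issuer https://dex.k8s.example.com/, client id dex-k8s-authenticator, username claim email, groups claim groups). The RSA key pair, the kid value and the user alice@example.com are constructed for the example; in the real flow the API server fetches Dex's public keys from its JWKS endpoint instead of holding the key in memory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of the ID token Dex issues after the GitHub login. "aud" is a plain
// string here, which is what Dex emits when the token has a single client.
type Claims struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"`
	Expiry   int64    `json:"exp"`
	Email    string   `json:"email"`
	Groups   []string `json:"groups"`
}

// UserInfo is what the authenticator hands to RBAC: a username and groups.
type UserInfo struct {
	Username string
	Groups   []string
}

var b64 = base64.RawURLEncoding

// MintIDToken plays the role of Dex: RS256 over base64url(header).base64url(payload).
// The kid "dex-key-1" is an assumed value for the example.
func MintIDToken(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "dex-key-1"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken plays the role of kube-apiserver. The signature is checked
// before any claim is trusted, the algorithm is pinned to RS256 so a token
// cannot downgrade to "none" or HMAC, and every mismatch fails closed.
func VerifyIDToken(pub *rsa.PublicKey, token, issuer, clientID string, now time.Time) (UserInfo, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return UserInfo{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return UserInfo{}, errors.New("bad header")
	}
	if hdr.Alg != "RS256" {
		return UserInfo{}, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return UserInfo{}, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return UserInfo{}, errors.New("signature verification failed")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return UserInfo{}, errors.New("bad payload")
	}
	if c.Issuer != issuer { // --oidc-issuer-url, compared byte for byte (trailing slash included)
		return UserInfo{}, fmt.Errorf("issuer %q, want %q", c.Issuer, issuer)
	}
	if c.Audience != clientID { // --oidc-client-id must equal the aud claim
		return UserInfo{}, fmt.Errorf("audience %q, want %q", c.Audience, clientID)
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return UserInfo{}, errors.New("token expired")
	}
	if c.Email == "" { // --oidc-username-claim=email
		return UserInfo{}, errors.New("username claim missing")
	}
	return UserInfo{Username: c.Email, Groups: c.Groups}, nil // --oidc-groups-claim=groups
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for Dex's signing key
	if err != nil {
		panic(err)
	}
	tok, _ := MintIDToken(key, Claims{
		Issuer: "https://dex.k8s.example.com/", Audience: "dex-k8s-authenticator",
		Expiry: time.Now().Add(24 * time.Hour).Unix(), Email: "alice@example.com",
		Groups: []string{"super-org:team-red"},
	})
	u, err := VerifyIDToken(&key.PublicKey, tok, "https://dex.k8s.example.com/", "dex-k8s-authenticator", time.Now())
	fmt.Println(u, err)
}
```

Two of the failure cases are the ones people hit most with this setup: an issuer configured without the trailing slash that Dex's issuer has, and a client id that does not match the staticClient id, both of which make the API server reject every token with an error that only shows up in its logs.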

Preparation

Naturally, we already have a Kubernetes cluster installed (k8s.example.com), with Helm installed as well. We also have an organization on GitHub (super-org).
If you don't have Helm, installing it is very simple.

First we need to set up GitHub.

Open the organization settings page (https://github.com/organizations/super-org/settings/applications) and create a new application (OAuth App):

(Image: creating a new application on GitHub)

Fill in the fields with the required URLs, for example:

  • Homepage URL: https://dex.k8s.example.com
  • Authorization callback URL: https://dex.k8s.example.com/callback

Be careful with the URLs: the callback URL must match the redirectURI in the Dex connector config character for character, trailing slash included, otherwise GitHub will refuse the redirect.

In response to the submitted form, GitHub will generate a Client ID and a Client secret. Store them somewhere safe, they will be needed later (we keep secrets in a vault, for example):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Prepare DNS records for the subdomains login.k8s.example.com and dex.k8s.example.com, as well as SSL certificates for the ingress.

Let's create the SSL certificates:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

A ClusterIssuer named le-clusterissuer should already exist; if not, create it with Helm. Note that these manifests, like the Certificates above, use the legacy certmanager.k8s.io/v1alpha1 API of cert-manager 0.x and the Helm 2 command syntax; current cert-manager releases use the cert-manager.io/v1 API:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

Configuring kube-apiserver

For kube-apiserver to accept the tokens, OIDC has to be configured and the cluster updated:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

We use kops to deploy the cluster, but it works the same way with other cluster managers: the settings above correspond to the kube-apiserver flags --oidc-issuer-url, --oidc-client-id, --oidc-username-claim and --oidc-groups-claim. Two details matter: oidcIssuerURL must match the issuer in the Dex config exactly, trailing slash included, and oidcClientID must equal the id of the staticClient in Dex, because that is the aud claim the API server checks. Consider also setting --oidc-username-prefix and --oidc-groups-prefix so that identities asserted by the identity provider can never collide with built-in names such as system:masters (the group name in the ClusterRoleBinding then has to carry the prefix too).

Configuring Dex and dex-k8s-authenticator

For Dex to work, you need the certificate and key from the Kubernetes master; let's fetch them from there. Be aware of what this means, though: ca.key is the root of trust of the whole cluster, and anyone who can read the values file below or the resulting Secret in kube-system can sign a client certificate for any user, including a member of system:masters. dex-k8s-authenticator only needs the public certificate (ca.crt), so that kubectl can verify the API server; for Dex's own TLS a dedicated certificate such as the cert-manager one issued above is a safer choice than the cluster CA.

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Let's clone the dex-k8s-authenticator repository:

git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Using values files we can flexibly set the variables for our Helm charts.

Let's describe the configuration for Dex. The heredoc delimiter is quoted so that the shell does not expand $GITHUB_CLIENT_ID and $GITHUB_CLIENT_SECRET while writing the file; Dex expands them itself from the environment at startup, and with an unquoted delimiter both would silently become empty strings:

cat << 'EOF' > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

A few notes on this config. The sqlite3 storage lives in the container's filesystem (see the linked Dex issue), so every restart of the pod wipes the database, signing keys included, and tokens issued before the restart then fail verification at the API server until they are reissued; for anything beyond a trial, use the kubernetes storage backend (Dex keeps its state in CRDs) or a persistent volume. responseTypes only needs "code": dex-k8s-authenticator is a server-side client that exchanges the authorization code itself, while the implicit "token" and "id_token" types return tokens in URL fragments where they end up in browser history and logs. The staticClient secret must be a genuinely random value and must be identical in both values files. envSecrets holds the GitHub client credentials in plaintext, so keep values-dex.yml out of version control. Finally, logger.level: debug is handy while setting this up but is noisy in production.

And for dex-k8s-authenticator:

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Install Dex and dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Let's check that the services respond (Dex should return 400 for /callback without parameters, and dex-k8s-authenticator should return 200):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

Configuring RBAC

We create a ClusterRole for the group; in our case it is read-only, except for the last rule, which grants create on pods/exec. Note that exec is not read-only in any practical sense: a user who can exec into an arbitrary pod can run commands in it, read the service account token mounted there and act with that pod's permissions, including those of control-plane components in kube-system. If the team does not need it cluster-wide, grant it per namespace with a Role and RoleBinding instead:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Let's create the ClusterRoleBinding. The group name has the org:team form that Dex's GitHub connector puts into the groups claim; subjects is a list, and a ClusterRoleBinding is cluster-scoped, so it takes no namespace:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: "super-org:team-red"
EOF
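To see why this role and binding give exactly the behaviour shown in the test section (get pods allowed, delete pods forbidden), here is an added example that is not part of the article or of Kubernetes: a small re-implementation of the matching rules the RBAC authorizer applies, fed with the cluster-read-all role (resource list trimmed to what is exercised) and the dex-cluster-auth binding. The request attributes and the users alice@example.com and bob@example.com are constructed for the example; super-org:team-red is the org:team group name Dex's GitHub connector emits.

```go
package main

import (
	"fmt"
	"strings"
)

// Just the fields of PolicyRule, ClusterRole and ClusterRoleBinding that the
// authorization decision depends on.
type Rule struct{ APIGroups, Resources, Verbs, NonResourceURLs []string }
type ClusterRole struct {
	Name  string
	Rules []Rule
}
type Subject struct{ Kind, Name string } // "User" or "Group"
type ClusterRoleBinding struct {
	Subjects []Subject
	RoleName string
}

// Request is what kube-apiserver derives from the HTTP request plus the
// authenticated identity (username and groups taken from the ID token claims).
// APIGroup "" is the core group; Subresource is e.g. "exec" for .../pods/x/exec;
// NonResourceURL is set for paths like /metrics that are not API resources.
type Request struct {
	User, Verb, APIGroup, Resource, Subresource, NonResourceURL string
	Groups                                                     []string
}

func matches(allowed []string, want string) bool {
	for _, a := range allowed {
		if a == "*" || a == want {
			return true
		}
	}
	return false
}

// ruleAllows reproduces per-rule matching, including the "*" wildcard, the
// "*/subresource" form and the trailing-"*" prefix form for non-resource URLs.
func ruleAllows(r Rule, req Request) bool {
	if !matches(r.Verbs, req.Verb) {
		return false
	}
	if req.NonResourceURL != "" {
		for _, u := range r.NonResourceURLs {
			if u == "*" || u == req.NonResourceURL ||
				(strings.HasSuffix(u, "*") && strings.HasPrefix(req.NonResourceURL, strings.TrimSuffix(u, "*"))) {
				return true
			}
		}
		return false
	}
	if !matches(r.APIGroups, req.APIGroup) {
		return false
	}
	combined := req.Resource
	if req.Subresource != "" {
		combined += "/" + req.Subresource
	}
	for _, res := range r.Resources {
		if res == "*" || res == combined || (req.Subresource != "" && res == "*/"+req.Subresource) {
			return true
		}
	}
	return false
}

func bindingApplies(b ClusterRoleBinding, req Request) bool {
	for _, s := range b.Subjects {
		if s.Kind == "User" && s.Name == req.User {
			return true
		}
		if s.Kind == "Group" {
			for _, g := range req.Groups {
				if g == s.Name {
					return true
				}
			}
		}
	}
	return false
}

// Authorize is deny-by-default: RBAC only ever grants, never denies, so the
// first binding+rule pair that matches wins and no match means Forbidden.
func Authorize(roles map[string]ClusterRole, bindings []ClusterRoleBinding, req Request) bool {
	for _, b := range bindings {
		if !bindingApplies(b, req) {
			continue
		}
		for _, r := range roles[b.RoleName].Rules {
			if ruleAllows(r, req) {
				return true
			}
		}
	}
	return false
}

// PageRBAC is the cluster-read-all role and dex-cluster-auth binding from the
// page, with the resource list shortened to the ones used below.
func PageRBAC() (map[string]ClusterRole, []ClusterRoleBinding) {
	readAll := ClusterRole{Name: "cluster-read-all", Rules: []Rule{
		{APIGroups: []string{"", "apps"}, Resources: []string{"pods", "pods/log", "pods/exec", "deployments"}, Verbs: []string{"get", "watch", "list"}},
		{NonResourceURLs: []string{"*"}, Verbs: []string{"get", "watch", "list"}},
		{APIGroups: []string{""}, Resources: []string{"pods/exec"}, Verbs: []string{"create"}},
	}}
	binding := ClusterRoleBinding{RoleName: "cluster-read-all", Subjects: []Subject{{Kind: "Group", Name: "super-org:team-red"}}}
	return map[string]ClusterRole{readAll.Name: readAll}, []ClusterRoleBinding{binding}
}

func main() {
	roles, bindings := PageRBAC()
	alice := Request{User: "alice@example.com", Groups: []string{"super-org:team-red"}, Verb: "delete", Resource: "pods"}
	fmt.Println("delete pods:", Authorize(roles, bindings, alice)) // false, the Forbidden from the test section
}
```

The decisive input is the groups slice: it comes straight from the groups claim of the ID token, so whoever controls the claims Dex emits (the GitHub org owners who manage team membership) controls who the binding applies to. The same evaluator also shows why "create pods/exec" is allowed while "create pods" is not.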

Now we are ready to test.

Testing

Go to the login page (https://login.k8s.example.com) and sign in with your GitHub account:

(Image: the login page)

(Image: the login page redirects to GitHub)

(Image: follow the generated instructions to get access)

After copying and pasting from the web page, we can use kubectl to work with the cluster resources:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

And it works: GitHub users who are members of the team-red team in our organization (both the connector's orgs/teams filter and the ClusterRoleBinding key on super-org:team-red) can view resources and exec into pods, but they have no rights to modify them. Keep in mind that pods/exec is the one capability here that goes beyond reading: whoever can exec into a pod can act with that pod's service account.

Source: www.habr.com
