Ushbu maqola allaqachon ma'lumotni kengaytirish uchun yozilgan , lekin Microsoft ActiveDirectory bilan to'plamning xususiyatlari haqida gapiradi va uni to'ldiradi.
Ushbu maqolada men sizga qanday o'rnatish va sozlashni aytaman:
- kalit plash ochiq kodli loyihadir. Bu ilovalar uchun yagona kirish nuqtasini ta'minlaydi. Ko'pgina protokollar, jumladan, bizni qiziqtirgan LDAP va OpenID bilan ishlaydi.
- kalit plash darvozaboni - Keycloak orqali avtorizatsiyani birlashtirish imkonini beruvchi teskari proksi-ilova.
- o'tish yo'li - kubectl uchun konfiguratsiyani yaratadigan dastur, uning yordamida siz tizimga kirishingiz va OpenID orqali Kubernetes API-ga ulanishingiz mumkin.
Ruxsatlar Kubernetesda qanday ishlaydi.
Biz RBAC-dan foydalangan holda foydalanuvchi / guruh huquqlarini boshqarishimiz mumkin, bu haqda bir qancha maqolalar allaqachon yaratilgan, men bu haqda batafsil to'xtalmayman. Muammo shundaki, siz RBAC-dan foydalanuvchi huquqlarini cheklash uchun foydalanishingiz mumkin, ammo Kubernetes foydalanuvchilar haqida hech narsa bilmaydi. Ma'lum bo'lishicha, bizga Kubernetes-da foydalanuvchilarni etkazib berish mexanizmi kerak. Buning uchun biz Kuberntes OpenID-ga provayderni qo'shamiz, u bunday foydalanuvchi haqiqatan ham borligini aytadi va Kubernetesning o'zi unga huquqlarni beradi.
o'quv
- Sizga Kubernetes klasteri yoki minikube kerak bo'ladi
- Active Directory
- Domenlar:
keycloak.example.org
kubernetes-dashboard.example.org
gangway.example.org - Domenlar uchun sertifikat yoki o'z-o'zidan imzolangan sertifikat
O'z-o'zidan imzolangan sertifikatni qanday yaratish haqida to'xtalmayman, siz 2 ta sertifikat yaratishingiz kerak, bu ildiz (sertifikat organi) va *.example.org domeni uchun joker mijoz.
Sertifikatlarni olganingizdan / berganingizdan so'ng, mijoz Kubernetes-ga qo'shilishi kerak, buning uchun biz uning sirini yaratamiz:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pemKeyinchalik, biz uni Ingress boshqaruvchisi uchun ishlatamiz.
Keycloak o'rnatish
Men eng oson yo'li buning uchun tayyor echimlardan, ya'ni rul diagrammalaridan foydalanishga qaror qildim.
Repozitoriyni o'rnating va uni yangilang:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo updateQuyidagi tarkibga ega keycloak.yml faylini yarating:
keycloak.yml
keycloak:
# ΠΠΌΡ Π°Π΄ΠΌΠΈΠ½ΠΈΡΡΡΠ°ΡΠΎΡΠ°
username: "test_admin"
# ΠΠ°ΡΠΎΠ»Ρ Π°Π΄ΠΌΠΈΠ½ΠΈΡΡΡΠ°ΡΠΎΡ
password: "admin"
# ΠΡΠΈ ΡΠ»Π°Π³ΠΈ Π½ΡΠΆΠ½Ρ ΡΡΠΎ Π±Ρ ΠΏΠΎΠ·Π²ΠΎΠ»ΠΈΡΡ Π·Π°Π³ΡΡΠΆΠ°ΡΡ Π² Keycloak ΡΠΊΡΠΈΠΏΡΡ ΠΏΡΡΠΌΠΎ ΡΠ΅ΡΠ΅Π· web ΠΌΠΎΡΠ΄Ρ. ΠΡΠΎ Π½Π°ΠΌ
ΠΏΠΎΠ½Π°Π΄ΠΎΠ±ΠΈΡΡΡΡ ΡΡΠΎ Π±Ρ ΠΏΠΎΡΠΈΠ½ΠΈΡΡ ΠΎΠ΄ΠΈΠ½ Π±Π°Π³, ΠΎ ΠΊΠΎΡΠΎΡΠΎΠΌ Π½ΠΈΠΆΠ΅.
extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
# ΠΠΊΠ»ΡΡΠ°Π΅ΠΌ ingress, ΡΠΊΠ°Π·ΡΠ²Π°Π΅ΠΌ ΠΈΠΌΡ Ρ
ΠΎΡΡΠ° ΠΈ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ ΠΊΠΎΡΠΎΡΡΠΉ ΠΌΡ ΠΏΡΠ΅Π΄Π²Π°ΡΠΈΡΠ΅Π»ΡΠ½ΠΎ ΡΠΎΡ
ΡΠ°Π½ΠΈΠ»ΠΈ Π² secrets
ingress:
enabled: true
path: /
annotations:
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/affinity: cookie
hosts:
- keycloak.example.org
tls:
- hosts:
- keycloak.example.org
secretName: tls-keycloak
# Keycloak Π΄Π»Ρ ΡΠ²ΠΎΠ΅ΠΉ ΡΠ°Π±ΠΎΡΡ ΡΡΠ΅Π±ΡΠ΅Ρ Π±Π°Π·Ρ Π΄Π°Π½Π½ΡΡ
, Π² ΡΠ΅ΡΡΠΎΠ²ΡΡ
ΡΠ΅Π»ΡΡ
Ρ ΡΠ°Π·Π²ΠΎΡΠ°ΡΠΈΠ²Π°Ρ Postgresql ΠΏΡΡΠΌΠΎ Π² Kuberntes, Π² ΠΏΡΠΎΠ΄Π°ΠΊΡΠ΅Π½Π΅ ΡΠ°ΠΊ Π»ΡΡΡΠ΅ Π½Π΅ Π΄Π΅Π»Π°ΡΡ!
persistence:
deployPostgres: true
dbVendor: postgres
postgresql:
postgresUser: keycloak
postgresPassword: ""
postgresDatabase: keycloak
persistence:
enabled: trueFederatsiyani o'rnatish
Keyin veb-interfeysga o'ting
Chap burchakda bosing Hudud qo'shing
kalit
qiymati
Ism
kubernetlar
Ko'rsatiladigan ism
Kubernetes
Foydalanuvchi elektron pochta tekshiruvini o'chirish:
Mijoz doiralari -> Elektron pochta -> Xaritachilar -> Elektron pochta tasdiqlangan (O'chirish)
Biz ActiveDirectory'dan foydalanuvchilarni import qilish uchun federatsiyani o'rnatdik, men quyida skrinshotlarni qoldiraman, menimcha, bu aniqroq bo'ladi.
Foydalanuvchi federatsiyasi β> Provayder qoβshishβ¦ β> ldap
Federatsiyani o'rnatish
Agar hamma narsa yaxshi bo'lsa, tugmani bosgandan keyin Barcha foydalanuvchilarni sinxronlashtiring foydalanuvchilarni muvaffaqiyatli import qilish haqida xabarni ko'rasiz.
Keyin biz guruhlarimizni xaritalashimiz kerak
Foydalanuvchi federatsiyasi --> ldap_localhost --> Xaritachilar --> Yaratish
Mapper yaratish
Mijozni sozlash
Keycloak nuqtai nazaridan mijozni yaratish kerak, bu undan avtorizatsiya qilinadigan dastur. Skrinshotdagi muhim fikrlarni qizil rang bilan ta'kidlayman.
Mijozlar -> Yaratish
Mijozni sozlash
Keling, guruhlar uchun skupa yarataylik:
Mijoz doiralari -> Yaratish
Qo'llanish doirasini yaratish
Va ular uchun xaritachini o'rnating:
Mijoz doiralari -> guruhlar -> Xaritachilar -> Yaratish
Xaritachi
Guruhlarimiz xaritasini standart mijozlar doirasiga qo'shing:
Mijozlar -> kubernetes -> Mijoz doiralari -> Standart mijoz doiralari
Tanlaymiz Guruhlar Π² Mavjud mijozlar doiralaribosing Tanlangan qo'shish
Biz Keycloak-da avtorizatsiya qilish uchun foydalanadigan sirni olamiz (va uni mavzuga yozamiz):
Mijozlar -> kubernetes -> Hisob ma'lumotlari -> Sir
Bu sozlashni yakunlaydi, lekin muvaffaqiyatli avtorizatsiyadan so'ng 403 xatosini olganimda xatolik yuz berdi. .
Tuzatish:
Mijoz doiralari -> rollar -> Xaritachilar -> Yaratish
Xaritachi
Skript kodi
// add current client-id to token audience
token.addAudience(token.getIssuedFor());
// return token issuer as dummy result assigned to iss again
token.getIssuer();
Kubernetes sozlanmoqda
Saytdan olingan ildiz sertifikatimiz qayerda va OIDC provayderi qayerda joylashganligini ko'rsatishimiz kerak.
Buning uchun /etc/kubernetes/manifests/kube-apiserver.yaml faylini tahrirlang.
kube-apiserver.yaml
...
spec:
containers:
- command:
- kube-apiserver
...
- --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
- --oidc-client-id=kubernetes
- --oidc-groups-claim=groups
- --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
- --oidc-username-claim=email
...
Klasterda kubeadm konfiguratsiyasini yangilang:
kubeadmconfig
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
ClusterConfiguration: |
apiServer:
extraArgs:
oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
oidc-client-id: kubernetes
oidc-groups-claim: groups
oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
oidc-username-claim: email
...
Autx-proksini sozlash
Veb-ilovangizni himoya qilish uchun keycloak gatekeeper-dan foydalanishingiz mumkin. Ushbu teskari proksi-server sahifani ko'rsatishdan oldin foydalanuvchiga ruxsat berishiga qo'shimcha ravishda, u siz haqingizda ma'lumotni sarlavhalardagi oxirgi ilovaga ham uzatadi. Shunday qilib, agar ilovangiz OpenID-ni qo'llab-quvvatlasa, foydalanuvchi darhol avtorizatsiya qilinadi. Kubernetes boshqaruv paneli misolini ko'rib chiqing
Kubernetes boshqaruv panelini o'rnatish
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
externalPort: 80
rbac:
clusterAdminRole: true
create: true
serviceAccount:
create: true
name: 'dashboard-test'
Kirish huquqlarini sozlash:
DataOPS guruhidagi foydalanuvchilar uchun klaster administrator huquqlarini (standart ClusterRole klaster-administratori) beradigan ClusterRoleBinding yarataylik.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dataops_group
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: DataOPS
Keycloak gatekeeper-ni o'rnating:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# ΠΠΊΠ»ΡΡΠ°Π΅ΠΌ ingress
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
path: /
hosts:
- kubernetes-dashboard.example.org
tls:
- secretName: tls-keycloak
hosts:
- kubernetes-dashboard.example.org
# ΠΠΎΠ²ΠΎΡΠΈΠΌ Π³Π΄Π΅ ΠΌΡ Π±ΡΠ΄Π΅ΠΌ Π°Π²ΡΠΎΡΠΈΠ·ΠΎΠ²ΡΠ²Π°ΡΡΡΡ Ρ OIDC ΠΏΡΠΎΠ²Π°ΠΉΠ΄Π΅ΡΠ°
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# ΠΠΌΡ ΠΊΠ»ΠΈΠ΅Π½ΡΠ° ΠΊΠΎΡΠΎΡΠΎΠ³ΠΎ ΠΌΡ ΡΠΎΠ·Π΄Π°Π»ΠΈ Π² Keycloak
ClientID: "kubernetes"
# Secret ΠΊΠΎΡΠΎΡΡΠΉ Ρ ΠΏΡΠΎΡΠΈΠ» Π·Π°ΠΏΠΈΡΠ°ΡΡ
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# ΠΡΠ΄Π° ΠΏΠ΅ΡΠ΅Π½Π°ΠΏΡΠ°Π²ΠΈΡΡ Π² ΡΠ»ΡΡΠ°Π΅ ΡΡΠΏΠ΅ΡΠ½ΠΎΠΉ Π°Π²ΡΠΎΡΠΈΠ·Π°ΡΠΈΠΈ. Π€ΠΎΡΠΌΠ°Ρ <SCHEMA>://<SERVICE_NAME>.><NAMESAPCE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# ΠΡΠΎΠΏΡΡΠΊΠ°Π΅ΠΌ ΠΏΡΠΎΠ²Π΅ΡΠΊΡ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ°, Π΅ΡΠ»ΠΈ Ρ Π½Π°Ρ ΡΠ°ΠΌΠΎΠΏΠΎΠ΄ΠΏΠΈΡΠ°Π½Π½ΡΠΉ
skipOpenidProviderTlsVerify: true
# ΠΠ°ΡΡΡΠΎΠΉΠΊΠ° ΠΏΡΠ°Π² Π΄ΠΎΡΡΡΠΏΠ°, ΠΏΡΡΠΊΠ°Π΅ΠΌ Π½Π° Π²ΡΠ΅ path Π΅ΡΠ»ΠΈ ΠΌΡ Π² Π³ΡΡΠΏΠΏΠ΅ DataOPS
rules:
- "uri=/*|groups=DataOPS"
Shundan so'ng, siz borishga harakat qilganingizda , biz Keycloak-ga yo'naltirilamiz va muvaffaqiyatli avtorizatsiya qilingan taqdirda biz allaqachon tizimga kirgan asboblar paneliga o'tamiz.
o'tish yo'lini o'rnatish
Qulaylik uchun siz kubectl uchun konfiguratsiya faylini yaratadigan o'tish joyini qo'shishingiz mumkin, uning yordamida biz foydalanuvchimiz ostida Kubernetesga kiramiz.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
# ΠΡΠΎΠΈΠ·Π²ΠΎΠ»ΡΠ½ΠΎΠ΅ ΠΈΠΌΡ ΠΊΠ»Π°ΡΡΠ΅ΡΠ°
clusterName: "my-k8s"
# ΠΠ΄Π΅ Ρ Π½Π°Ρ OIDC ΠΏΡΠΎΠ²Π°ΠΉΠ΄Π΅Ρ
authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
# Π’Π΅ΠΎΡΠΈΡΠΈΡΠ΅ΡΠΊΠΈ ΡΡΠ΄Π° ΠΌΠΎΠΆΠ½ΠΎ Π΄ΠΎΠ±Π°Π²ΠΈΡΡ groups ΠΊΠΎΡΠΎΡΡΠ΅ ΠΌΡ Π·Π°ΠΌΠ°ΠΏΠΈΠ»ΠΈ
scopes: ["openid", "profile", "email", "offline_access"]
redirectURL: "https://gangway.example.org/callback"
# ΠΠΌΡ ΠΊΠ»ΠΈΠ΅Π½ΡΠ°
clientID: "kubernetes"
# Π‘Π΅ΠΊΡΠ΅Ρ
clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# ΠΡΠ»ΠΈ ΠΎΡΡΠ°Π²ΠΈΡΡ Π΄Π΅ΡΠΎΠ»ΡΠ½ΠΎΠ΅ Π·Π½Π°ΡΠ½ΠΈΠ΅, ΡΠΎ Π·Π° ΠΈΠΌΡ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ Π±ΡΠ΄Π΅Ρ Π±ΡΠ°ΡΡΡ <b>Frist name</b> <b>Second name</b>, Π° ΠΏΡΠΈ "sub" Π΅Π³ΠΎ Π»ΠΎΠ³ΠΈΠ½
usernameClaim: "sub"
# ΠΠΎΠΌΠ΅Π½Π½ΠΎΠ΅ ΠΈΠΌΡ ΠΈΠ»ΠΈ IP Π°Π΄ΡΠ΅ΡΡ API ΡΠ΅ΡΠ²Π΅ΡΠ°
apiServerURL: "https://192.168.99.111:8443"
# ΠΠΊΠ»ΡΡΠ°Π΅ΠΌ Ingress
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
path: /
hosts:
- gangway.example.org
tls:
- secretName: tls-keycloak
hosts:
- gangway.example.org
# ΠΡΠ»ΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌ ΡΠ°ΠΌΠΎΠΏΠΎΠ΄ΠΏΠΈΡΠ°Π½Π½ΡΠΉ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ, ΡΠΎ Π΅Π³ΠΎ(ΠΎΡΠΊΡΡΡΡΠΉ ΠΊΠΎΡΠ½Π΅Π²ΠΎΠΉ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°Ρ) Π½Π°Π΄ΠΎ ΡΠΊΠ°Π·Π°ΡΡ.
trustedCACert: |-
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwHhcNMjAwMjE0MDkxODAwWhcNMzAwMjE0MDkxODAwWjA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyP749PqqIRwNSqaK6qr0Zsi03G4PTCUlgaYTPZuMrwUVPK8xX2dWWs9MPRMOdXpgr8aSTZnVfmelIlVz4D7o2vK5rfmAe9GPcK0WbwKwXyhFU0flS9sU/g46ogHFrk03SZxQAeJhMLfEmAJm8LF5HghtGDs3t4uwGsB95o+lqPLiBvxRB8ZS3jSpYpvPgXAuZWKdZUQ3UUZf0X3hGLp7uIcIwJ7i4MduOGaQEO4cePeEJy9aDAO6qV78YmHbyh9kaW+1DL/Sgq8NmTgHGV6UOnAPKHTnMKXl6KkyUz8uLBGIdVhPxrlzG1EzXresJbJenSZ+FZqm3oLqZbw54Yp5hAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHISTOU/6BQqqnOZj+1xJfxpjiG0MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAj7HC8ObibwOLT4ZYmISJZwub9lcE0AZ5cWkPW39j/syhdbbqjK/6jy2D3WUEbR+s1Vson5Ov7JhN5In2yfZ/ByDvBnoj7CP8Q/ZMjTJgwN7j0rgmEb3CTZvnDPAz8Ijw3FP0cjxfoZ1Z0V2F44Ry7gtLJWr06+MztXVyto3aIz1/XbMQnXYlzc3c3B5yUQIy44Ce5aLRVsAjmXNqVRmDJ2QPNLicvrhnUJsO0zFWI+zZ2hc4Ge1RotCrjfOc9hQY63jZJ17myCZ6QCD7yzMzAob4vrgmkD4q7tpGrhPY/gDcE+lUNhC7DO3l0oPy2wsnT2TEn87eyWmDiTFG9zWDew==
-----END CERTIFICATE-----
Bu shunday ko'rinadi. Konfiguratsiya faylini darhol yuklab olish va uni buyruqlar to'plami yordamida yaratish imkonini beradi:
Manba: www.habr.com