Setting up Active Directory authentication for Kubernetes with Keycloak

This article extends an existing one: it covers the specifics of pairing that setup with Microsoft Active Directory and complements it.

In this article I will show how to install and configure:

  • keycloak: an open-source project that provides a single sign-on entry point for applications. It speaks many protocols, including LDAP and OpenID Connect, which is what we need here.
  • keycloak-gatekeeper: a reverse-proxy application that lets you put Keycloak authentication in front of an application.
  • gangway: an application that generates a kubectl configuration with which you can log in and connect to the Kubernetes API via OpenID Connect.

How permissions work in Kubernetes

User and group permissions are controlled with RBAC; plenty has been written about that, so I will not go into detail. The catch is that RBAC only restricts what a user may do; Kubernetes itself has no user database and no notion of who a user is. So we need a way to deliver user identities to Kubernetes. We do this by pointing the API server at an OpenID Connect provider: the provider issues a signed ID token asserting that the user exists and which groups they belong to, the API server validates the token (signature, issuer, audience, expiry) and takes the username and groups from its claims, and RBAC then applies permissions to exactly those values.

Preparation

  • A Kubernetes cluster or minikube
  • Active Directory
  • Domain names:
    keycloak.example.org
    kubernetes-dashboard.example.org
    gangway.example.org
  • A certificate for those domains, or a self-signed one

I will not go into how to make a self-signed certificate. You need two certificates: a root (Certificate Authority) certificate and a wildcard certificate for the domain *.example.org signed by it.

Once the certificates have been obtained or issued, the wildcard certificate must be added to Kubernetes as a TLS secret:

kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem

We will reference this secret from our Ingress resources below.

Installing Keycloak

I decided the easiest route was to use a ready-made solution for this, namely Helm charts.

Add the repository and update it:

helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create a keycloak.yml file with the following content:

keycloak.yml

keycloak:
  # Administrator username
  username: "test_admin"
  # Administrator password. A placeholder for the test setup; use a strong, generated value.
  password: "admin"
  # These flags allow scripts to be uploaded to Keycloak straight through the web UI.
  # We need that to work around a bug described below. Both features are disabled by
  # default for security reasons: an uploaded script runs inside the Keycloak server.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable the ingress, set the hostname and the certificate we saved in the secret earlier
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
    - hosts:
        - keycloak.example.org
      secretName: tls-keycloak
  # Keycloak needs a database. For testing I deploy PostgreSQL right inside Kubernetes;
  # do not do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres

postgresql:
  postgresUser: keycloak
  # Empty password is acceptable only for this throwaway test database
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true

Setting up federation

Next, open the web interface at keycloak.example.org

In the top-left corner click Add realm and fill in:

Key           Value
Name          kubernetes
Display name  Kubernetes

The realm name becomes the path segment of the issuer URL (https://keycloak.example.org/auth/realms/kubernetes) and is case-sensitive, so it must match the value used in the API server, gatekeeper and gangway configuration below exactly.

Disable user email verification:
Client Scopes —> Email —> Mappers —> Email verified (Delete)

Now we configure federation to import users from Active Directory; I will leave the screenshots below, which I think makes it clearer.

User Federation —> Add provider… —> ldap

[Screenshot: LDAP federation settings]

If everything is fine, after clicking the Synchronize all users button you will see a message that the users were imported successfully.

Next we need to map our groups:

User Federation —> ldap_localhost —> Mappers —> Create

[Screenshot: creating the group mapper]

Setting up the client

We need to create a client, which in Keycloak terms is the application that will authenticate its users through Keycloak. The important points are highlighted in red on the screenshot.

Clients —> Create

[Screenshot: client settings]

Let's create a groups scope:

Client Scopes —> Create

[Screenshot: creating the scope]

And set up a mapper for it:

Client Scopes —> groups —> Mappers —> Create

[Screenshot: group membership mapper]

Add our groups scope to the client's Default Client Scopes, so that every token for this client carries the groups claim:

Clients —> kubernetes —> Client Scopes —> Default Client Scopes
Select groups under Available Client Scopes and press Add selected

Get the client secret (and write it down somewhere safe); we will use it when authenticating against Keycloak:

Clients —> kubernetes —> Credentials —> Secret
That completes the setup, but I ran into a problem: after a successful login I got a 403 error. There is a bug report about it.

Fix: the token's audience (aud) claim does not contain the client ID, which keycloak-gatekeeper requires. We add it with a script mapper. (Newer Keycloak releases ship a built-in Audience protocol mapper that does the same without enabling script upload; prefer it where available.)

Client Scopes —> roles —> Mappers —> Create

[Screenshot: script mapper]

Script code

// Add the client the token was issued for (azp / "issued for") to the token audience,
// so that "aud" contains "kubernetes" and the proxy and API server accept the token
token.addAudience(token.getIssuedFor());

// Return the token issuer as a dummy result; it is assigned to "iss" again
token.getIssuer();

Configuring Kubernetes

We need to tell the API server where the root certificate for our domain is and where the OIDC provider lives.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml (it is a static pod manifest, so the kubelet restarts the API server automatically when the file changes):

kube-apiserver.yaml


...
spec:
  containers:
  - command:
    - kube-apiserver
...
    # CA that signed the Keycloak certificate (our self-signed root)
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    # Must be present in the token's aud claim
    - --oidc-client-id=kubernetes
    # Claim whose values become the user's groups for RBAC
    - --oidc-groups-claim=groups
    # Must match the token's iss claim exactly; the realm name is part of the path
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    # Claim whose value becomes the Kubernetes username
    - --oidc-username-claim=email
...

Also update the kubeadm configuration stored in the cluster, so the flags are kept when kubeadm regenerates the manifest (for example on upgrade):

kubeadmconfig

kubectl edit -n kube-system configmaps kubeadm-config


...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...

Setting up the auth proxy

You can use keycloak-gatekeeper to protect your web application. Besides authenticating the user before showing the page, this reverse proxy also passes information about the user to the upstream application in request headers. So if your application supports OpenID Connect, the user is signed in immediately. Let's take the Kubernetes Dashboard as an example.

Installing the Kubernetes Dashboard


helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml

values_dashboard.yaml

# Serve the login page over plain HTTP: the proxy terminates TLS and talks HTTP to the dashboard
enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  # Binds the dashboard's own service account to cluster-admin, so whoever reaches the
  # dashboard can act with full cluster rights. The dashboard must therefore be reachable
  # only through the gatekeeper proxy (keep the service cluster-internal, no Ingress of its own).
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'

Setting up permissions:

Create a ClusterRoleBinding that grants cluster administrator rights (the built-in cluster-admin ClusterRole) to users in the DataOPS group. The subject name must match, character for character, the value Keycloak puts into the groups claim. Binding a whole AD group to cluster-admin is fine for a test cluster; for anything else bind a narrower role, such as the built-in edit or view ClusterRoles, or a RoleBinding scoped to a namespace.


kubectl apply -f rbac.yaml

rbac.yaml


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS

Install keycloak-gatekeeper:


helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml

values_proxy.yaml



# Enable the ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
   - secretName: tls-keycloak
     hosts:
       - kubernetes-dashboard.example.org

# Where we authenticate: the OIDC provider (realm issuer URL, used for discovery)
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down (Clients —> kubernetes —> Credentials)
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to forward requests after successful authentication.
# Format: <SCHEME>://<SERVICE_NAME>.<NAMESPACE>.svc.cluster.local
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip verification of the provider's certificate because ours is self-signed.
# Test setups only: in production make the proxy trust the root CA instead, otherwise
# anyone who can impersonate keycloak.example.org can issue tokens the proxy accepts.
skipOpenidProviderTlsVerify: true
# Access rules: allow every path if the user is in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"

After that, when you open kubernetes-dashboard.example.org you are redirected to Keycloak, and after a successful login you land on an already signed-in Dashboard.

Installing gangway

For convenience you can add gangway, which generates a kubectl configuration file that lets us log in to Kubernetes as our own user.


helm install --name gangway stable/gangway -f values_gangway.yaml

values_gangway.yaml


gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups scope we mapped could be added here as well.
  # offline_access asks Keycloak for a long-lived offline refresh token so kubectl can
  # renew ID tokens; revoke it in Keycloak if the generated kubeconfig leaks.
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value the user name in the generated kubeconfig would be "First name Last name";
  # with "sub" it is the login. This only names the kubeconfig entry: the API server still
  # identifies the user by the email claim (--oidc-username-claim).
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"

# Enable the Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
  - gangway.example.org
  tls:
  - secretName: tls-keycloak
    hosts:
      - gangway.example.org

# If you use a self-signed certificate, its public root certificate must be given here.
trustedCACert: |-
 -----BEGIN CERTIFICATE-----
 ...
 -----END CERTIFICATE-----

It looks like this. It lets you download the configuration file straight away, or generate it yourself with a set of commands:

[Screenshot: gangway web interface]

umthombo: www.habr.com
