ProHoster > Блог > Isakoso > Jẹri ni Kubernetes ni lilo GitHub OAuth ati Dex

Jẹri ni Kubernetes ni lilo GitHub OAuth ati Dex

Mo ṣafihan ikẹkọ kan si akiyesi rẹ fun ṣiṣẹda iraye si iṣupọ Kubernetes nipa lilo Dex, dex-k8s-authenticator ati GitHub.

Jẹri ni Kubernetes ni lilo GitHub OAuth ati Dex
Meme agbegbe lati Kubernetes-ede Rọsia iwiregbe ni Telegram

Ifihan

A lo Kubernetes lati ṣẹda awọn agbegbe ti o ni agbara fun idagbasoke ati ẹgbẹ QA. Nitorinaa a fẹ lati fun wọn ni iraye si iṣupọ fun dasibodu mejeeji ati kubectl. Ko dabi OpenShift, vanilla Kubernetes ko ni ijẹrisi abinibi, nitorinaa a lo awọn irinṣẹ ẹnikẹta fun eyi.

Ninu iṣeto yii a lo:

  • dex-k8s-ododo  - ohun elo wẹẹbu fun ti ipilẹṣẹ kubectl konfigi
  • dex - OpenID So olupese
  • GitHub - nìkan nitori a lo GitHub ni ile-iṣẹ wa

A gbiyanju lati lo Google OIDC, sugbon laanu a kuna lati bẹrẹ wọn pẹlu awọn ẹgbẹ, nitorina isọdọkan pẹlu GitHub baamu wa daradara. Laisi aworan agbaye, kii yoo ṣee ṣe lati ṣẹda awọn ilana RBAC ti o da lori awọn ẹgbẹ.

Nitorinaa, bawo ni ilana aṣẹ Kubernetes wa ṣe n ṣiṣẹ ni aṣoju wiwo:

Jẹri ni Kubernetes ni lilo GitHub OAuth ati Dex
Ilana aṣẹ

Awọn alaye diẹ sii ati aaye nipasẹ aaye:

  1. Olumulo wọle sinu dex-k8s-authenticator (login.k8s.example.com)
  2. dex-k8s-authenticator dari ibeere naa si Dex (dex.k8s.example.com)
  3. Dex àtúnjúwe si GitHub oju-iwe wiwọle
  4. GitHub ṣe ipilẹṣẹ alaye aṣẹ pataki ati da pada si Dex
  5. Dex kọja alaye ti o gba si dex-k8s-authenticator
  6. Olumulo gba aami OIDC lati GitHub
  7. dex-k8s-authenticator afikun àmi to kubeconfig
  8. kubectl kọja ami si KubeAPIServer
  9. KubeAPIServer pada awọn iraye si kubectl da lori ami ti o kọja
  10. Olumulo n wọle lati kubectl

Awọn iṣe igbaradi

Nitoribẹẹ, a ti fi iṣupọ Kubernetes tẹlẹ sori ẹrọ (k8s.example.com), ati pe o tun wa pẹlu HELM ti a ti fi sii tẹlẹ. A tun ni agbari lori GitHub (super-org).
Ti o ko ba ni HELM, fi sii irorun.

Ni akọkọ a nilo lati ṣeto GitHub.

Lọ si oju-iwe eto eto, (https://github.com/organizations/super-org/settings/applications) ati ṣẹda ohun elo tuntun (Aṣẹ OAuth App):
Jẹri ni Kubernetes ni lilo GitHub OAuth ati Dex
Ṣiṣẹda ohun elo tuntun lori GitHub

Fọwọsi awọn aaye pẹlu awọn URL pataki, fun apẹẹrẹ:

  • URL oju-iwe akọkọ: https://dex.k8s.example.com
  • URL ipe pada fun aṣẹ: https://dex.k8s.example.com/callback

Ṣọra pẹlu awọn ọna asopọ, o ṣe pataki lati ma padanu awọn slashes.

Ni idahun si fọọmu ti o pari, GitHub yoo ṣe ipilẹṣẹ Client ID и Client secret, pa wọn mọ ni ibi aabo, wọn yoo wulo fun wa (fun apẹẹrẹ, a lo Ile ifinkan pamo fun titoju awọn asiri):

Client ID: 1ab2c3d4e5f6g7h8
Client secret: 98z76y54x32w1

Mura awọn igbasilẹ DNS fun awọn subdomains login.k8s.example.com и dex.k8s.example.com, bakanna bi awọn iwe-ẹri SSL fun ingress.

Jẹ ki a ṣẹda awọn iwe-ẹri SSL:

cat <<EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-dex
  namespace: kube-system
spec:
  secretName: cert-auth-dex
  dnsNames:
    - dex.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - dex.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-auth-login
  namespace: kube-system
spec:
  secretName: cert-auth-login
  dnsNames:
    - login.k8s.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - login.k8s.example.com
  issuerRef:
    name: le-clusterissuer
    kind: ClusterIssuer
EOF
kubectl describe certificates cert-auth-dex -n kube-system
kubectl describe certificates cert-auth-login -n kube-system

Cluster Olufunni pẹlu akọle le-clusterissuer yẹ ki o wa tẹlẹ, ṣugbọn ti kii ba ṣe bẹ, ṣẹda rẹ nipa lilo HELM:

helm install --namespace kube-system -n cert-manager stable/cert-manager
cat << EOF | kubectl create -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: le-clusterissuer
  namespace: kube-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: le-clusterissuer
    http01: {}
EOF

KubeAPIServer iṣeto ni

Fun kubeAPIServer lati ṣiṣẹ, o nilo lati tunto OIDC ki o ṣe imudojuiwọn iṣupọ naa:

kops edit cluster
...
  kubeAPIServer:
    anonymousAuth: false
    authorizationMode: RBAC
    oidcClientID: dex-k8s-authenticator
    oidcGroupsClaim: groups
    oidcIssuerURL: https://dex.k8s.example.com/
    oidcUsernameClaim: email
kops update cluster --yes
kops rolling-update cluster --yes

A lo kops fun imuṣiṣẹ awọn iṣupọ, sugbon yi ṣiṣẹ bakanna fun miiran iṣupọ alakoso.

Dex iṣeto ni ati dex-k8s-authenticator

Fun Dex lati ṣiṣẹ, o nilo lati ni ijẹrisi ati bọtini kan lati ọdọ Kubernetes titunto si, jẹ ki a gba lati ibẹ:

sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----

Jẹ ki a ṣe ẹda ibi ipamọ dex-k8s-authenticator:

git clone [email protected]:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator/

Lilo awọn faili iye, a le ni irọrun tunto awọn oniyipada fun wa Awọn aworan atọka HELM.

Jẹ ki a ṣe apejuwe iṣeto ni fun Dex:

cat << EOF > values-dex.yml
global:
  deployEnv: prod
tls:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    AAAAAAAAAAABBBBBBBBBBCCCCCC
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN RSA PRIVATE KEY-----
    DDDDDDDDDDDEEEEEEEEEEFFFFFF
    -----END RSA PRIVATE KEY-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - dex.k8s.example.com
  tls:
    - secretName: cert-auth-dex
      hosts:
        - dex.k8s.example.com
serviceAccount:
  create: true
  name: dex-auth-sa
config: |
  issuer: https://dex.k8s.example.com/
  storage: # https://github.com/dexidp/dex/issues/798
    type: sqlite3
    config:
      file: /var/dex.db
  web:
    http: 0.0.0.0:5556
  frontend:
    theme: "coreos"
    issuer: "Example Co"
    issuerUrl: "https://example.com"
    logoUrl: https://example.com/images/logo-250x25.png
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.k8s.example.com/callback
      orgs:
      - name: super-org
        teams:
        - team-red
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
      - https://login.k8s.example.com/callback/
envSecrets:
  GITHUB_CLIENT_ID: "1ab2c3d4e5f6g7h8"
  GITHUB_CLIENT_SECRET: "98z76y54x32w1"
EOF

Ati fun dex-k8s-authenticator:

cat << EOF > values-auth.yml
global:
  deployEnv: prod
dexK8sAuthenticator:
  clusters:
  - name: k8s.example.com
    short_description: "k8s cluster"
    description: "Kubernetes cluster"
    issuer: https://dex.k8s.example.com/
    k8s_master_uri: https://api.k8s.example.com
    client_id: dex-k8s-authenticator
    client_secret: generatedLongRandomPhrase
    redirect_uri: https://login.k8s.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      AAAAAAAAAAABBBBBBBBBBCCCCCC
      -----END CERTIFICATE-----
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - login.k8s.example.com
  tls:
    - secretName: cert-auth-login
      hosts:
        - login.k8s.example.com
EOF

Fi Dex sori ẹrọ ati dex-k8s-authenticator:

helm install -n dex --namespace kube-system --values values-dex.yml charts/dex
helm install -n dex-auth --namespace kube-system --values values-auth.yml charts/dex-k8s-authenticator

Jẹ ki a ṣayẹwo iṣẹ ṣiṣe ti awọn iṣẹ naa (Dex yẹ ki o da koodu 400 pada, ati dex-k8s-authenticator yẹ ki o da koodu 200 pada):

curl -sI https://dex.k8s.example.com/callback | head -1
HTTP/2 400
curl -sI https://login.k8s.example.com/ | head -1
HTTP/2 200

RBAC iṣeto ni

A ṣẹda ClusterRole kan fun ẹgbẹ, ninu ọran wa pẹlu iraye si kika-nikan:

cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF

Jẹ ki a ṣẹda iṣeto kan fun ClusterRoleBinding:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex-cluster-auth
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
subjects:
  kind: Group
  name: "super-org:team-red"
EOF

Bayi a ti ṣetan fun idanwo.

Awọn idanwo

Lọ si oju-iwe iwọle (https://login.k8s.example.com) ati buwolu wọle nipa lilo akọọlẹ GitHub rẹ:

Jẹri ni Kubernetes ni lilo GitHub OAuth ati Dex
Oju-iwe wiwọle

Jẹri ni Kubernetes ni lilo GitHub OAuth ati Dex
Oju-iwe iwọle ti darí si GitHub

Jẹri ni Kubernetes ni lilo GitHub OAuth ati Dex
 Tẹle awọn ilana ti ipilẹṣẹ lati jèrè wiwọle

Lẹhin ti daakọ-sọ lati oju-iwe wẹẹbu, a le lo kubectl lati ṣakoso awọn orisun iṣupọ wa:

kubectl get po
NAME                READY   STATUS    RESTARTS   AGE
mypod               1/1     Running   0          3d

kubectl delete po mypod
Error from server (Forbidden): pods "mypod" is forbidden: User "[email protected]" cannot delete pods in the namespace "default"

Ati pe o ṣiṣẹ, gbogbo awọn olumulo GitHub ninu agbari wa le rii awọn orisun ati wọle sinu awọn adarọ-ese, ṣugbọn wọn ko ni awọn ẹtọ lati yi wọn pada.

orisun: www.habr.com

Fi ọrọìwòye kun