Binding ActiveDirectory authorization to Kubernetes using Keycloak

This article was written to extend an existing one, but it covers the specifics of combining that setup with Microsoft ActiveDirectory and also supplements it.

In this article I will describe how to install and configure:

  • Keycloak - an open source project that provides a single point of entry for applications. It works with many protocols, including LDAP and OpenID, which are the ones we are interested in.
  • keycloak-gatekeeper - a reverse proxy application that lets you integrate authorization through Keycloak.
  • gangway - an application that generates a config for kubectl with which you can log in and connect to the Kubernetes API via OpenID.

How permissions work in Kubernetes.

We can control user/group rights using RBAC; plenty of articles have already been written about it, so I won't dwell on it in detail. The problem is that RBAC can restrict a user's rights, but Kubernetes itself knows nothing about users. So we need a mechanism that delivers users to Kubernetes. For this we will add an OpenID provider to Kubernetes, which will confirm that such a user really exists, and Kubernetes itself will then grant the rights.

Preparation

  • You will need a Kubernetes cluster or minikube
  • An Active Directory account
  • Domains:
    keycloak.example.org
    kubernetes-dashboard.example.org
    gangway.example.org
  • A certificate for the domains or a self-signed certificate

I won't dwell on how to create a self-signed certificate; you need to create 2 certificates: the root one (Certificate Authority) and a wildcard client certificate for the domain *.example.org

After obtaining/issuing the certificates, the client certificate must be added to Kubernetes; for this we create a secret for it:

kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem

Next, we will use it for our Ingress controller.

Installing Keycloak

I decided that the easiest way is to use ready-made solutions for this, namely Helm charts.

Add the repository and update it:

helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create a keycloak.yml file with the following content:

keycloak.yml

keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags are needed to allow uploading scripts into Keycloak directly through the web UI.
  # We will need this to fix a bug described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable ingress, set the host name and the certificate we saved earlier in secrets
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
    - hosts:
        - keycloak.example.org
      secretName: tls-keycloak
  # Keycloak needs a database; for testing I deploy Postgresql directly in Kubernetes. Don't do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres

postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true

Setting up federation

Next, go to the web interface at keycloak.example.org

Click Add realm in the left corner

Key            Value
Name           kubernetes
Display name   Kubernetes

Disable user email verification:
Client Scopes -> Email -> Mappers -> Email verified (Delete)

We set up federation to import users from ActiveDirectory; I'll leave the screenshots below, I think they will be clear.

User federation -> Add provider… -> ldap

(screenshot: Federation setup)

If everything is fine, then after clicking the Synchronize all users button you will see a message about the successful import of users.

Next we need to map our groups

User federation --> ldap_localhost --> Mappers --> Create

(screenshot: Creating a mapper)

Client setup

We need to create a client; in Keycloak terms, this is the application that will be authorized through it. I will highlight the important fields in the screenshot in red.

Clients -> Create

(screenshot: Client setup)

Let's create a scope for groups:

Client Scopes -> Create

(screenshot: Create scope)

And set up a mapper for them:

Client Scopes -> groups -> Mappers -> Create

(screenshot: Mapper)

Add the mapping of our groups to the Default Client Scopes:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and click Add selected

We get the secret (write it down) which we will use for authorization in Keycloak:

Clients -> kubernetes -> Credentials -> Secret

This completes the setup, but I ran into an error: after successful authorization I received a 403 error. Bug report.

Fix:

Client Scopes -> roles -> Mappers -> Create

(screenshot: Mappers)

Script code

// add current client-id to token audience
token.addAudience(token.getIssuedFor());

// return token issuer as dummy result assigned to iss again
token.getIssuer();
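An added example, not from the article: a Python model of the claim checks the kube-apiserver applies to a Keycloak token under the OIDC flags set in the next section, and of what the script mapper above changes (it appends the client named in azp to aud, so that --oidc-client-id is found in the audience). Signature verification against the realm's JWKS is omitted, and the sample claims are constructed.

```python
import base64
import json

# Values taken from the kube-apiserver flags shown in the next section.
OIDC_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"

def _as_list(value):  # 'aud' and 'groups' may be a single string or an array
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def encode_unsigned_jwt(claims):
    """Build a compact JWT with a dummy signature segment (offline sample only)."""
    segs = [json.dumps({"alg": "RS256"}).encode(), json.dumps(claims).encode()]
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs) + ".sig"

def decode_claims(jwt):
    """Decode the payload segment of a compact JWT. The apiserver first verifies
    the signature against the issuer's JWKS; that step is omitted in this model."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def add_client_audience(claims):
    """Model of the script mapper above: append the client the token was issued
    for ('azp', token.getIssuedFor()) to the 'aud' claim. Returns a new dict."""
    aud = _as_list(claims.get("aud"))
    if claims.get("azp") and claims["azp"] not in aud:
        aud.append(claims["azp"])
    return {**claims, "aud": aud}

def authenticate(claims, now):
    """Apply the apiserver's OIDC claim checks at time 'now'; return (username, groups)."""
    if claims.get("iss") != OIDC_ISSUER_URL:
        raise PermissionError("issuer does not match --oidc-issuer-url")
    if OIDC_CLIENT_ID not in _as_list(claims.get("aud")):
        raise PermissionError("--oidc-client-id is not in aud")  # the rejection described above
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    username = claims.get(OIDC_USERNAME_CLAIM)
    if not username:
        raise PermissionError("username claim missing")
    return username, _as_list(claims.get(OIDC_GROUPS_CLAIM))

# Constructed sample: claims of a token Keycloak issues for the 'kubernetes' client
# before the mapper is added (aud is 'account', azp names the client).
SAMPLE_CLAIMS = {"iss": OIDC_ISSUER_URL, "aud": "account", "azp": "kubernetes",
                 "exp": 4102444800, "email": "user@example.org", "groups": ["DataOPS"]}
```

The groups list returned by authenticate is what the Group subject DataOPS in the rbac.yaml further down is matched against, name for name.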

Configuring Kubernetes

We need to specify where the root certificate for our domain is located, and where the OIDC provider is.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml

kube-apiserver.yaml


...
spec:
  containers:
  - command:
    - kube-apiserver
...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
...

Update the kubeadm config in the cluster:

kubeadm config

kubectl edit -n kube-system configmaps kubeadm-config


...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...

Setting up the auth proxy

You can use keycloak-gatekeeper to protect your web application. Besides authorizing the user before the page is shown, the reverse proxy also passes information about the user to the upstream application in headers. So if your application supports OpenID, the user is authorized immediately. Let's take the Kubernetes Dashboard as an example.

Installing Kubernetes Dashboard


helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml

values_dashboard.yaml

enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'

Setting up access rights:

Let's create a ClusterRoleBinding that grants cluster admin rights (the standard cluster-admin ClusterRole) to users in the DataOPS group.


kubectl apply -f rbac.yaml

rbac.yaml


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS

Install keycloak-gatekeeper:


helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml

values_proxy.yaml



# Enable ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
   - secretName: tls-keycloak
     hosts:
       - kubernetes-dashboard.example.org

# Where we will authenticate with the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to redirect on successful authorization. Format <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if ours is self-signed
skipOpenidProviderTlsVerify: true
# Access rules: allow all paths if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"

After that, when you try to open kubernetes-dashboard.example.org, you will be redirected to Keycloak, and on successful authorization you will land in the Dashboard already logged in.

Installing gangway

For convenience, you can add gangway, which will generate a config file for kubectl with which we will log in to Kubernetes as our user.


helm install --name gangway stable/gangway -f values_gangway.yaml

values_gangway.yaml


gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups we mapped could be added here
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value the username will be taken as "First name Second name"; with "sub" it is the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"

# Enable Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
  - gangway.example.org
  tls:
  - secretName: tls-keycloak
    hosts:
      - gangway.example.org

# If using a self-signed certificate, its public root certificate must be specified here.
trustedCACert: |-
 -----BEGIN CERTIFICATE-----
 ...
 -----END CERTIFICATE-----

It looks like this. It lets you download the config file immediately or generate it with a set of commands:

(screenshot: gangway)

Source: www.habr.com
