This article is written as an extension of an existing one.
In this article I will show how to install and configure:
- Keycloak, an open-source project that provides a single entry point for applications. It works with many protocols, including LDAP and the one we want here, OpenID.
- keycloak-gatekeeper, a reverse-proxy application that lets you put authorization through Keycloak in front of an application.
- gangway, an application that generates a kubectl configuration with which you can log in and connect to the Kubernetes API via OpenID.
How permissions work in Kubernetes
We can manage user and group rights with RBAC; plenty of articles have already been written about that, so I will not go into it in detail. The catch is that RBAC lets you restrict a user's rights, but Kubernetes itself knows nothing about users. So we need a way to deliver the user to Kubernetes. For that we will connect an OpenID provider to Kubernetes: the provider asserts that such a user really exists, and Kubernetes itself grants the rights.
Preparation
- You will need a Kubernetes cluster or minikube
- Active Directory
- Domains:
  keycloak.example.org
  kubernetes-dashboard.example.org
  gangway.example.org
- A certificate for the domains, or a self-signed certificate
I will not go into how to make a self-signed certificate; you need to make 2 certificates: the root (Certificate Authority) and a wildcard client certificate for the *.example.org domain.
After obtaining or issuing the certificates, the client certificate must be added to Kubernetes, so we create a secret for it:
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pem
Next we will use it for our Ingress controller.
Installing Keycloak
I decided that the easiest way is to use a ready-made solution for this, namely helm charts.
Add the repository and update it:
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
Create a keycloak.yml file with the following content:
keycloak.yml
keycloak:
  # Administrator name
  username: "test_admin"
  # Administrator password
  password: "admin"
  # These flags are needed to allow uploading scripts into Keycloak directly through the web UI.
  # We will need this to fix one bug, described below.
  extraArgs: "-Dkeycloak.profile.feature.script=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"
  # Enable ingress, set the host name and the certificate we saved earlier as a secret
  ingress:
    enabled: true
    path: /
    annotations:
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.example.org
    tls:
      - hosts:
          - keycloak.example.org
        secretName: tls-keycloak
  # Keycloak needs a database to run. For testing I deploy Postgresql directly in Kubernetes; do not do this in production!
  persistence:
    deployPostgres: true
    dbVendor: postgres
postgresql:
  postgresUser: keycloak
  postgresPassword: ""
  postgresDatabase: keycloak
  persistence:
    enabled: true
Realm setup
Next, go to the web interface.
Click Add realm in the top-left corner.
Name: Kubernetes
Display name: Kubernetes
Disable user email verification:
Client Scopes —> Email —> Mappers —> Email verified (Delete)
Set up a federation to import Active Directory users; I will leave screenshots below, I think they make it clearer.
User Federation —> Add provider… —> ldap
(Screenshot: federation setup)
If everything went well, after pressing the Synchronize all users button you will see a message about the successful import of users.
Next we need to map our groups:
User Federation —> ldap_localhost —> Mappers —> Create
(Screenshot: creating a mapper)
Client setup
We need to create a client; in Keycloak terms this is the application that will authorize against it. I will highlight the important points in the screenshot in red.
Clients —> Create
(Screenshot: client setup)
Let's create a scope for groups:
Client Scopes —> Create
(Screenshot: creating a scope)
And set a mapper for it:
Client Scopes —> groups —> Mappers —> Create
(Screenshot: mapper)
Add our groups mapping to the Default Client Scopes:
Clients —> kubernetes —> Client Scopes —> Default Client Scopes
Select groups in Available Client Scopes and press Add selected.
Get the secret (and write it down) that we will use for authorization in Keycloak:
Clients —> kubernetes —> Credentials —> Secret
This completes the setup, but I had a problem: after a successful authorization I received a 403 error.
Fix:
Client Scopes —> roles —> Mappers —> Create
(Screenshot: mapper)
Script code
// add the current client id to the token audience
token.addAudience(token.getIssuedFor());
// return the token issuer as a dummy result, assigned to iss again
token.getIssuer();
Configuring Kubernetes
We need to tell it where our root certificate for the site is and where the OIDC provider lives.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml
kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/var/lib/minikube/certs/My_Root.crt
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
    ...
Update the kubeadm configuration in the cluster:
kubeadmconfig
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
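The five --oidc-* flags above are exactly the claims kube-apiserver inspects before it hands a user name and group list to RBAC: the token's iss must equal --oidc-issuer-url, its aud must contain --oidc-client-id, and the --oidc-username-claim and --oidc-groups-claim fields must be present. That is also why the script mapper in the client section is needed: Keycloak's default audience is "account", so a token without the client id in aud is refused. The checker below is an added example, not code from the article or from Keycloak or Kubernetes. It decodes a JWT payload without verifying the signature (signature, expiry and key checks stay with kube-apiserver) and reports which of those expectations a token fails. The sample tokens, the user alice@example.org and the placeholder signature are constructed for the example.

```python
import base64
import json

# kube-apiserver OIDC flags from the article, repeated here so the checker
# can compare token claims against them.
OIDC_ISSUER_URL = "https://keycloak.example.org/auth/realms/kubernetes"
OIDC_CLIENT_ID = "kubernetes"
OIDC_USERNAME_CLAIM = "email"
OIDC_GROUPS_CLAIM = "groups"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for the sample input only.

    The third segment is a constructed placeholder, not a real signature:
    this helper exists so decode_claims() sees realistic input. It signs
    nothing and cannot mint a token any verifier would accept."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature.

    Signature, expiry and key checks are kube-apiserver's job (it fetches
    the realm's keys via the discovery document under --oidc-issuer-url);
    this function only inspects claim shape, so never treat its output
    as an authenticated identity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_claims(claims: dict,
                 issuer_url: str = OIDC_ISSUER_URL,
                 client_id: str = OIDC_CLIENT_ID,
                 username_claim: str = OIDC_USERNAME_CLAIM,
                 groups_claim: str = OIDC_GROUPS_CLAIM) -> list[str]:
    """List the ways the claims fail the apiserver's OIDC expectations.

    An empty list means the token would map to a user and groups."""
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url {issuer_url!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # a single audience is encoded as a bare string
        aud = [aud]
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain --oidc-client-id {client_id!r}")
    if not claims.get(username_claim):
        problems.append(f"missing --oidc-username-claim {username_claim!r}")
    groups = claims.get(groups_claim)
    if not isinstance(groups, list):
        problems.append(f"--oidc-groups-claim {groups_claim!r} missing or not a list")
    elif any(g.startswith("/") for g in groups):
        # Keycloak's group mapper emits "/DataOPS" when "Full group path" is
        # on; that string would not match an RBAC subject named "DataOPS".
        problems.append(f"group names carry a leading '/': {groups!r}")
    return problems


def identity(claims: dict) -> tuple[str, list[str]]:
    """The (username, groups) pair kube-apiserver would hand to RBAC."""
    return claims[OIDC_USERNAME_CLAIM], list(claims[OIDC_GROUPS_CLAIM])


# Constructed sample claims. "account" is the audience Keycloak sets by
# default; the second token has the client id added, which is what the
# article's script mapper does with token.addAudience(token.getIssuedFor()).
_BASE = {"iss": OIDC_ISSUER_URL, "sub": "alice", "email": "alice@example.org",
         "groups": ["DataOPS"], "exp": 1893456000}
TOKEN_BEFORE_FIX = make_sample_jwt({**_BASE, "aud": "account"})
TOKEN_AFTER_FIX = make_sample_jwt({**_BASE, "aud": ["account", "kubernetes"]})

if __name__ == "__main__":
    for name, token in (("before fix", TOKEN_BEFORE_FIX), ("after fix", TOKEN_AFTER_FIX)):
        print(name, "->", check_claims(decode_claims(token)) or "ok")
```

Run against a real token obtained from the realm (for instance the id_token gangway places in the generated kubeconfig), the same checks explain most "authorized in Keycloak but rejected by the apiserver" cases before you start reading apiserver logs. The leading-slash check matters for the ClusterRoleBinding later in the article: RBAC compares the group string exactly, so "/DataOPS" from a full-path mapper is not "DataOPS".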
Setting up the auth proxy
You can use keycloak-gatekeeper to protect your web application. Besides authorizing the user before the page is shown, this reverse proxy also forwards information about the user to the application endpoint in a header. So if your application supports OpenID, the user is authorized straight away. Consider the Kubernetes Dashboard as an example.
Installing Kubernetes Dashboard
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
values_dashboard.yaml
enableInsecureLogin: true
service:
  externalPort: 80
rbac:
  clusterAdminRole: true
  create: true
serviceAccount:
  create: true
  name: 'dashboard-test'
Setting up access rights:
Let's create a ClusterRoleBinding that grants cluster administrator rights (the standard ClusterRole cluster-admin) to the users of the DataOPS group.
kubectl apply -f rbac.yaml
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataops_group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: DataOPS
Install keycloak-gatekeeper:
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
values_proxy.yaml
# Enable ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - kubernetes-dashboard.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - kubernetes-dashboard.example.org
# Where we authorize with the OIDC provider
discoveryURL: "https://keycloak.example.org/auth/realms/kubernetes"
# Name of the client we created in Keycloak
ClientID: "kubernetes"
# The secret I asked you to write down
ClientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
# Where to forward to after successful authorization. Format: <SCHEMA>://<SERVICE_NAME>.<NAMESPACE>.<CLUSTER_NAME>
upstreamURL: "http://dashboard-kubernetes-dashboard.default.svc.cluster.local"
# Skip certificate verification if we use a self-signed one
skipOpenidProviderTlsVerify: true
# Access rules: allow every path if we are in the DataOPS group
rules:
  - "uri=/*|groups=DataOPS"
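The rule "uri=/*|groups=DataOPS" is the whole access policy the proxy enforces in front of the dashboard, so it is worth seeing precisely what such a rule string says. The evaluator below is an added example, not code from keycloak-gatekeeper or from the article: it parses rules of that "key=value|key=value" shape and decides a request from the caller's path, method and token groups. The keys it accepts (uri, methods, groups), the glob matching of uri and the "member of at least one listed group" reading of groups are this example's assumptions about the format, and denying a request that no rule matches is a choice made here for the example, not a statement about the proxy's own default. The request paths and group names are constructed sample input.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    uri: str                                    # glob over the request path, e.g. "/*"
    methods: frozenset = frozenset({"ANY"})     # "ANY" means every HTTP method
    groups: frozenset = frozenset()             # empty: any authenticated user


def parse_rule(text: str) -> Rule:
    """Parse one 'key=value|key=value' rule string.

    Recognised keys are uri, methods (comma-separated) and groups
    (comma-separated). Unknown keys are rejected so that a typo such as
    'group=DataOPS' cannot silently turn into an unrestricted rule."""
    fields = {}
    for part in text.split("|"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"rule part {part!r} is not key=value")
        key = key.strip()
        if key not in {"uri", "methods", "groups"}:
            raise ValueError(f"unknown rule key {key!r}")
        fields[key] = value.strip()
    if "uri" not in fields:
        raise ValueError("rule has no uri=")
    methods = frozenset(m.strip().upper() for m in fields.get("methods", "ANY").split(","))
    groups = frozenset(g.strip() for g in fields.get("groups", "").split(",") if g.strip())
    return Rule(fields["uri"], methods, groups)


def decide(rules, method: str, path: str, token_groups) -> tuple[bool, str]:
    """Return (allowed, reason) for one authenticated request.

    The first rule whose uri glob and method match decides. If it names
    groups, the caller must be in at least one of them. A request that
    matches no rule is denied; that default is this example's choice."""
    user_groups = set(token_groups)
    for rule in rules:
        if not fnmatch.fnmatchcase(path, rule.uri):
            continue
        if "ANY" not in rule.methods and method.upper() not in rule.methods:
            continue
        if rule.groups and not (rule.groups & user_groups):
            return False, (f"{path}: rule {rule.uri!r} requires one of "
                           f"{sorted(rule.groups)}, token has {sorted(user_groups)}")
        return True, f"{path}: allowed by rule {rule.uri!r}"
    return False, f"{path}: no rule matched"


# The single rule from values_proxy.yaml above.
DASHBOARD_RULES = [parse_rule("uri=/*|groups=DataOPS")]

if __name__ == "__main__":
    # Constructed requests: a DataOPS member and a user from another group.
    for groups in (["DataOPS"], ["Developers"]):
        print(decide(DASHBOARD_RULES, "GET", "/", groups))
```

Because the rule uses the glob "/*", every path, including "/", is covered, and group membership is the only thing that separates an allowed request from a denied one. The evaluator is also a convenient place to test a tighter policy before deploying it, for example a read-only rule with methods=GET for one group and a broader one for DataOPS.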
After that, when you try to go to
Installing gangway
For convenience, you can add gangway, which generates a kubectl configuration file with which we log in to Kubernetes as our user.
helm install --name gangway stable/gangway -f values_gangway.yaml
values_gangway.yaml
gangway:
  # Arbitrary cluster name
  clusterName: "my-k8s"
  # Where our OIDC provider is
  authorizeURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/auth"
  tokenURL: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/token"
  audience: "https://keycloak.example.org/auth/realms/kubernetes/protocol/openid-connect/userinfo"
  # In theory the groups we mapped could be added here
  scopes: ["openid", "profile", "email", "offline_access"]
  redirectURL: "https://gangway.example.org/callback"
  # Client name
  clientID: "kubernetes"
  # Secret
  clientSecret: "c6ec03b8-d0b8-4cb6-97a0-03becba1d727"
  # With the default value the user name becomes "First name Second name"; with "sub" it is the login
  usernameClaim: "sub"
  # Domain name or IP address of the API server
  apiServerURL: "https://192.168.99.111:8443"
  # If we use a self-signed certificate, it (the public root certificate) must be given here.
  trustedCACert: |-
    -----BEGIN CERTIFICATE-----
    MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwHhcNMjAwMjE0MDkxODAwWhcNMzAwMjE0MDkxODAwWjA1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRGF0YU9QUzEUMBIGA1UEAxMLbXkgcm9vdCBrZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyP749PqqIRwNSqaK6qr0Zsi03G4PTCUlgaYTPZuMrwUVPK8xX2dWWs9MPRMOdXpgr8aSTZnVfmelIlVz4D7o2vK5rfmAe9GPcK0WbwKwXyhFU0flS9sU/g46ogHFrk03SZxQAeJhMLfEmAJm8LF5HghtGDs3t4uwGsB95o+lqPLiBvxRB8ZS3jSpYpvPgXAuZWKdZUQ3UUZf0X3hGLp7uIcIwJ7i4MduOGaQEO4cePeEJy9aDAO6qV78YmHbyh9kaW+1DL/Sgq8NmTgHGV6UOnAPKHTnMKXl6KkyUz8uLBGIdVhPxrlzG1EzXresJbJenSZ+FZqm3oLqZbw54Yp5hAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHISTOU/6BQqqnOZj+1xJfxpjiG0MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAj7HC8ObibwOLT4ZYmISJZwub9lcE0AZ5cWkPW39j/syhdbbqjK/6jy2D3WUEbR+s1Vson5Ov7JhN5In2yfZ/ByDvBnoj7CP8Q/ZMjTJgwN7j0rgmEb3CTZvnDPAz8Ijw3FP0cjxfoZ1Z0V2F44Ry7gtLJWr06+MztXVyto3aIz1/XbMQnXYlzc3c3B5yUQIy44Ce5aLRVsAjmXNqVRmDJ2QPNLicvrhnUJsO0zFWI+zZ2hc4Ge1RotCrjfOc9hQY63jZJ17myCZ6QCD7yzMzAob4vrgmkD4q7tpGrhPY/gDcE+lUNhC7DO3l0oPy2wsnT2TEn87eyWmDiTFG9zWDew==
    -----END CERTIFICATE-----
# Enable Ingress
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
  path: /
  hosts:
    - gangway.example.org
  tls:
    - secretName: tls-keycloak
      hosts:
        - gangway.example.org
It looks like this. It lets you quickly download the config file, or generate it with a set of commands:
Source: www.habr.com