A short tutorial on using Keycloak to connect Kubernetes to your LDAP server and set up the import of users and groups. This lets you configure RBAC for your users and put an auth-proxy in front of the Kubernetes Dashboard and other applications that cannot authenticate users on their own.
Installing Keycloak
Let's assume you already have an LDAP server. It can be Active Directory, FreeIPA, OpenLDAP or anything else. If you have no LDAP server, you can in principle create users directly in the Keycloak interface, or use public OIDC providers (Google, GitHub, GitLab); the result will be almost the same.
First, let's install Keycloak itself. It can be installed separately or directly into a Kubernetes cluster; as a rule, if you have several Kubernetes clusters it is more convenient to install it separately. On the other hand, you can always use
Keycloak needs a database to store its data. The default is h2 (all data is kept locally), but postgres, mysql or mariadb can be used as well. The embedded h2 database is only suitable for trying things out; anything you rely on for authentication should use an external database.
If you do decide to install Keycloak separately, you can find more detailed instructions in
Realm setup
First, let's create a new realm. A realm is the space of our application. Each application can have its own realm with separate users and authorization settings. The master realm is used by Keycloak itself, and using it for anything else is wrong.
Click Add realm
Option: Value
Name: kubernetes
Display name: Kubernetes
HTML Display name: <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >
kube-apiserver checks whether the user's email is verified: when the username claim is email and the token carries an email_verified claim that is false, the token is rejected. Since our users come from our own LDAP server, Keycloak will almost always set this claim to false. So let's stop the claim from being emitted at all by deleting its mapper:
Client Scopes -> email -> Mappers -> email verified (Delete)
This is acceptable only because every account in the realm comes from LDAP; if the realm also allowed self-registration, a self-chosen and unverified e-mail address would then be accepted as a Kubernetes username.
Now let's set up user federation; this time go to:
User Federation -> Add provider... -> ldap
Here is an example of the settings for FreeIPA:
Option: Value
Console Display Name: freeipa.example.org
Vendor: Red Hat Directory Server
UUID LDAP attribute: ipauniqueid
Connection URL: ldaps://freeipa.example.org
Users DN: cn=users,cn=accounts,dc=example,dc=org
Bind DN: uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential: <password>
Allow Kerberos authentication: on
Kerberos Realm: EXAMPLE.ORG
Server Principal: HTTP/[email protected]
KeyTab: /etc/krb5.keytab
The keycloak-svc user must be created in advance on our LDAP server. Give it read-only access: Keycloak only needs to search users and groups, and the bind credential ends up stored in Keycloak's database. Use the ldaps:// URL as shown, so that this password and your users' passwords are not sent in clear text.
In the case of Active Directory, simply select Vendor: Active Directory and the required settings will be filled into the form automatically.
Click Save
Now let's continue:
User Federation -> freeipa.example.org -> Mappers -> First Name
Option: Value
LDAP Attribute: givenName
Now enable the group mapper:
User Federation -> freeipa.example.org -> Mappers -> Create
Option: Value
Name: groups
Mapper Type: group-ldap-mapper
LDAP Groups DN: cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy: GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
The memberOf strategy relies on the directory returning a memberOf attribute on the user entry (FreeIPA and Active Directory do); if your directory does not maintain it, use the strategy that loads groups by their member attribute instead.
This completes the realm setup; let's move on to configuring the client.
Client setup
Let's create a new client (the application that will receive users from Keycloak). Go to:
Clients -> Create
Option: Value
Client ID: kubernetes
Access Type: confidential
Root URL: http://kubernetes.example.org/
Valid Redirect URIs: http://kubernetes.example.org/*
Admin URL: http://kubernetes.example.org/
The redirect URI is where Keycloak sends authorization codes, so keep the pattern as narrow as your client allows and prefer https; a wildcard on a plain-http host lets an attacker who controls any path on it collect codes.
We will also create a groups scope:
Client Scopes -> Create
Option: Value
Template: No template
Name: groups
Full group path: false
And add a mapper to it:
Client Scopes -> groups -> Mappers -> Create
Option: Value
Name: groups
Mapper Type: Group Membership
Token Claim Name: groups
Now we need to enable the group mapping in our client's scopes:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and click Add selected
Now let's set up authentication for our application; go to:
Clients -> kubernetes
Option: Value
Authorization Enabled: ON
Click Save. This completes the client setup; now on the tab
Clients -> kubernetes -> Credentials
you can obtain the secret that we will use later.
Configuring Kubernetes
Setting up Kubernetes for OIDC authentication is a small and not very complicated task. All you need to do is place the CA certificate that issued your OIDC server's TLS certificate at /etc/kubernetes/pki/oidc-ca.pem and add the required options to kube-apiserver. kube-apiserver fetches the issuer's discovery document and signing keys itself, so the control-plane nodes must be able to reach Keycloak, and the issuer URL must match the iss claim in the tokens exactly: the /auth prefix below belongs to the WildFly-based Keycloak distributions of the time, while the Quarkus-based distributions (Keycloak 17 and later) serve realms at /realms/<name> by default.
To do this, edit /etc/kubernetes/manifests/kube-apiserver.yaml on all your masters:
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
    ...
And update the kubeadm configuration in the cluster so that these settings are not lost during an upgrade:
kubectl edit -n kube-system configmaps kubeadm-config
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
This completes the Kubernetes setup. Repeat these steps on all your Kubernetes clusters.
Initial authorization
After these steps you will have a Kubernetes cluster with OIDC authentication configured. The only catch is that your users do not yet have a configured client or their kubeconfig. To solve this, you need to arrange for a kubeconfig to be issued to users automatically after they authenticate successfully.
For this you can use dedicated web applications that let a user authenticate and then download a ready-made kubeconfig. One of the simplest is Kuberos.
To configure Kuberos it is enough to describe a kubeconfig template and run it with the following parameters (the issuer URL, the client ID, a file containing the client secret from the Credentials tab, and the template):
kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template
For more details see
It is also possible to use
The resulting kubeconfig can be checked: the ID token sits in the field users[].user.auth-provider.config.id-token, and pasting it from your kubeconfig into the form on the site decodes it immediately. Bear in mind that this token is a bearer credential for your cluster until it expires, so decode it locally rather than pasting it into a third-party site.
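The following is an added example, not code from the original article or from Kuberos. It decodes an ID token locally (so nothing is pasted into a third-party site) and applies the acceptance rules kube-apiserver's OIDC authenticator uses with the flags from the manifest above: issuer match, audience containing the client ID, expiry, the username claim, the email_verified rule that motivated deleting the mapper, and the groups claim shape. The sample claims and the unsigned test token are constructed here; signature verification against the issuer's JWKS is the apiserver's job and is deliberately not reproduced.

```python
# Added example (not from the original article): decode a Keycloak ID token offline and
# apply the acceptance rules kube-apiserver's OIDC authenticator uses with the flags on
# this page. Signature/JWKS verification is done by the apiserver, not here.
import base64
import json

# Values taken from the kube-apiserver manifest above.
ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"
CLIENT_ID = "kubernetes"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT (header.payload.signature) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def apiserver_identity(claims: dict, now: float, username_prefix=None):
    """Return (username, groups) as kube-apiserver would derive them, or raise ValueError
    carrying the reason the token would be rejected."""
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in audiences:
        raise ValueError("audience does not contain client id %r" % CLIENT_ID)
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp claim")
    username = claims.get(USERNAME_CLAIM)
    if not isinstance(username, str) or not username:
        raise ValueError("username claim %r missing or empty" % USERNAME_CLAIM)
    # With --oidc-username-claim=email, a present-but-false email_verified claim is fatal;
    # an absent claim is accepted, which is why the mapper was deleted in the realm setup.
    if USERNAME_CLAIM == "email" and "email_verified" in claims and claims["email_verified"] is not True:
        raise ValueError("email not verified")
    # Prefix rules: with --oidc-username-prefix unset and a non-email claim, "<issuer>#" is
    # prepended; a prefix of "-" disables prefixing. Our email claim gets no prefix.
    if username_prefix is None:
        if USERNAME_CLAIM != "email":
            username = ISSUER + "#" + username
    elif username_prefix != "-":
        username = username_prefix + username
    groups = claims.get(GROUPS_CLAIM, [])
    if isinstance(groups, str):
        groups = [groups]
    if not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim must be a string or a list of strings")
    return username, list(groups)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned test token in compact form. Keycloak issues RS256 tokens;
    the placeholder signature only gives the three-part shape the decoder expects."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".unsigned"


def rejection_reason(token: str, now: float):
    """None if the apiserver would accept the token, otherwise the reason it would not."""
    try:
        apiserver_identity(jwt_claims(token), now)
    except ValueError as err:
        return str(err)
    return None


NOW = 1_700_000_000  # fixed clock so the constructed sample is reproducible

# Constructed sample claims in the shape Keycloak produces for the realm and client on this page.
GOOD_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 300,
    "email": "alice@example.org", "name": "Alice",
    "groups": ["kubernetes-default-namespace-admins"],
}
UNVERIFIED_CLAIMS = dict(GOOD_CLAIMS, email_verified=False)

if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("email_verified=false", UNVERIFIED_CLAIMS)):
        token = make_unsigned_token(claims)
        print(label, "->", rejection_reason(token, NOW) or apiserver_identity(claims, NOW))
```

To inspect a real token, read users[].user.auth-provider.config.id-token out of the kubeconfig and pass it to jwt_claims and apiserver_identity with the current time; a token the apiserver would refuse yields the same reason here, which is quicker than reading the apiserver's audit log.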
RBAC setup
When configuring RBAC you can refer both to the user name (the claim selected by --oidc-username-claim, which is email in our configuration, so User subjects are e-mail addresses) and to the user's groups (the groups claim in the JWT, which Group subjects match). Here is an example of granting permissions to the group kubernetes-default-namespace-admins:
kubernetes-default-namespace-admins.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins
More RBAC examples can be found in
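As an added example (not part of the original article and not Kubernetes' own authorizer), here is a small evaluator for the Role and RoleBinding above. It takes the identity the apiserver derives from a token (the email claim as username, the groups claim as groups) and answers whether a request in a namespace would be allowed, which shows how an LDAP group reaching the token as a Group subject turns into rights in exactly one namespace. The manifests are transcribed into dicts so no YAML library is needed; only namespaced Role bindings are modelled, and the sample identities are constructed.

```python
# Added example (not from the original article): a minimal evaluator for the Role/RoleBinding
# shown above, answering what a token identity (username from the email claim, groups from
# the groups claim) may do. Only namespaced Role bindings are modelled.

# The page's manifests, transcribed into dicts so no YAML library is needed.
ROLES = [
    {"metadata": {"name": "default-admins", "namespace": "default"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
ROLE_BINDINGS = [
    {"metadata": {"name": "kubernetes-default-namespace-admins", "namespace": "default"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "default-admins"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                   "name": "kubernetes-default-namespace-admins"}]},
]


def _matches(allowed, value):
    # RBAC rule lists are exact-match lists; "*" matches everything.
    return "*" in allowed or value in allowed


def effective_groups(groups):
    # kube-apiserver adds system:authenticated to every successfully authenticated user.
    return set(groups) | {"system:authenticated"}


def binding_applies(binding, username, groups):
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == username:
            return True
        if subject["kind"] == "Group" and subject["name"] in groups:
            return True
    return False


def can_i(username, groups, verb, resource, namespace, api_group="",
          roles=ROLES, bindings=ROLE_BINDINGS):
    """True if some RoleBinding in `namespace` grants `verb` on `resource` to this identity."""
    groups = effective_groups(groups)
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        if binding["roleRef"]["kind"] != "Role" or not binding_applies(binding, username, groups):
            continue  # ClusterRole references are out of scope for this example
        role = next((r for r in roles
                     if r["metadata"]["name"] == binding["roleRef"]["name"]
                     and r["metadata"]["namespace"] == namespace), None)
        if role is None:
            continue  # a dangling roleRef grants nothing
        for rule in role["rules"]:
            if (_matches(rule["apiGroups"], api_group)
                    and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False


if __name__ == "__main__":
    # Constructed identities: alice carries the LDAP group from the page, bob does not.
    alice = ("alice@example.org", ["kubernetes-default-namespace-admins"])
    bob = ("bob@example.org", [])
    print(can_i(*alice, "delete", "pods", "default"))      # True
    print(can_i(*alice, "delete", "pods", "kube-system"))  # False: the binding is namespaced
    print(can_i(*bob, "get", "pods", "default"))           # False: not in the group
```

On a real cluster the same question is answered by the apiserver itself with kubectl auth can-i delete pods -n default --as alice@example.org --as-group kubernetes-default-namespace-admins, which is the quickest way to confirm a new binding before handing out kubeconfigs.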
Setting up the auth proxy
There is a wonderful project, keycloak-gatekeeper. It was later renamed Louketo Proxy and retired in 2020, so the manifest below shows the approach; for a new deployment use a maintained OIDC-aware proxy such as oauth2-proxy in its place. Two things to watch in the manifest: the client secret and the encryption key are passed as plain command-line arguments, which puts them into the pod spec and the container's process list, so in practice they belong in a Secret mounted into the pod; and on current clusters a Deployment must use apps/v1 with a selector.
dashboard-proxy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard-proxy
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        # the realm's discovery document; must be the same issuer the apiserver trusts
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        # secret from Clients -> kubernetes -> Credentials; better supplied from a Secret
        - --client-secret=<your-client-secret-here>
        # external URL of the proxy, must be covered by the client's Valid Redirect URIs
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        # placeholder key that encrypts the stored refresh token; generate your own
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        # every path requires a logged-in user
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP
Source: www.habr.com