kubernetes對接第三方認證
概述
本文介紹如何使用github賬戶去關聯自己kubernetes賬戶。達到如下效果:
- 使用github用戶email作爲kubernetes用戶,如[email protected]
- 創建對應的clusterrole綁定給[email protected]這個用戶
- 給fhtjob@hotmail這個用戶創建一個kubeconfig文件,讓改用戶可以使用kubectl命令操作集羣,且只有部分權限
<!--more-->
dex介紹
dex 是一個統一認證的服務,支持各種認證協議如Ouath2 ldap等,自己可以作爲一個identity provider,也可以連到別的id provider(如github)上,dex作爲一箇中間代理.
流程
http://47.52.197.163:5555 http://47.52.197.163:32000
人(瀏覽器) dex client dex server github kubectl kubernetes server
| login(scope) | | | | |
|------1-------->| | | | |
| |----------2------------->| | | |
| | |----------3----------->| | |
| | | id_token | | |
| | |<---------4------------| callback | |
| id_token |<----------5-------------|callback | | |
|<-------6-------| | | | |
| | | | id_token | |
|------------------------------------------------7-------------------------------------------->| id_token |
| | | | |----------8------------>|
| | | | | | valid?
| | | | | | expired?
| | | | | | user Authorized?
| | | | |<---------9-------------|
X<----------------------------------------------10---------------------------------------------| |
| | | | | |
| | | | | |
| | | | | |
- scope: 你需要哪些信息,如郵箱,openid,用戶名等
- id_token: 加密後的你需要的信息
- dex client: dex的客戶端,比如可以是我們自己寫的管理的服務端,會去調用第三方登錄的流程,或者我們寫的一個網站後臺處理登錄的邏輯
- dex server: dex的服務端,一邊作爲client的服務端,另一邊其實是github的客戶端
- 用戶在瀏覽器發起登錄請求
- dexclient把請求重定向給dexserver
- dexserver重定向給github,這時用戶就會跳轉到github的頁面去授權允許訪問哪些信息
- github把對應信息加密調用dexserver的回調url(http://47.52.197.163:32000/callback)把信息傳給dex server, 注意區分dex client的回調
- dexserver把信息回調給dex client(http://47.52.197.163:5555/callback)
- 瀏覽器中拿到token
- 把token加到kubeconfig文件中,讓kubectl可以使用
- kubectl把token傳給kubernetes server, server有 dex server的公鑰可以解析token,拿到username, 看是否過期,看授權是否允許執行該動作
- 把執行結果返回給kubectl
環境介紹與注意事項
- 採用雲服務器進行該實驗,Floatingip是47.52.197.163
- 你需要有一個github賬戶,我的是github.com/fanux 把email([email protected])作爲kubernetes賬戶
- 服務器上要裝golang
- 官方教程有很多坑,建議看我的教程
- 需要有個k8s集羣,那麼我最推薦的安裝方式當然是購買我的安裝包哈哈
安裝
修改kube apiserver配置
[root@master2 ~]# cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --oidc-issuer-url=https://47.52.197.163:32000 # 加上這五個參數
- --oidc-client-id=example-app
- --oidc-ca-file=/etc/kubernetes/ssl/ca.pem # dex證書,掛載進來的
- --oidc-username-claim=email
- --oidc-groups-claim=groups
...
- mountPath: /etc/kubernetes/ssl # 把dex的證書掛進去給apiserver使用
name: dex
readOnly: true
volumes:
- hostPath:
path: /etc/kubernetes/ssl
type: DirectoryOrCreate
name: dex
用kubeadm安裝的修改/etc/kubernetes/manifests/kube-apiserver.yaml這個文件即可,建議不要直接修改,拷貝出來修改再複製回去,防止kubelet去拉swap文件導致controller manager異常
創建github app
點你github頭像,settings->developer settins -> new oauth app
Application name: example-app
Homepage URL:https://47.52.197.163:32000
Authorization callback URL: https://47.52.197.163:32000/callback
URL千萬別填錯,注意是dex server的URL而不是dex client的5555
然後你就能看到一個ID一個secrect 後面需要用
部署dex
沒裝go的自己去裝。。。
go get github.com/coreos/dex
cd $GOPATH/src/github.com/coreos/dex
生成證書
gencert.sh需要改一下,把我們IP加進去
[alt_names]
DNS.1 = dex.example.com
IP.1 = 47.52.197.163
IP.2 = 172.31.244.238
$ cd examples/k8s
$ ./gencert.sh
$ cp examples/k8s/ssl /etc/kubernetes # 可曾記得我們掛載的目錄
創建secrect,這個會給dex server用
$ kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem
再創建一個secrect給dex server Github OAuth2 客戶端用,dex server是github的一個客戶端要理解
$ kubectl create secret \
generic github-client \
--from-literal=client-id=$GITHUB_CLIENT_ID \ # 這倆東西替換成在github頁面上創建的APP clientid和secrect
--from-literal=client-secret=$GITHUB_CLIENT_SECRET
啓動dex.yaml,注意代碼裏直接clone下來的沒有配置存儲,而且鏡像比較老,建議用我的:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: dex
name: dex
spec:
replicas: 1
template:
metadata:
labels:
app: dex
spec:
containers:
- image: quay.io/coreos/dex:v2.10.0
name: dex
command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
ports:
- name: https
containerPort: 5556
volumeMounts:
- name: config
mountPath: /etc/dex/cfg
- name: data
mountPath: /etc/example
- name: tls
mountPath: /etc/dex/tls
env:
- name: GITHUB_CLIENT_ID
valueFrom:
secretKeyRef:
name: github-client
key: client-id
- name: GITHUB_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: github-client
key: client-secret
volumes:
- name: data
hostPath:
path: /data/example
- name: config
configMap:
name: dex
items:
- key: config.yaml
path: config.yaml
- name: tls
secret:
secretName: dex.example.com.tls
---
kind: ConfigMap
apiVersion: v1
metadata:
name: dex
data:
config.yaml: |
issuer: https://47.52.197.163:32000
storage:
type: sqlite3
config:
file: /etc/example/dex.db
web:
https: 0.0.0.0:5556
tlsCert: /etc/dex/tls/tls.crt
tlsKey: /etc/dex/tls/tls.key
connectors:
- type: github
id: github
name: GitHub
config:
clientID: $GITHUB_CLIENT_ID
clientSecret: $GITHUB_CLIENT_SECRET
redirectURI: https://47.52.197.163:32000/callback
org: kubernetes
oauth2:
skipApprovalScreen: true
staticClients:
- id: example-app
redirectURIs:
- 'http://47.52.197.163:5555/callback'
name: 'Example App'
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
enablePasswordDB: true
staticPasswords:
- email: "[email protected]"
# bcrypt hash of the string "password"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
username: "admin"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
---
apiVersion: v1
kind: Service
metadata:
name: dex
spec:
type: NodePort
ports:
- name: dex
port: 5556
protocol: TCP
targetPort: 5556
nodePort: 32000
selector:
app: dex
主要修改了:
- 鏡像
- 一些地址,改成自己的IP
- 存儲,我改成了sqlite, 需要掛載一個文件進去,在宿主機上創建一個文件
$ touch /data/example/dex.db
$ kubectl create -f dex.yaml
啓動dex client
編譯客戶端dex目錄下:
make
啓動客戶端:
$ ./bin/example-app --issuer https://47.52.197.163:32000 --issuer-root-ca examples/k8s/ssl/ca.pem --redirect-uri http://47.52.197.163:5555/callback
瀏覽器訪問獲取token
瀏覽器訪問 http://47.52.197.163:5555 ,點擊login後能看到 Log in to dex 下面可以選 log in with Email 和 log in with github
點擊log in with github 授權後得到:
Token:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImMyZWIzYzkwMmM0NDliMTYwMGNjNzNhMWYyNWVjMjI0MDY4NmE0OGMifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTI0MDIwNzA3LCJpYXQiOjE1MjM5MzQzMDcsImF0X2hhc2giOiI5czJob0lzUHRlMW9nc3VKemRab1pnIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.uJAL08BZioSWPaEFh8R50JQVRw6QXgC1n3sn5ovzaoauy51YFjdSh08UZT8KQon8R5JdZ4U06BczwmOG_tT0mWVd_mDqLnRm6lGpm9znYiC1OLNGZOdzuQVsuxe4Lk1YOvxTsJQtpYuOcXXKkwmdfWNeh4VyZoALiVZxLfL44lSnU55JutLNnGD5S6Aiu6YF0xwlcX5Eq1j2pYtg4isnPtU4k6gbiEYCMPm0Gs3FPljnLT7a-TB1tjZLc4RDwBZ4OoiYRu5mAmH5SHHq1_TS9wDTXX16KlQTG9tS_I11n--1grYTz5WondBoM14BJebDdcSF7nRWJ-I8CU_UYu6gcA
Claims:
{
"iss": "https://47.52.197.163:32000",
"sub": "Cgc4OTEyNTU3EgZnaXRodWI",
"aud": "example-app",
"exp": 1524020707,
"iat": 1523934307,
"at_hash": "9s2hoIsPte1ogsuJzdZoZg",
"email": "[email protected]",
"email_verified": true,
"name": "steven"
}
Refresh Token:
Chlrem12bDdmdGJ1dWNlYnk0b2llcWd0YzNqEhloNGhwbmlsZnByZ29mdWdsdWZ6bGp4cHhs
那麼 恭喜你成功了, 這個token就是我們要的東西
驗證tocken
curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g" -k https://172.31.244.238:6443/api/v1/namespaces/default/pods
你會發現
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods is forbidden: User \"[email protected]\" cannot list pods in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
[email protected]這個用戶沒有權限訪問pods。我們給他創建一個角色綁定:
[root@master2 dex]# cat examples/k8s/role.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-secrets-global
subjects:
- kind: User
name: "[email protected]" # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: cluster-admin # 超級用戶給他
apiGroup: rbac.authorization.k8s.io
$ kubectl create -f examples/k8s/role.yaml
再次curl:
ot@master2 dex]# curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g" -k https://172.31.244.238:6443/api/v1/namespaces/default/pods
{
"kind": "PodList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces/default/pods",
"resourceVersion": "333066"
},
"items": [
{
"metadata": {
"name": "dex-578588c896-rsp9w",
"generateName": "dex-578588c896-",
"namespace": "default",
"selfLink": "/api/v1/namespaces/default/pods/dex-578588c896-rsp9w",
成功
把tocken加入到證書中
最簡單的方式:
[root@master2 dex]# cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNE1ETXlOekV6TURNMU9Gb1hEVEk0TURNeU5ERXpNRE0xT0Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTnl1CldVdWQxNEJjcFgvbU4xQ3dtUnZzRDJyVFF5aGdOQ3FDTGQ5M2VVVzRqbHJCQ0pCUGkzcE9mOXNTVFJELzV3V0YKUUpzOTE5eVZuRmdOOXBHVVRHbjVieHVtNzgrS3lvY20xTnJ3Z1kxUUpnWlZxVUZhQ1I5VDJ1RThBM1lyKzdITAovS3FHMEZ3S05UV0w3Zy85VFAzdmpQMW5XR3NTTElmVHAxMjNaK0lxZHJaQlI0NUZDQzBOQzU4cmxEYUErVFdOCjRVQ2xJalBKRHJuV2M1Z2E4a3NVYXN4UkQ5clR2dm5iOG05V2NEYnhXdEViTlJyS0R6cUp5K00wT1BacDdIY1QKWkhHUnlXTVR3WVhRVGlmWFhxVTY1U2VkdEdjT3ZsOHl0ck1UZndCRkh2Y1NWQW9sNytYUnNicSs4bDRKc0M5OApPN0tOODAxT0dvaUFyWWNFYjRjQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLcFpoN0t5ZzRLM0dyK0NZRzdwbVlXUGR1eFUKMXcrY1BPZ053OE83MHNFWE5lbnFMbEZVdThtYjMxQTZ4RHZKWHZ4OXNiQ0o5YzdDeDFiaVNNYnFrWlBHRGs4UgpZSm5wZlB4WXBUWlBISmFkK1ZCb2tVY0J3QlluTTB1SXFzZGhvbHhPelVBUU9UbVo5M3UzSi9MeUNob3IwSmlJCm1uQ1hlaHlDaTZ1YTVvTldXNmVNWnlaRWxzRnpXcnlGdHkyNGRKVWkvQkd0SjR2ZStlRmtLTE9VTXpnMjBBU3YKZU1ldkdUL1FibWd1YXZhT1RCdjVDYW05RElSNEZSd2YvV2hwdHpMTVdCVFJXb2ROOUhkcE1tRDhxUmU1YnVWNgpiZ245VFgzejBncUhGMzFQZlBjcTJWRFRJWnJZK084MTBwOTQrbTA5YmxrcTQzSDdXQmhGTmdvditzUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://172.31.244.238:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTY3NDQzLCJpYXQiOjE1MjM4ODEwNDMsImF0X2hhc2giOiJMUzNKUVpiWDVuVnBuam5zSU5nNGZnIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.KjKSkqqX1I21rkqF4t39x8YmEFx2yPlQSMFInVeAp4lCRACljMvTY07GSWycEez0SarPtO80dTqcM4buz7WMVPMRuSqg-HuCPB3DjzD4M84OiHZSFB_5xOJIUqP0dWLAuPTalu2T-le4Gp0gPXc863YfLEMzRm8cxbvdASwQrTZ5oKgoRVznDREW3NIgEONUU9A64bBeWi5xH1eyCbvh4l3Q-ZfkYG4A4w46FwAmfL4ClxCBiIkpZWhKv5GcN8bg7-msaNlvlejpvbSuVWpt5CLJzpCXHh1AqCUBkXzp8ObSGGIw1BfkVFnyH26bpho2kAzxbGtdwNx4TdGlu_XYlw
注意把user那的client-certificate-data client-key-data 刪掉,加上token, 我這直接在/etc/kubernetes/admin.conf上修改的,也可以重新生成配置文件:
kubectl config set-credentials fanux \
--client-certificate=/etc/kubernetes/pki/ca.crt \
--client-key=/etc/kubernetes/pki/ca.key \
--token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g \
--embed-certs=true \
--kubeconfig=fanux.config
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=fanux \
--namespace=default \
--kubeconfig=fanux.config
kubectl config use-context kubernetes --kubeconfig=fanux.config
kubectl config set-cluster kubernetes --server=https://172.31.244.238:6443 --certificate-authority=/etc/kubernetes/pki/ca.key --kubeconfig=fanux.config
驗證:
$ kubectl get pod #正常
刪除角色綁定再執行get pod
[root@master2 dex]# kubectl delete -f examples/k8s/role.yaml
clusterrolebinding.rbac.authorization.k8s.io "read-secrets-global" deleted
[root@master2 dex]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "[email protected]" cannot list pods in the namespace "default"
已經無權限了。
至於給用戶分配更細的權限,比較簡單,讀者門自己倒持去吧
掃碼關注sealyun
探討可加QQ羣:98488045