Kubernetes in Practice (11): unified authentication for k8s with openLDAP
1. Basic concepts
To simplify management and integration with jenkins, k8s, harbor and jenkins all authenticate against a single openLDAP directory.
2. Deploying openLDAP
As in the earlier articles, openLDAP uses GFS (GlusterFS) for data persistence.
Download the openLDAP manifests:
git clone https://github.com/dotbalo/k8s.git
cd k8s/openldap
Create openLDAP:
[root@k8s-master01 openldap]# kubectl apply -f .
deployment.extensions/ldap created
persistentvolumeclaim/openldap-data created
secret/ldap-secret created
service/ldap-service created
deployment.extensions/phpldapadmin created
service/phpldapadmin created
This is based on https://github.com/osixia/docker-openldap. To change the base DN, edit the yaml files under environment; the default is example.org.
Create the ldap-ui ingress:
[root@k8s-master01 traefik]# kubectl create -f traefik-ldap.yaml
ingress.extensions/ldap-ui created
[root@k8s-master01 traefik]# cat traefik-ldap.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ldap-ui
  namespace: public-service
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: ldap.xxx.net
    http:
      paths:
      - backend:
          serviceName: phpldapadmin
          servicePort: 8080
3. Verification
[root@k8s-master01 openldap]# kubectl get po,svc,pvc -n public-service | grep ldap
pod/ldap-944645448-pqj8b                      1/1     Running   0          4m
pod/phpldapadmin-6c99c76cb6-knmpf             1/1     Running   0          4m
service/glusterfs-dynamic-openldap-data   ClusterIP   10.111.198.83    <none>   1/TCP             3m
service/ldap-service                      ClusterIP   10.98.153.44     <none>   389/TCP,636/TCP   4m
service/phpldapadmin                      ClusterIP   10.109.141.207   <none>   8080/TCP          4m
persistentvolumeclaim/openldap-data   Bound   pvc-f251128b-ec17-11e8-8a89-000c293ad492   1Gi   RWX   gluster-heketi   4m
Open phpldapadmin at ldap.xxx.net.
Default DN: cn=admin,dc=example,dc=org; default password: admin (change this on a production system).
A successful login looks like this:
5. Adding users and groups
Create the Groups and People OUs.
Create Groups in the same way.
Create groups and users.
Create a test group and a devops group in the same way.
Create the users.
Fill in the basic information and select the group and Login Shell.
Remember to change the Common Name.
Add an Email for every user; without an Email the user cannot log in to gitlab.
6. Configuring k8s to log in via LDAP
Edit the nginx configuration in openldap/k8s-ldap; the upstream server is the address of the k8s dashboard.
Build the image:
[root@k8s-master01 k8s-ldap]# docker build -t dotbalo/k8s-nginx-ldap .
Sending build context to Docker daemon 22.02 kB
Step 1/10 : FROM python:2-alpine
 ---> f901fc789b69
Step 2/10 : COPY nginx-ldap-auth-daemon.py /usr/src/app/
 ---> Using cache
 ---> 2c09e174dc92
Step 3/10 : WORKDIR /usr/src/app/
 ---> Using cache
 ---> 80b2344aff04
Step 4/10 : RUN apk --no-cache add openldap-dev && apk --no-cache add --virtual build-dependencies build-base && pip install python-ldap && apk del build-dependencies
 ---> Using cache
 ---> 562bd91f40e4
Step 5/10 : ENV NGINX_VERSION 1.14.1
 ---> Using cache
 ---> ebeed109cb40
Step 6/10 : RUN set -x \
  && mkdir -p /tmp/src/nginx /usr/lib/nginx/modules /var/cache/nginx \
  && apk add --no-cache --virtual .build-deps curl gcc gd-dev geoip-dev gnupg libc-dev libxslt-dev linux-headers make openldap-dev pcre-dev tar unzip zlib-dev \
  && curl -fsSL http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz | tar vxz --strip=1 -C /tmp/src/nginx \
  && curl -fsSL https://github.com/kvspb/nginx-auth-ldap/archive/master.zip -o /tmp/nginx-auth-ldap-master.zip \
  && unzip -d /tmp/src /tmp/nginx-auth-ldap-master.zip \
  && cd /tmp/src/nginx \
  && addgroup -S nginx \
  && adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
  && ./configure \
       --prefix=/usr/share/nginx \
       --sbin-path=/usr/sbin/nginx \
       --modules-path=/usr/lib/nginx/modules \
       --conf-path=/etc/nginx/nginx.conf \
       --error-log-path=/var/log/nginx/error.log \
       --http-log-path=/var/log/nginx/access.log \
       --pid-path=/var/run/nginx.pid \
       --lock-path=/var/run/nginx.lock \
       --http-client-body-temp-path=/var/cache/nginx/client_temp \
       --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
       --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
       --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
       --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
       --user=nginx \
       --group=nginx \
       --with-http_ssl_module \
       --with-http_realip_module \
       --with-http_addition_module \
       --with-http_sub_module \
       --with-http_dav_module \
       --with-http_flv_module \
       --with-http_mp4_module \
       --with-http_gunzip_module \
       --with-http_gzip_static_module \
       --with-http_random_index_module \
       --with-http_secure_link_module \
       --with-http_stub_status_module \
       --with-http_auth_request_module \
       --with-http_xslt_module=dynamic \
       --with-http_image_filter_module=dynamic \
       --with-http_geoip_module=dynamic \
       --with-threads \
       --with-stream \
       --with-stream_ssl_module \
       --with-stream_ssl_preread_module \
       --with-stream_realip_module \
       --with-stream_geoip_module=dynamic \
       --with-http_slice_module \
       --with-mail \
       --with-mail_ssl_module \
       --with-compat \
       --with-file-aio \
       --with-http_v2_module \
       --add-module=/tmp/src/nginx-auth-ldap-master \
  && make -j$(getconf _NPROCESSORS_ONLN) \
  && make install \
  && mkdir -vp /etc/nginx/conf.d/ /usr/share/nginx/html/ \
  && install -m644 html/index.html /usr/share/nginx/html/ \
  && install -m644 html/50x.html /usr/share/nginx/html/ \
  && ln -sf /dev/stdout /var/log/nginx/access.log \
  && ln -sf /dev/stderr /var/log/nginx/error.log \
  && apk add --no-cache --virtual .gettext gettext \
  && mv /usr/bin/envsubst /tmp/ \
  && runDeps="$(scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' | sort -u | xargs -r apk info --installed | sort -u)" \
  && apk add --no-cache --virtual .nginx-rundeps $runDeps \
  && apk del .build-deps \
  && apk del .gettext \
  && rm -fr /etc/nginx/*.default /tmp/* /var/tmp/* /var/cache/apk/*
 ---> Using cache
 ---> 3283f6c81d18
Step 7/10 : COPY start.sh /bin/
 ---> Using cache
 ---> c2204e898bb8
Step 8/10 : COPY nginx.conf /etc/nginx/
 ---> d99a904b384d
Removing intermediate container 5f086340c1e5
Step 9/10 : EXPOSE 8888
 ---> Running in 1b52b272eeda
 ---> 72825fcd8ea5
Removing intermediate container 1b52b272eeda
Step 10/10 : EXPOSE 8081
 ---> Running in fdce8ba84145
 ---> f4f3866e01b1
Removing intermediate container fdce8ba84145
Successfully built f4f3866e01b1
Change the image name in ldap-deployment.yaml under k8s-ldap to the one just built.
[root@k8s-master01 k8s-ldap]# kubectl create -f ldap-deployment.yaml
[root@k8s-master01 k8s-ldap]# kubectl get po,svc -n public-service | grep k8s-nginx
pod/k8s-nginx-ldap-5c5bf9595d-8pqw2   1/1     Running   0          4m
service/k8s-nginx-ldap   NodePort   10.100.70.192   <none>   8081:31486/TCP   14m
[root@k8s-master01 k8s-ldap]#
Open IP:NODEPORT in a browser.
Enter the account and password created earlier. Note that at this point the user has no permissions at all.
The official explanation is as follows:
It appears that all request headers are stripped by the proxy, so every request reaches the API server as the user system:serviceaccount:kube-system:kubernetes-dashboard.
7. Granting access
After k8s is installed, a clusterrole named view with cluster-wide read permission is created automatically. Bind this role to the user system:serviceaccount:kube-system:kubernetes-dashboard.
[root@k8s-master01 k8s-ldap]# kubectl create -f k8s-ldap-user-crb.yaml
clusterrolebinding.rbac.authorization.k8s.io/k8s-ldap-user created
Once the binding exists, refresh the dashboard: it now has read-only access (secrets and roles remain inaccessible).
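The binding described above, written out as an added example (this is not the repository's own k8s-ldap-user-crb.yaml, whose contents the post does not print; the binding name is taken from the kubectl output). The second document shows the narrower, namespace-scoped form that summary point 2 alludes to, using an assumed namespace name dev.

```yaml
# Added example. Grants the built-in "view" ClusterRole to the identity that
# every LDAP-authenticated request arrives as after the nginx proxy: the
# dashboard's own ServiceAccount. Because RBAC keys on that ServiceAccount,
# anything that can reach the dashboard Service gets this read access
# whether or not it passed the LDAP check, so the dashboard itself must stay
# reachable only through the proxy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-ldap-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
---
# Narrower alternative (namespace "dev" is an assumed name): a RoleBinding
# limits the same identity to one namespace. Since the proxy collapses all
# LDAP users into this single ServiceAccount, the limit applies to every
# LDAP user alike; per-user scoping is not possible with this setup.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k8s-ldap-user-dev-view
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
```

To confirm the effective permissions, `kubectl auth can-i list pods --as=system:serviceaccount:kube-system:kubernetes-dashboard` should answer yes after the ClusterRoleBinding is applied, while the same query for `get secrets` should answer no.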
8. Summary
1) Compared with k8s, the container cloud's permission control is more complete: it authenticates individual users and can give different users different permissions, whereas here every k8s user is collapsed into the single kubernetes-dashboard user. This may also be a mistake in my configuration and needs to be confirmed later.
2) Users in openLDAP could be restricted to certain namespaces, but the permissions have to be defined by hand.
3) The company has no need to give non-ops staff access to k8s.
References:
https://github.com/osixia/
https://icicimov.github.io/blog/virtualization/Kubernetes-LDAP-Authentication/
https://github.com/nginxinc/nginx-ldap-auth.git