• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    公众号

ObjectifLibre/k8s-ldap: Kubernetes - LDAP authentication with Dex

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

ObjectifLibre/k8s-ldap

开源软件地址(OpenSource Url):

https://github.com/ObjectifLibre/k8s-ldap

开源编程语言(OpenSource Language):


开源软件介绍(OpenSource Introduction):

Kubernetes - LDAP authentication with Dex

Docs

This deployment follows Dex by CoreOS & Kubernetes Documentations:

Requirements

  • DNS entries:

    • dex.k8s.example.com --> Dex OIDC provider
    • login.k8s.example.com --> Custom Login Application
  • Kubernetes cluster available with the following requirements:

    • RBAC enabled
    • OIDC authentication enabled. API server configuration:
      • --oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint
      • --oidc-client-id=loginapp: ID for our Login Application
      • --oidc-ca-file=/etc/kubernetes/ssl/letsencrypt.pem: Letsencrypt CA file because we will use automatic certificate requests.
      • --oidc-username-claim=name: Map to nameAttr Dex configuration. This will be used by Kubernetes RBAC to authorize users based on their name.
      • oidc-groups-claim=groups: This will be used by Kubernetes RBAC to authorize users based on their groups.
    • Ingress Controller available.
    • Automatic certificate requests for Kubernetes (ex: https://github.com/jetstack/cert-manager)
  • An available LDAP server

Helm chart

Helm chart is available here.

Login application

  • Create the auth namespace:
kubectl create ns auth
  • Create resources:
# CA (letsencrypt) configmap
kubectl create -f ca-cm.yml
# Login App configuration
kubectl create -f loginapp-cm.yml
# Login App Ingress and SVC
kubectl create -f loginapp-ing-svc.yml
# Login App Deployment
kubectl create -f loginapp-deploy.yml

It should fail because Dex is not deployed.

Dex

CRD

We will use Kubernetes Custom Resource Definitions (https://kubernetes.io/docs/concepts/api-extension/custom-resources/) as Dex storage backend.

kubectl create -f dex-crd.yml

Deployment

  • Create Dex resources:
# Dex configuration
kubectl create -f dex-cm.yml
# Dex ingress and service
kubectl create -f dex-ing-svc.yml
# Dex deployment
kubectl create -f dex-deploy.yml

Now it should work: try https://login.k8s.example.org, login and retrieve k8s configuration.

kubectl --token=token get pods -n auth
Error from server (Forbidden): pods is forbidden: User "<oidc-issuer-url>#<name>" cannot list pods in the namespace "auth"

User prefix can be updated with the --oidc-username-prefix apiserver option.

  • Create ClusterRoleBinding resource:
kubectl create -f crb-all-auth.yml

Try again:

kubectl --token=$token get po
NAME                        READY     STATUS    RESTARTS   AGE
dex-6f6568d499-m89z6        1/1       Running   0          7m
loginapp-6474748f4b-gb5kb   1/1       Running   0          8m
loginapp-6474748f4b-prq25   1/1       Running   0          8m
loginapp-6474748f4b-vnvnb   1/1       Running   0          8m



鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
热门推荐
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap