kubernetes對接第三方認證

廣告： 安裝包地址

原文地址

概述

本文介紹如何使用github賬戶去關聯自己kubernetes賬戶。達到如下效果：

使用github用戶email作為kubernetes用戶，如fhtjob@hotmail.com

創建對應的clusterrole綁定給fhtjob@hotmail.com這個用戶

給fhtjob@hotmail這個用戶創建一個kubeconfig文件，讓改用戶可以使用kubectl命令操作集群，且只有部分權限

dex介紹

dex 是一個統一認證的服務，支持各種認證協議如Ouath2 ldap等，自己可以作為一個identity provider,也可以連到別的id provider(如github)上,dex作為一個中間代理.

流程

http://47.52.197.163:5555 http://47.52.197.163:32000人(瀏覽器） dex client dex server github kubectl kubernetes server| login(scope) | | | | ||------1-------->| | | | || |----------2------------->| | | || | |----------3----------->| | || | | id_token | | || | |<---------4------------| callback | || id_token |<----------5-------------|callback | | ||<-------6-------| | | | || | | | id_token | ||------------------------------------------------7-------------------------------------------->| id_token || | | | |----------8------------>|| | | | | | valid? | | | | | | expired?| | | | | | user Authorized?| | | | |<---------9-------------|X<----------------------------------------------10---------------------------------------------| || | | | | || | | | | || | | | | |

• scope: 你需要哪些信息，如郵箱,openid,用戶名等
• id_token: 加密后的你需要的信息
• dex client: dex的客戶端，比如可以是我們自己寫的管理的服務端，會去調用第三方登錄的流程，或者我們寫的一個網站后臺處理登錄的邏輯
• dex server: dex的服務端，一邊作為client的服務端，另一邊其實是github的客戶端

用戶在瀏覽器發起登錄請求

dexclient把請求重定向給dexserver

dexserver重定向給github，這時用戶就會跳轉到github的頁面去授權允許訪問哪些信息

github把對應信息加密調用dexserver的回調url(http://47.52.197.163:32000/callback)把信息傳給dex server, 注意區分dex client的回調

dexserver把信息回調給dex client(http://47.52.197.163:5555/callback)

瀏覽器中拿到token

把token加到kubeconfig文件中，讓kubectl可以使用

kubectl把token傳給kubernetes server, server有 dex server的公鑰可以解析token，拿到username, 看是否過期，看授權是否允許執行該動作

把執行結果返回給kubectl

環境介紹與注意事項

• 采用云服務器進行該實驗，Floatingip是47.52.197.163
• 你需要有一個github賬戶，我的是github.com/fanux 把email(fhtjob@hotmail.com)作為kubernetes賬戶
• 服務器上要裝golang
• 官方教程有很多坑，建議看我的教程
• 需要有個k8s集群，那么我最推薦的安裝方式當然是購買我的安裝包哈哈

安裝

修改kube apiserver配置

[root@master2 ~]# cat /etc/kubernetes/manifests/kube-apiserver.yaml apiVersion: v1 kind: Pod metadata:annotations:scheduler.alpha.kubernetes.io/critical-pod: ""creationTimestamp: nulllabels:component: kube-apiservertier: control-planename: kube-apiservernamespace: kube-system spec:containers:- command:- kube-apiserver- --oidc-issuer-url=https://47.52.197.163:32000 # 加上這五個參數- --oidc-client-id=example-app- --oidc-ca-file=/etc/kubernetes/ssl/ca.pem # dex證書，掛載進來的- --oidc-username-claim=email- --oidc-groups-claim=groups...- mountPath: /etc/kubernetes/ssl # 把dex的證書掛進去給apiserver使用name: dexreadOnly: truevolumes:- hostPath:path: /etc/kubernetes/ssltype: DirectoryOrCreatename: dex

用kubeadm安裝的修改/etc/kubernetes/manifests/kube-apiserver.yaml這個文件即可，建議不要直接修改，拷貝出來修改再復制回去，防止kubelet去拉swap文件導致controller manager異常

創建github app

點你github頭像，settings->developer settins -> new oauth app

Application name: example-app
Homepage URL：https://47.52.197.163:32000
Authorization callback URL: https://47.52.197.163:32000/callback

URL千萬別填錯，注意是dex server的URL而不是dex client的5555

然后你就能看到一個ID一個secrect 后面需要用

部署dex

沒裝go的自己去裝。。。

go get github.com/coreos/dex cd $GOPATH/src/github.com/coreos/dex

生成證書
gencert.sh需要改一下，把我們IP加進去

[alt_names] DNS.1 = dex.example.com IP.1 = 47.52.197.163 IP.2 = 172.31.244.238 $ cd examples/k8s $ ./gencert.sh $ cp examples/k8s/ssl /etc/kubernetes # 可曾記得我們掛載的目錄

創建secrect,這個會給dex server用

$ kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem

再創建一個secrect給dex server Github OAuth2 客戶端用，dex server是github的一個客戶端要理解

$ kubectl create secret \generic github-client \--from-literal=client-id=$GITHUB_CLIENT_ID \ # 這倆東西替換成在github頁面上創建的APP clientid和secrect--from-literal=client-secret=$GITHUB_CLIENT_SECRET

啟動dex.yaml，注意代碼里直接clone下來的沒有配置存儲，而且鏡像比較老，建議用我的：

apiVersion: extensions/v1beta1 kind: Deployment metadata:labels:app: dexname: dex spec:replicas: 1template:metadata:labels:app: dexspec:containers:- image: quay.io/coreos/dex:v2.10.0name: dexcommand: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]ports:- name: httpscontainerPort: 5556volumeMounts:- name: configmountPath: /etc/dex/cfg- name: datamountPath: /etc/example- name: tlsmountPath: /etc/dex/tlsenv:- name: GITHUB_CLIENT_IDvalueFrom:secretKeyRef:name: github-clientkey: client-id- name: GITHUB_CLIENT_SECRETvalueFrom:secretKeyRef:name: github-clientkey: client-secretvolumes:- name: datahostPath:path: /data/example- name: configconfigMap:name: dexitems:- key: config.yamlpath: config.yaml- name: tlssecret:secretName: dex.example.com.tls --- kind: ConfigMap apiVersion: v1 metadata:name: dex data:config.yaml: |issuer: https://47.52.197.163:32000storage:type: sqlite3config:file: /etc/example/dex.dbweb:https: 0.0.0.0:5556tlsCert: /etc/dex/tls/tls.crttlsKey: /etc/dex/tls/tls.keyconnectors:- type: githubid: githubname: GitHubconfig:clientID: $GITHUB_CLIENT_IDclientSecret: $GITHUB_CLIENT_SECRETredirectURI: https://47.52.197.163:32000/callbackorg: kubernetesoauth2:skipApprovalScreen: truestaticClients:- id: example-appredirectURIs:- 'http://47.52.197.163:5555/callback'name: 'Example App'secret: ZXhhbXBsZS1hcHAtc2VjcmV0enablePasswordDB: truestaticPasswords:- email: "admin@example.com"# bcrypt hash of the string "password"hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"username: "admin"userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" --- apiVersion: v1 kind: Service metadata:name: dex spec:type: NodePortports:- name: dexport: 5556protocol: TCPtargetPort: 5556nodePort: 32000selector:app: dex

主要修改了：

• 鏡像
• 一些地址，改成自己的IP
• 存儲，我改成了sqlite, 需要掛載一個文件進去，在宿主機上創建一個文件

$ touch /data/example/dex.db $ kubectl create -f dex.yaml

啟動dex client

編譯客戶端dex目錄下：

make

啟動客戶端：

$ ./bin/example-app --issuer https://47.52.197.163:32000 --issuer-root-ca examples/k8s/ssl/ca.pem --redirect-uri http://47.52.197.163:5555/callback

瀏覽器訪問獲取token

瀏覽器訪問 http://47.52.197.163:5555 ,點擊login后能看到 Log in to dex 下面可以選 log in with Email 和 log in with github
點擊log in with github 授權后得到：

Token:eyJhbGciOiJSUzI1NiIsImtpZCI6ImMyZWIzYzkwMmM0NDliMTYwMGNjNzNhMWYyNWVjMjI0MDY4NmE0OGMifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTI0MDIwNzA3LCJpYXQiOjE1MjM5MzQzMDcsImF0X2hhc2giOiI5czJob0lzUHRlMW9nc3VKemRab1pnIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.uJAL08BZioSWPaEFh8R50JQVRw6QXgC1n3sn5ovzaoauy51YFjdSh08UZT8KQon8R5JdZ4U06BczwmOG_tT0mWVd_mDqLnRm6lGpm9znYiC1OLNGZOdzuQVsuxe4Lk1YOvxTsJQtpYuOcXXKkwmdfWNeh4VyZoALiVZxLfL44lSnU55JutLNnGD5S6Aiu6YF0xwlcX5Eq1j2pYtg4isnPtU4k6gbiEYCMPm0Gs3FPljnLT7a-TB1tjZLc4RDwBZ4OoiYRu5mAmH5SHHq1_TS9wDTXX16KlQTG9tS_I11n--1grYTz5WondBoM14BJebDdcSF7nRWJ-I8CU_UYu6gcA Claims:{"iss": "https://47.52.197.163:32000","sub": "Cgc4OTEyNTU3EgZnaXRodWI","aud": "example-app","exp": 1524020707,"iat": 1523934307,"at_hash": "9s2hoIsPte1ogsuJzdZoZg","email": "fhtjob@hotmail.com","email_verified": true,"name": "steven" } Refresh Token:Chlrem12bDdmdGJ1dWNlYnk0b2llcWd0YzNqEhloNGhwbmlsZnByZ29mdWdsdWZ6bGp4cHhs

那么 恭喜你成功了, 這個token就是我們要的東西

驗證tocken

curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g" -k https://172.31.244.238:6443/api/v1/namespaces/default/pods

你會發現

{"kind": "Status","apiVersion": "v1","metadata": {},"status": "Failure","message": "pods is forbidden: User \"fhtjob@hotmail.com\" cannot list pods in the namespace \"default\"","reason": "Forbidden","details": {"kind": "pods"},"code": 403 }

fhtjob@hotmail.com這個用戶沒有權限訪問pods。我們給他創建一個角色綁定：

[root@master2 dex]# cat examples/k8s/role.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata:name: read-secrets-global subjects: - kind: Username: "fhtjob@hotmail.com" # Name is case sensitiveapiGroup: rbac.authorization.k8s.io roleRef:kind: ClusterRolename: cluster-admin # 超級用戶給他apiGroup: rbac.authorization.k8s.io $ kubectl create -f examples/k8s/role.yaml

再次curl:

ot@master2 dex]# curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g" -k https://172.31.244.238:6443/api/v1/namespaces/default/pods {"kind": "PodList","apiVersion": "v1","metadata": {"selfLink": "/api/v1/namespaces/default/pods","resourceVersion": "333066"},"items": [{"metadata": {"name": "dex-578588c896-rsp9w","generateName": "dex-578588c896-","namespace": "default","selfLink": "/api/v1/namespaces/default/pods/dex-578588c896-rsp9w",

成功

把tocken加入到證書中

最簡單的方式：

[root@master2 dex]# cat ~/.kube/config apiVersion: v1 clusters: - cluster:certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNE1ETXlOekV6TURNMU9Gb1hEVEk0TURNeU5ERXpNRE0xT0Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTnl1CldVdWQxNEJjcFgvbU4xQ3dtUnZzRDJyVFF5aGdOQ3FDTGQ5M2VVVzRqbHJCQ0pCUGkzcE9mOXNTVFJELzV3V0YKUUpzOTE5eVZuRmdOOXBHVVRHbjVieHVtNzgrS3lvY20xTnJ3Z1kxUUpnWlZxVUZhQ1I5VDJ1RThBM1lyKzdITAovS3FHMEZ3S05UV0w3Zy85VFAzdmpQMW5XR3NTTElmVHAxMjNaK0lxZHJaQlI0NUZDQzBOQzU4cmxEYUErVFdOCjRVQ2xJalBKRHJuV2M1Z2E4a3NVYXN4UkQ5clR2dm5iOG05V2NEYnhXdEViTlJyS0R6cUp5K00wT1BacDdIY1QKWkhHUnlXTVR3WVhRVGlmWFhxVTY1U2VkdEdjT3ZsOHl0ck1UZndCRkh2Y1NWQW9sNytYUnNicSs4bDRKc0M5OApPN0tOODAxT0dvaUFyWWNFYjRjQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLcFpoN0t5ZzRLM0dyK0NZRzdwbVlXUGR1eFUKMXcrY1BPZ053OE83MHNFWE5lbnFMbEZVdThtYjMxQTZ4RHZKWHZ4OXNiQ0o5YzdDeDFiaVNNYnFrWlBHRGs4UgpZSm5wZlB4WXBUWlBISmFkK1ZCb2tVY0J3QlluTTB1SXFzZGhvbHhPelVBUU9UbVo5M3UzSi9MeUNob3IwSmlJCm1uQ1hlaHlDaTZ1YTVvTldXNmVNWnlaRWxzRnpXcnlGdHkyNGRKVWkvQkd0SjR2ZStlRmtLTE9VTXpnMjBBU3YKZU1ldkdUL1FibWd1YXZhT1RCdjVDYW05RElSNEZSd2YvV2hwdHpMTVdCVFJXb2ROOUhkcE1tRDhxUmU1YnVWNgpiZ245VFgzejBncUhGMzFQZlBjcTJWRFRJWnJZK084MTBwOTQrbTA5YmxrcTQzSDdXQmhGTmdvditzUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=server: https://172.31.244.238:6443name: kubernetes contexts: - context:cluster: kubernetesuser: kubernetes-adminname: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-adminuser:token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTY3NDQzLCJpYXQiOjE1MjM4ODEwNDMsImF0X2hhc2giOiJMUzNKUVpiWDVuVnBuam5zSU5nNGZnIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.KjKSkqqX1I21rkqF4t39x8YmEFx2yPlQSMFInVeAp4lCRACljMvTY07GSWycEez0SarPtO80dTqcM4buz7WMVPMRuSqg-HuCPB3DjzD4M84OiHZSFB_5xOJIUqP0dWLAuPTalu2T-le4Gp0gPXc863YfLEMzRm8cxbvdASwQrTZ5oKgoRVznDREW3NIgEONUU9A64bBeWi5xH1eyCbvh4l3Q-ZfkYG4A4w46FwAmfL4ClxCBiIkpZWhKv5GcN8bg7-msaNlvlejpvbSuVWpt5CLJzpCXHh1AqCUBkXzp8ObSGGIw1BfkVFnyH26bpho2kAzxbGtdwNx4TdGlu_XYlw

注意把user那的client-certificate-data client-key-data 刪掉，加上token, 我這直接在/etc/kubernetes/admin.conf上修改的，也可以重新生成配置文件：

kubectl config set-credentials fanux \ --client-certificate=/etc/kubernetes/pki/ca.crt \ --client-key=/etc/kubernetes/pki/ca.key \ --token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjOTU0NjdlM2I0OTE5YWE1OTEzZDNkMDU3NGM2ZTRjYjBjY2NhNzgifQ.eyJpc3MiOiJodHRwczovLzQ3LjUyLjE5Ny4xNjM6MzIwMDAiLCJzdWIiOiJDZ2M0T1RFeU5UVTNFZ1puYVhSb2RXSSIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNTIzOTYyNjUyLCJpYXQiOjE1MjM4NzYyNTIsImF0X2hhc2giOiJFUXRWWm5ObE50c2hhWERfZ3N2UkNBIiwiZW1haWwiOiJmaHRqb2JAaG90bWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InN0ZXZlbiJ9.vu0keGMoRGg6OAYpMZNN9zm4pnKXGyXDkZaRNj6MXDY9XsfnBDT4HnXkY17Lvm1ow0xPbq9cgVL3JBZT73jiddgFNAIXJffHfPejlVRSqXx9iF1uEcNIc5tDA1hUPtBrX8n_rzdz0sZsPMb4ZYMx3AdEylszpVrS_OelbB4I_2eLfO0KzwcEknOgV8cZZghCCITl6ZTOeeWEv5FPvJjRC2rpu_MkSY5tAf30SITwldFUMgF8ei3aPrZdojPLgqUWtxKaDmPpcHVLhYr0sLE_BnDZLjGP4ff8l5yy_EfDc7sQsrJR7StwZXRnK-n2omqaV3z-n5IxaUty85e_97FA1g \ --embed-certs=true \ --kubeconfig=fanux.configkubectl config set-context kubernetes \ --cluster=kubernetes \ --user=fanux \ --namespace=default \ --kubeconfig=fanux.configkubectl config use-context kubernetes --kubeconfig=fanux.configkubectl config set-cluster kubernetes --server=https://172.31.244.238:6443 --certificate-authority=/etc/kubernetes/pki/ca.key --kubeconfig=fanux.config

驗證：

$ kubectl get pod #正常

刪除角色綁定再執行get pod

[root@master2 dex]# kubectl delete -f examples/k8s/role.yaml clusterrolebinding.rbac.authorization.k8s.io "read-secrets-global" deleted [root@master2 dex]# kubectl get pod Error from server (Forbidden): pods is forbidden: User "fhtjob@hotmail.com" cannot list pods in the namespace "default"

已經無權限了。
至于給用戶分配更細的權限，比較簡單，讀者門自己倒持去吧

總結

以上是生活随笔為你收集整理的kubernetes认证，对接第三方认证系统，对接github认证的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。