本文将详细介绍如何利用Keycloak配置Kubernetes登录验证,以及RBAC管理。
本文全部为测试环境工具。
流程示意
配置Keycloak
安装配置
生产环境不建议使用docker直接部署Keycloak。如果使用nginx需要将PROXY_ADDRESS_FORWARDING配置成true.
sudo docker run -e KEYCLOAK_USER=wanglei -e KEYCLOAK_PASSWORD=your_password -e PROXY_ADDRESS_FORWARDING=true -p 8081:8080 -d jboss/keycloak
配置nginx
将server_name配置成你的域名,代理Keycloak端口,注意上面PROXY_ADDRESS_FORWARDING=true
server {
listen 80;
server_name key.wanglei.me;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://localhost:8081;
}
}
在Clients中创建kubernetes
设置Client ID为kubernetes,Client Protocol选择openid-connect即OIDC协议。
设置Client
将Access Type设置为confidential, Valid Redirect URIs根据需要设置,本文后面用到kubelogin,需要设置为http://localhost:8000
记录Client Secret
在Credentials中找到Secret,后面需要用到。
新建Mapper
选择Mapper Type为User Attribute,选择Claim JSON Type为String,下面开关一律选on(可根据需求更改)。此处Token Claim Name字段设置为groups,后面配置kube-apiserver会用到。
为User添加Attribute
添加key groups, value admin,然后点击add,再save。
配置kubernetes
此处使用kind(kubernetes in docker) https://github.com/kubernetes-sigs/kind#installation-and-usage 为例。
安装kind(mac 为例)
brew install kind
配置kube-apiserver
config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
metadata:
name: config
apiServer:
extraArgs:
oidc-issuer-url: "https://key.wanglei.me/auth/realms/master"
oidc-client-id: "kubernetes"
oidc-username-claim: "preferred_username"
oidc-username-prefix: "-"
oidc-groups-claim: "groups"
创建本地kubernetes集群。
kind create cluster --config=./config.yaml
查看apiserver log
kubectl logs -n kube-system --tail=10 -f kube-apiserver-kind-control-plane
配置RBAC
RBAC介绍https://kubernetes.io/docs/reference/access-authn-authz/rbac/
创建一个ClusterRoleBinding, 文中使用系统自带的cluster-admin为例,也可以创建符合要求的role。
创建cluster-role-binding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: keycloak-admin-group
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: Group
name: admin
apiGroup: rbac.authorization.k8s.io
kubectl apply
kubectl apply -f cluster-role-binding.yaml
配置kubeconfig
安装kubelogin,https://github.com/int128/kubelogin
brew install int128/kubelogin/kubelogin
kubelogin示意图
编辑 ~/.kube/config,里面为kind生成的配置,添加一个名为oidc的user,并配置到kind-kind的context
apiVersion: v1
clusters:
- cluster:
insecure-skip-tls-verify: true
server: https://localhost:6443
name: docker-for-desktop-cluster
- cluster:
certificate-authority-data: ...
server: https://127.0.0.1:32773
name: kind-kind
contexts:
- context:
cluster: docker-for-desktop-cluster
user: docker-for-desktop
name: docker-for-desktop
- context:
cluster: kind-kind
user: oidc
name: kind-kind
current-context: kind-kind
kind: Config
preferences: {}
users:
- name: docker-for-desktop
user:
client-certificate-data: ...
client-key-data: ...
- name: kind-kind
user:
client-certificate-data: ...
client-key-data: ...
- name: oidc
user:
auth-provider:
config:
client-id: kubernetes
client-secret: your-secret
idp-issuer-url: https://key.wanglei.me/auth/realms/master
name: oidc
运行kubelogin,出现如下提示即登录成功。
试一下
此时再看~/.kube/config,可以看到多了两行id-token和refresh-token
- name: oidc
user:
auth-provider:
config:
client-id: kubernetes
client-secret: 50cc10ed-1859-4042-9305-c913470ac6e2
id-token: ...
idp-issuer-url: https://key.wanglei.me/auth/realms/master
refresh-token: ...
name: oidc
其中id-token可以解析为如下json
同理,如需要多种权限验证皆可以通过RBAC和Keycloak很好的实现。
参考:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
https://octopus.com/blog/kubernetes-oauth
https://kind.sigs.k8s.io/docs/user/quick-start/#enable-feature-gates-in-your-cluster
https://github.com/int128/kubelogin/blob/master/docs/setup.md#keycloak
https://blog.hdls.me/15647317755993.html
