爲OKD/Openshift集羣配置OpenLDAP認證

時間 2019-11-15

標籤 okd openshift 集羣配置 openldap 認證欄目負載均衡简体版

原文原文鏈接

前言

如同Linux操做系統安裝完成後，管理員需爲應用建立不一樣的用戶，那麼，K8S/OKD/Openshift集羣一樣也需如此，而在OKD/Openshift集羣裏，咱們可集成OpenLDAP目錄系統，方法以下所示。git

OpenLDAP安裝

本文使用helm安裝openldap，首先將chars下載下來以方便查看：github

git clone https://github.com/helm/charts

可選。鏡像可先推送到私有倉庫（PS：測試發現latest鏡像有問題）：docker

docker pull osixia/openldap:1.2.1
docker tag docker.io/osixia/openldap:1.2.1 okd-lr.zyl.io:5001/osixia/openldap:1.2.1
docker push okd-lr.zyl.io:5001/osixia/openldap:1.2.1

鏡像以root用戶運行（gosudo切換），賦權：shell

oc new-project auth-openshift
oc adm policy add-scc-to-user anyuid -z default

對openldap char參數作定製：api

cd charts/stable/openldap
cp values.yaml values_cs.yaml
vi values_cs.yaml
...

env:
  # LDAP將建立dc=zyl,dc=io域，組織名稱爲Zyl Inc.
  LDAP_ORGANISATION: "Zyl Inc."
  LDAP_DOMAIN: "zyl.io"
...

# Ldap域管理員(cn=admin,dc=zyl,dc=io）及config管理員（cn=admin,cn=config）密碼
adminPassword: admin
configPassword: config

# 持久化存儲，本例使用已建立好的glusterfs存儲系統，其支持動態提供。
persistence:
  enabled: true
  storageClass: "glusterfs-app"
  accessMode: ReadWriteOnce
  size: 8Gi

執行helm命令安裝：bash

helm install --name openldap -f values_cs.yaml .

Ldap啓動後，建立了域dc=zyl,dc=io及hdb管理員帳戶cn=admin,dc=zyl,dc=io。以下所示，在此域下建立用戶與組信息：app

% oc rsh deploy/openldap
% cat > users.ldif <<EOF
dn: ou=People,dc=zyl,dc=io
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=zyl,dc=io
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: uid=zyl,ou=People,dc=zyl,dc=io
uid: zyl
cn: zyl
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: changeme
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/zyl

dn: uid=admin,ou=People,dc=zyl,dc=io
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: changeme
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/admin

dn: cn=zyl,ou=Group,dc=zyl,dc=io
cn: zyl
objectClass: top
objectClass: posixGroup
gidNumber: 5000
memberUid: zyl

dn: cn=admin,ou=Group,dc=zyl,dc=io
cn: admin
objectClass: top
objectClass: posixGroup
gidNumber: 5001
memberUid: admin

dn: cn=openshift_user,ou=Group,dc=zyl,dc=io
cn: openshift_user
objectClass: top
objectClass: posixGroup
gidNumber: 6000
memberUid: zyl

dn: cn=openshift_admin,ou=Group,dc=zyl,dc=io
cn: openshift_admin
objectClass: top
objectClass: posixGroup
gidNumber: 6001
memberUid: admin
EOF
% ldapadd -x -w $LDAP_ADMIN_PASSWORD -D "cn=admin,dc=zyl,dc=io" -H ldapi:/// -f users.ldif
% ldapsearch -x -D "cn=admin,dc=zyl,dc=io" -w $LDAP_ADMIN_PASSWORD \
             -b dc=zyl,dc=io
# 可以使用config管理員檢查ldap config配置
% ldapsearch -x -D "cn=admin,cn=config" -w $LDAP_CONFIG_PASSWORD \
             -b cn=config "olcDatabase=config"

配置Master使用Ldap認證

OKD初始安裝時若未配置openshift_master_identity_providers，則OKD默認使用以下認證，此認證方式容許任何用戶登陸集羣。ide

% vi /etc/origin/master/master-config.yaml 
...
oauthConfig:
...
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
...

將全部Master配置的以下段刪除：測試

- challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider

替換爲以下段：ui

- challenge: true
    login: true
    mappingMethod: claim
    name: ldap_auth
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: cn=admin,dc=zyl,dc=io
      bindPassword: admin
      insecure: true
      kind: LDAPPasswordIdentityProvider
      url: ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid

注意：若啓用TLS，即insecure: false，則需提供OpenLDAP的證書，如添加ca: my-ldap-ca.crt，然後將證書拷貝到Master上：/etc/origin/master/my-ldap-ca.crt。

Ansible配置文件中的OSEv3.yaml加入如下段，避免升級時被還原回去。

##### Auth
openshift_master_identity_providers:
- name: ldap_auth
  challenge: true
  login: true
  kind: LDAPPasswordIdentityProvider
  bindDN: cn=admin,dc=zyl,dc=io
  bindPassword: admin
  url: ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid
  attributes:
    id: ['dn']
    email: ['mail']
    name: ['cn']
    preferredUsername: ['uid']
  insecure: true

然後分別重啓Master節點：

master-restart api
master-restart controllers
oc get pod -n kube-system  
master-logs api api                   # 查看日誌
master-logs controllers controllers

同步LDAP組信息到OKD上

建立以下文件：

cat > rfc2307_config_user_defined.yaml <<EOF
---
kind: LDAPSyncConfig
apiVersion: v1
bindDN: cn=admin,dc=zyl,dc=io
bindPassword: admin
insecure: true
url: ldap://openldap.auth-openshift.svc.cluster.local
groupUIDNameMapping:
  "cn=openshift_admin,ou=Group,dc=zyl,dc=cn": openshift_admin
  "cn=openshift_user,ou=Group,dc=zyl,dc=cn": openshift_user
rfc2307:
    groupsQuery:
        baseDN: "ou=Group,dc=zyl,dc=io"
        scope: sub
        derefAliases: never
        filter: (objectClass=posixGroup)
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ memberUid ] 
    usersQuery:
        baseDN: "ou=People,dc=zyl,dc=io"
        scope: sub
        derefAliases: never
        filter: (objectClass=posixAccount)
    userUIDAttribute: uid
    userNameAttributes: [ cn ]
EOF

執行以下命令同步：

% oc adm groups sync --sync-config=rfc2307_config_user_defined.yaml --confirm
group/zyl
group/admin
group/openshift_user
group/openshift_admin

openshift_admin做爲管理員組、openshift_user爲普通用戶組，賦權：

oc adm policy add-cluster-role-to-group cluster-admin openshift_admin
oc adm policy add-cluster-role-to-group basic-user openshift_user

登陸用戶：

oc login -uadmin -pchangeme

用戶登陸後，OKD會生成本身的用戶與LDAP對應：

% oc get groups
NAME              USERS
admin             admin
openshift_admin   admin
openshift_user    zyl
zyl               zyl                

% oc get users
NAME      UID                                    FULL NAME   IDENTITIES
admin     3c4ae0bf-338c-11e9-b2f8-52540042814f   admin       ldap_auth:uid=admin,ou=People,dc=zyl,dc=io

% oc get identities
NAME                                         IDP NAME    IDP USER NAME                      USER NAME   USER UID
ldap_auth:uid=admin,ou=People,dc=zyl,dc=io   ldap_auth   uid=admin,ou=People,dc=zyl,dc=io   admin       3c4ae0bf-338c-11e9-b2f8-52540042814f