Just as an administrator creates separate users for applications after installing a Linux operating system, a K8S/OKD/OpenShift cluster needs the same, and in an OKD/OpenShift cluster we can integrate the OpenLDAP directory service for this; the method is shown below.

This post installs OpenLDAP with Helm. First clone the charts so they can be inspected:

git clone https://github.com/helm/charts
Optional: the image can first be pushed to a private registry (note: in testing I found the latest image to be broken):

docker pull osixia/openldap:1.2.1
docker tag docker.io/osixia/openldap:1.2.1 okd-lr.zyl.io:5001/osixia/openldap:1.2.1
docker push okd-lr.zyl.io:5001/osixia/openldap:1.2.1
The image runs as root (switching users with gosu), so grant the required SCC:

oc new-project auth-openshift
oc adm policy add-scc-to-user anyuid -z default
Customize the OpenLDAP chart parameters:

cd charts/stable/openldap
cp values.yaml values_cs.yaml
vi values_cs.yaml
...
env:
  # LDAP will create the domain dc=zyl,dc=io; the organisation name is Zyl Inc.
  LDAP_ORGANISATION: "Zyl Inc."
  LDAP_DOMAIN: "zyl.io"
...
# Passwords for the LDAP domain administrator (cn=admin,dc=zyl,dc=io) and the config administrator (cn=admin,cn=config)
adminPassword: admin
configPassword: config
# Persistent storage; this example uses an existing GlusterFS storage system, which supports dynamic provisioning.
persistence:
  enabled: true
  storageClass: "glusterfs-app"
  accessMode: ReadWriteOnce
  size: 8Gi
Run the helm command to install:

helm install --name openldap -f values_cs.yaml .
Once LDAP has started, the domain dc=zyl,dc=io and the hdb administrator account cn=admin,dc=zyl,dc=io have been created. Create the user and group entries under this domain as shown below:

% oc rsh deploy/openldap
% cat > users.ldif <<EOF
dn: ou=People,dc=zyl,dc=io
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=zyl,dc=io
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: uid=zyl,ou=People,dc=zyl,dc=io
uid: zyl
cn: zyl
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: changeme
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/zyl

dn: uid=admin,ou=People,dc=zyl,dc=io
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: changeme
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/admin

dn: cn=zyl,ou=Group,dc=zyl,dc=io
cn: zyl
objectClass: top
objectClass: posixGroup
gidNumber: 5000
memberUid: zyl

dn: cn=admin,ou=Group,dc=zyl,dc=io
cn: admin
objectClass: top
objectClass: posixGroup
gidNumber: 5001
memberUid: admin

dn: cn=openshift_user,ou=Group,dc=zyl,dc=io
cn: openshift_user
objectClass: top
objectClass: posixGroup
gidNumber: 6000
memberUid: zyl

dn: cn=openshift_admin,ou=Group,dc=zyl,dc=io
cn: openshift_admin
objectClass: top
objectClass: posixGroup
gidNumber: 6001
memberUid: admin
EOF
% ldapadd -x -w $LDAP_ADMIN_PASSWORD -D "cn=admin,dc=zyl,dc=io" -H ldapi:/// -f users.ldif
% ldapsearch -x -D "cn=admin,dc=zyl,dc=io" -w $LDAP_ADMIN_PASSWORD \
    -b dc=zyl,dc=io
# The config administrator can be used to inspect the LDAP config database
% ldapsearch -x -D "cn=admin,cn=config" -w $LDAP_CONFIG_PASSWORD \
    -b cn=config "olcDatabase=config"
If openshift_master_identity_providers was not configured when OKD was first installed, OKD falls back to the authentication below, which allows any user to log in to the cluster:

% vi /etc/origin/master/master-config.yaml
...
oauthConfig:
  ...
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
...
Delete the following block from the configuration of every Master:

  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
Replace it with the following block:

  - challenge: true
    login: true
    mappingMethod: claim
    name: ldap_auth
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: cn=admin,dc=zyl,dc=io
      bindPassword: admin
      insecure: true
      kind: LDAPPasswordIdentityProvider
      url: ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid
Note: if TLS is enabled (insecure: false), the OpenLDAP certificate must be supplied, for example by adding ca: my-ldap-ca.crt and copying the certificate to each Master at /etc/origin/master/my-ldap-ca.crt.

Add the following block to the Ansible inventory file OSEv3.yaml so that the change is not reverted during an upgrade:

##### Auth
openshift_master_identity_providers:
- name: ldap_auth
  challenge: true
  login: true
  kind: LDAPPasswordIdentityProvider
  bindDN: cn=admin,dc=zyl,dc=io
  bindPassword: admin
  url: ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid
  attributes:
    id: ['dn']
    email: ['mail']
    name: ['cn']
    preferredUsername: ['uid']
  insecure: true
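As an added example (not code from the original post), the Python below parses the url line of the identity provider above the way the LDAPPasswordIdentityProvider documentation describes it (base DN, then ?attribute?scope?filter, with the documented defaults uid, sub and (objectClass=*)) and builds the per-login search filter, escaping the login name per RFC 4515. The filter form and all function names are this example's own, written to show what the provider looks up under ou=People before binding as the matched entry.

```python
from urllib.parse import urlsplit, unquote

# The url value from the identity provider configuration above (copied from the page).
IDP_URL = "ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid"


def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL (ldap://host:port/baseDN?attribute?scope?filter)
    into its parts, applying the defaults the identity provider documents for
    omitted fields: attribute uid, scope sub, filter (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    # urlsplit stops at the first '?', so the remaining '?'-separated LDAP
    # fields (attribute, scope, filter) all end up inside parts.query.
    fields = parts.query.split("?") if parts.query else []

    def field(i, default):
        return fields[i] if len(fields) > i and fields[i] else default

    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": field(0, "uid"),
        "scope": field(1, "sub"),
        "filter": field(2, "(objectClass=*)"),
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so that a
    login name containing *, ( or ) is matched literally, not as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def login_search_filter(url, username):
    """The search run under base_dn for a login attempt: the configured filter
    ANDed with attribute=username (the form this example uses)."""
    p = parse_ldap_url(url)
    return "(&%s(%s=%s))" % (p["filter"], p["attribute"], escape_filter_value(username))


if __name__ == "__main__":
    print(parse_ldap_url(IDP_URL))
    print(login_search_filter(IDP_URL, "admin"))   # (&(objectClass=*)(uid=admin))
```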
Then restart the services on each Master node:

master-restart api
master-restart controllers
oc get pod -n kube-system
master-logs api api                    # view the logs
master-logs controllers controllers
Create the following file:

cat > rfc2307_config_user_defined.yaml <<EOF
---
kind: LDAPSyncConfig
apiVersion: v1
bindDN: cn=admin,dc=zyl,dc=io
bindPassword: admin
insecure: true
url: ldap://openldap.auth-openshift.svc.cluster.local
groupUIDNameMapping:
  "cn=openshift_admin,ou=Group,dc=zyl,dc=io": openshift_admin
  "cn=openshift_user,ou=Group,dc=zyl,dc=io": openshift_user
rfc2307:
  groupsQuery:
    baseDN: "ou=Group,dc=zyl,dc=io"
    scope: sub
    derefAliases: never
    filter: (objectClass=posixGroup)
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  groupMembershipAttributes: [ memberUid ]
  usersQuery:
    baseDN: "ou=People,dc=zyl,dc=io"
    scope: sub
    derefAliases: never
    filter: (objectClass=posixAccount)
  userUIDAttribute: uid
  userNameAttributes: [ cn ]
EOF
Run the following command to synchronize the groups:

% oc adm groups sync --sync-config=rfc2307_config_user_defined.yaml --confirm
group/zyl
group/admin
group/openshift_user
group/openshift_admin
openshift_admin serves as the administrator group and openshift_user as the regular user group; grant the roles:

oc adm policy add-cluster-role-to-group cluster-admin openshift_admin
oc adm policy add-cluster-role-to-group basic-user openshift_user
Log in as a user:

oc login -uadmin -pchangeme
After the user logs in, OKD creates its own User object and maps it to the LDAP identity:

% oc get groups
NAME              USERS
admin             admin
openshift_admin   admin
openshift_user    zyl
zyl               zyl
% oc get users
NAME    UID                                    FULL NAME   IDENTITIES
admin   3c4ae0bf-338c-11e9-b2f8-52540042814f   admin       ldap_auth:uid=admin,ou=People,dc=zyl,dc=io
% oc get identities
NAME                                         IDP NAME    IDP USER NAME                      USER NAME   USER UID
ldap_auth:uid=admin,ou=People,dc=zyl,dc=io   ldap_auth   uid=admin,ou=People,dc=zyl,dc=io   admin       3c4ae0bf-338c-11e9-b2f8-52540042814f