Introduction
Just as an administrator creates separate users for applications after installing a Linux operating system, a K8S/OKD/OpenShift cluster needs the same. In an OKD/OpenShift cluster we can integrate the OpenLDAP directory service for this; the procedure is shown below.
Installing OpenLDAP
This article installs openldap with helm. First clone the charts repository so the chart can be inspected:
```shell
git clone https://github.com/helm/charts
```
Optional. The image can first be pushed to a private registry (PS: testing found the latest image to be broken, hence the pinned tag):
```shell
docker pull osixia/openldap:1.2.1
docker tag docker.io/osixia/openldap:1.2.1 okd-lr.zyl.io:5001/osixia/openldap:1.2.1
docker push okd-lr.zyl.io:5001/osixia/openldap:1.2.1
```
The image starts as root (and switches user with gosu), so grant the anyuid SCC to the project's default service account:
```shell
oc new-project auth-openshift
oc adm policy add-scc-to-user anyuid -z default
```
Customize the openldap chart parameters:
```shell
cd charts/stable/openldap
cp values.yaml values_cs.yaml
vi values_cs.yaml
```
```yaml
...
env:
  # LDAP will create the dc=zyl,dc=io domain; the organisation name is Zyl Inc.
  LDAP_ORGANISATION: "Zyl Inc."
  LDAP_DOMAIN: "zyl.io"
...
# Passwords for the LDAP domain admin (cn=admin,dc=zyl,dc=io) and the config admin (cn=admin,cn=config)
adminPassword: admin
configPassword: config
# Persistent storage; this example uses an existing glusterfs storage system that supports dynamic provisioning.
persistence:
  enabled: true
  storageClass: "glusterfs-app"
  accessMode: ReadWriteOnce
  size: 8Gi
```
Run the helm install:
```shell
helm install --name openldap -f values_cs.yaml .
```
Once LDAP is up, the domain dc=zyl,dc=io and the hdb admin account cn=admin,dc=zyl,dc=io have been created. Create the users and groups under this domain as shown below (each LDIF entry is separated from the next by a blank line, which ldapadd requires):
```shell
% oc rsh deploy/openldap
% cat > users.ldif <<EOF
dn: ou=People,dc=zyl,dc=io
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=zyl,dc=io
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: uid=zyl,ou=People,dc=zyl,dc=io
uid: zyl
cn: zyl
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: changeme
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/zyl

dn: uid=admin,ou=People,dc=zyl,dc=io
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: changeme
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/admin

dn: cn=zyl,ou=Group,dc=zyl,dc=io
cn: zyl
objectClass: top
objectClass: posixGroup
gidNumber: 5000
memberUid: zyl

dn: cn=admin,ou=Group,dc=zyl,dc=io
cn: admin
objectClass: top
objectClass: posixGroup
gidNumber: 5001
memberUid: admin

dn: cn=openshift_user,ou=Group,dc=zyl,dc=io
cn: openshift_user
objectClass: top
objectClass: posixGroup
gidNumber: 6000
memberUid: zyl

dn: cn=openshift_admin,ou=Group,dc=zyl,dc=io
cn: openshift_admin
objectClass: top
objectClass: posixGroup
gidNumber: 6001
memberUid: admin
EOF
% ldapadd -x -w $LDAP_ADMIN_PASSWORD -D "cn=admin,dc=zyl,dc=io" -H ldapi:/// -f users.ldif
% ldapsearch -x -D "cn=admin,dc=zyl,dc=io" -w $LDAP_ADMIN_PASSWORD \
    -b dc=zyl,dc=io
# The config admin can be used to inspect the LDAP config database
% ldapsearch -x -D "cn=admin,cn=config" -w $LDAP_CONFIG_PASSWORD \
    -b cn=config "olcDatabase=config"
```
Configuring the Master to authenticate against LDAP
If openshift_master_identity_providers was not set during the initial OKD installation, OKD falls back to the following identity provider, which lets any user log in to the cluster with any password:
```shell
% vi /etc/origin/master/master-config.yaml
```
```yaml
...
oauthConfig:
  ...
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
...
```
Delete the following block from the configuration of every Master:
```yaml
- challenge: true
  login: true
  mappingMethod: claim
  name: allow_all
  provider:
    apiVersion: v1
    kind: AllowAllPasswordIdentityProvider
```
and replace it with this block:
```yaml
- challenge: true
  login: true
  mappingMethod: claim
  name: ldap_auth
  provider:
    apiVersion: v1
    attributes:
      email:
      - mail
      id:
      - dn
      name:
      - cn
      preferredUsername:
      - uid
    bindDN: cn=admin,dc=zyl,dc=io
    bindPassword: admin
    insecure: true
    kind: LDAPPasswordIdentityProvider
    url: ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid
```
Note: if TLS is enabled (insecure: false), the OpenLDAP CA certificate must be supplied, for example by adding ca: my-ldap-ca.crt and copying the certificate to each Master as /etc/origin/master/my-ldap-ca.crt.
Add the following block to OSEv3.yaml in the Ansible inventory so that a later upgrade does not revert the change:
```yaml
##### Auth
openshift_master_identity_providers:
- name: ldap_auth
  challenge: true
  login: true
  kind: LDAPPasswordIdentityProvider
  bindDN: cn=admin,dc=zyl,dc=io
  bindPassword: admin
  url: ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid
  attributes:
    id: ['dn']
    email: ['mail']
    name: ['cn']
    preferredUsername: ['uid']
  insecure: true
```
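The provider url above follows the form ldap://host:port/basedn?attribute?scope?filter, with omitted parts defaulting to uid, sub and (objectClass=*). The following added example (not code from the post or from OKD) takes such a url apart and builds the lookup filter that results when a user logs in, escaping the supplied username per RFC 4515 so it cannot alter the filter; the filter shape (&filter(attribute=username)) is the one the OpenShift documentation describes.

```python
# Added example, not from the original post: how the LDAPPasswordIdentityProvider
# url (ldap://host:port/basedn?attribute?scope?filter) is taken apart and which
# search filter results when a user logs in, with the username escaped per RFC 4515.
from urllib.parse import urlsplit, unquote


def parse_idp_url(url):
    """Return host, port, base DN, login attribute, scope and filter from a provider url."""
    parts = urlsplit(url)
    # The query part is attribute?scope?filter; each field may be omitted.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, flt = (unquote(f) for f in fields[:3])
    return {
        "host": (parts.hostname or "").rstrip("."),  # a trailing dot marks an absolute DNS name
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",           # defaults as documented for OpenShift
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(url, username):
    """Filter sent at login: the configured filter ANDed with attribute=username."""
    cfg = parse_idp_url(url)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))
```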
Then restart the API and controllers on each Master node in turn:
```shell
master-restart api
master-restart controllers
oc get pod -n kube-system
master-logs api api # inspect the logs
master-logs controllers controllers
```
Syncing LDAP groups into OKD
Create the following file (the groupUIDNameMapping keys are full group DNs and must use the same suffix as groupsQuery.baseDN, dc=zyl,dc=io, or they will never match):
```shell
cat > rfc2307_config_user_defined.yaml <<EOF
---
kind: LDAPSyncConfig
apiVersion: v1
bindDN: cn=admin,dc=zyl,dc=io
bindPassword: admin
insecure: true
url: ldap://openldap.auth-openshift.svc.cluster.local
groupUIDNameMapping:
  "cn=openshift_admin,ou=Group,dc=zyl,dc=io": openshift_admin
  "cn=openshift_user,ou=Group,dc=zyl,dc=io": openshift_user
rfc2307:
  groupsQuery:
    baseDN: "ou=Group,dc=zyl,dc=io"
    scope: sub
    derefAliases: never
    filter: (objectClass=posixGroup)
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  groupMembershipAttributes: [ memberUid ]
  usersQuery:
    baseDN: "ou=People,dc=zyl,dc=io"
    scope: sub
    derefAliases: never
    filter: (objectClass=posixAccount)
  userUIDAttribute: uid
  userNameAttributes: [ cn ]
EOF
```
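A mapping key with a mistyped suffix is easy to miss because groupNameAttributes: [ cn ] still produces a sensibly named group. The added example below (not from the post or from OKD; the sync config is a constructed dict rather than a parsed YAML file) checks that every groupUIDNameMapping key sits under groupsQuery.baseDN when groupUIDAttribute is dn, and flags a bind over plain ldap:// with insecure: true.

```python
# Added example, not from the original post: sanity-check an LDAPSyncConfig (constructed dict).

def split_dn(dn):
    """Split a DN into (type, value) RDNs on unescaped commas, normalising case."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(cur)
            cur = ""
            continue
        escaped = (ch == "\\") and not escaped
        cur += ch
    rdns.append(cur)
    return [(a.strip().lower(), v.strip().lower())
            for a, _, v in (rdn.partition("=") for rdn in rdns)]

def dn_under_base(dn, base_dn):
    """True if dn equals or lies beneath base_dn (suffix match on normalised RDNs)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check_sync_config(cfg):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    rfc = cfg.get("rfc2307", {})
    base = rfc.get("groupsQuery", {}).get("baseDN", "")
    # With groupUIDAttribute: dn the mapping keys are DNs and must sit under
    # groupsQuery.baseDN, otherwise the mapping can never match a synced group.
    if rfc.get("groupUIDAttribute", "").lower() == "dn":
        for key in cfg.get("groupUIDNameMapping", {}):
            if not dn_under_base(key, base):
                problems.append("mapping key %r is outside groupsQuery.baseDN %r" % (key, base))
    # insecure: true with a plain ldap:// url means no TLS, so bindPassword travels in clear.
    if cfg.get("insecure") and cfg.get("url", "").startswith("ldap://"):
        problems.append("bindPassword is sent over an unencrypted ldap:// connection")
    return problems

# Constructed sample mirroring the sync config in this post, with one mistyped suffix (dc=cn).
SAMPLE = {
    "kind": "LDAPSyncConfig", "apiVersion": "v1", "insecure": True,
    "url": "ldap://openldap.auth-openshift.svc.cluster.local",
    "groupUIDNameMapping": {
        "cn=openshift_admin,ou=Group,dc=zyl,dc=io": "openshift_admin",
        "cn=openshift_user,ou=Group,dc=zyl,dc=cn": "openshift_user",
    },
    "rfc2307": {"groupsQuery": {"baseDN": "ou=Group,dc=zyl,dc=io"}, "groupUIDAttribute": "dn"},
}
```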
Run the following command to perform the sync:
```shell
% oc adm groups sync --sync-config=rfc2307_config_user_defined.yaml --confirm
group/zyl
group/admin
group/openshift_user
group/openshift_admin
```
openshift_admin serves as the administrator group and openshift_user as the regular-user group; grant them roles accordingly:
```shell
oc adm policy add-cluster-role-to-group cluster-admin openshift_admin
oc adm policy add-cluster-role-to-group basic-user openshift_user
```
Log in as a user:
```shell
oc login -uadmin -pchangeme
```
After a user logs in, OKD creates a user object of its own that is mapped to the LDAP identity:
```shell
% oc get groups
NAME              USERS
admin             admin
openshift_admin   admin
openshift_user    zyl
zyl               zyl
% oc get users
NAME    UID                                    FULL NAME   IDENTITIES
admin   3c4ae0bf-338c-11e9-b2f8-52540042814f   admin       ldap_auth:uid=admin,ou=People,dc=zyl,dc=io
% oc get identities
NAME                                         IDP NAME    IDP USER NAME                      USER NAME   USER UID
ldap_auth:uid=admin,ou=People,dc=zyl,dc=io   ldap_auth   uid=admin,ou=People,dc=zyl,dc=io   admin       3c4ae0bf-338c-11e9-b2f8-52540042814f
```
References
- OpenLDAP Helm Chart: https://github.com/helm/chart...
- osixia/openldap: https://github.com/osixia/doc...