仓库源文站点原文


layout: post title: k8s 設定 ldap 登入 date: 2021-01-07 10:47 +0800

categories: k8s

dex

先安裝dex作為認證方式

helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm pull gabibbo97/dex
tar xf ...
...
cp values.yaml values-prod.yaml

修改 values-prod.yaml 以下為有修改的部分

ingress:
    enabled: true
    hosts: dex.example.com
    tls: <這邊我用wildcard cert 省略>

connectors:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: <LDAP server IP>:389
      insecureNoSSL: true
      insecureSkipVerify: true
      bindDN: cn=admin,dc=skymirror,dc=com,dc=tw
      bindPW: <Password>
      userSearch:
        baseDN: ou=users,dc=skymirror,dc=com,dc=tw
        username: uid
        idAttr: uid
        emailAttr: mail
        nameAttr: uid

staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    redirectURIs:
    - 'https://login.example.com/callback/'
    secret: KwqJbmSYZpQKwqJbmSYZpQKwqJbmSYZpQ <自行修改的random phrase>
helm install -n auth dex -f values.yaml -f values-prod.yaml .

確認 dex pod 是否 ready

authenticator

git clone https://github.com/mintel/dex-k8s-authenticator.git

一樣修改一份自定的 values-prod.yaml

這裡我設定了IP白名單,只能從內網IP登入

dexK8sAuthenticator:
  port: 5555
  debug: false
  web_path_prefix: /
  clusters:
  - name: kubernetes
    short_description: "kubernetes"
    description: "kubernetes"
    client_secret: <跟dex的staticClients[0].secret一樣>
    issuer: https://dex.example.com
    k8s_master_uri: https://10.168.100.100:8443
    client_id: dex-k8s-authenticator
    redirect_uri: https://login.example.com/callback/
    k8s_ca_pem: |
      -----BEGIN CERTIFICATE-----
      <你的cluster ca cert>
      -----END CERTIFICATE-----

ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.168.0.0/16,192.168.60.0/24"
  path: /
  hosts:
    - login.example.com
  tls:
    - secretName: wildcard-example-com-tls
      hosts:
        - login.example.com
helm install -n auth k8s-auther -f values.yaml -f values-prod.yaml .