layout: post title: k8s 設定 ldap 登入 date: 2021-01-07 10:47 +0800
先安裝dex作為認證方式
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm pull gabibbo97/dex
tar xf ...
...
cp values.yaml values-prod.yaml
修改 values-prod.yaml 以下為有修改的部分
ingress:
enabled: true
hosts: dex.example.com
tls: <這邊我用wildcard cert 省略>
connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: <LDAP server IP>:389
insecureNoSSL: true
insecureSkipVerify: true
bindDN: cn=admin,dc=skymirror,dc=com,dc=tw
bindPW: <Password>
userSearch:
baseDN: ou=users,dc=skymirror,dc=com,dc=tw
username: uid
idAttr: uid
emailAttr: mail
nameAttr: uid
staticClients:
- id: dex-k8s-authenticator
name: dex-k8s-authenticator
redirectURIs:
- 'https://login.example.com/callback/'
secret: KwqJbmSYZpQKwqJbmSYZpQKwqJbmSYZpQ <自行修改的random phrase>
helm install -n auth dex -f values.yaml -f values-prod.yaml .
確認 dex pod 是否 ready
git clone https://github.com/mintel/dex-k8s-authenticator.git
一樣修改一份自定的 values-prod.yaml
這裡我設定了IP白名單,只能從內網IP登入
dexK8sAuthenticator:
port: 5555
debug: false
web_path_prefix: /
clusters:
- name: kubernetes
short_description: "kubernetes"
description: "kubernetes"
client_secret: <跟dex的staticClients[0].secret一樣>
issuer: https://dex.example.com
k8s_master_uri: https://10.168.100.100:8443
client_id: dex-k8s-authenticator
redirect_uri: https://login.example.com/callback/
k8s_ca_pem: |
-----BEGIN CERTIFICATE-----
<你的cluster ca cert>
-----END CERTIFICATE-----
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: "10.168.0.0/16,192.168.60.0/24"
path: /
hosts:
- login.example.com
tls:
- secretName: wildcard-example-com-tls
hosts:
- login.example.com
helm install -n auth k8s-auther -f values.yaml -f values-prod.yaml .