利用Keycloak实现Kubernetes单点登录与权限验证（SSO,OIDC,RBAC）

本文将详细介绍如何利用Keycloak配置Kubernetes登录验证，以及RBAC管理。
本文全部为测试环境工具。
流程示意

image.png

配置Keycloak

安装配置

生产环境不建议使用docker直接部署Keycloak。如果使用nginx需要将PROXY_ADDRESS_FORWARDING配置成true.

sudo docker run -e KEYCLOAK_USER=wanglei -e KEYCLOAK_PASSWORD=your_password -e PROXY_ADDRESS_FORWARDING=true -p 8081:8080 -d jboss/keycloak

配置nginx

将server_name配置成你的域名,代理Keycloak端口，注意上面PROXY_ADDRESS_FORWARDING=true

server {
    listen 80;
    server_name key.wanglei.me;

    location / {
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host      $http_host;
        proxy_pass         http://localhost:8081;
    }
}

在Clients中创建kubernetes

设置Client ID为kubernetes，Client Protocol选择openid-connect即OIDC协议。

image.png

设置Client

将Access Type设置为confidential, Valid Redirect URIs根据需要设置，本文后面用到kubelogin,需要设置为http://localhost:8000

image.png

记录Client Secret

在Credentials中找到Secret，后面需要用到。

image.png

新建Mapper

选择Mapper Type为User Attribute,选择Claim JSON Type为String,下面开关一律选on(可根据需求更改)。此处Token Claim Name字段设置为groups,后面配置kube-apiserver会用到。

image.png

为User添加Attribute

添加key groups, value admin,然后点击add，再save。

image.png

配置kubernetes

此处使用kind(kubernetes in docker) https://github.com/kubernetes-sigs/kind#installation-and-usage 为例。
安装kind（mac 为例）

brew install kind

配置kube-apiserver

config.yaml

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
kubeadmConfigPatches:
- |
  kind: ClusterConfiguration
  metadata:
    name: config
  apiServer:
    extraArgs:
      oidc-issuer-url: "https://key.wanglei.me/auth/realms/master"
      oidc-client-id: "kubernetes"
      oidc-username-claim: "preferred_username"
      oidc-username-prefix: "-"
      oidc-groups-claim: "groups"

创建本地kubernetes集群。

kind create cluster --config=./config.yaml

查看apiserver log

kubectl logs -n kube-system --tail=10 -f kube-apiserver-kind-control-plane

配置RBAC

RBAC介绍https://kubernetes.io/docs/reference/access-authn-authz/rbac/

创建一个ClusterRoleBinding, 文中使用系统自带的cluster-admin为例，也可以创建符合要求的role。
创建cluster-role-binding.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: keycloak-admin-group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  name: admin
  apiGroup: rbac.authorization.k8s.io

kubectl apply

kubectl apply -f cluster-role-binding.yaml

配置kubeconfig

安装kubelogin，https://github.com/int128/kubelogin

brew install int128/kubelogin/kubelogin

kubelogin示意图

image.png

编辑 ~/.kube/config,里面为kind生成的配置，添加一个名为oidc的user，并配置到kind-kind的context

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://localhost:6443
  name: docker-for-desktop-cluster
- cluster:
    certificate-authority-data: ...
    server: https://127.0.0.1:32773
  name: kind-kind
contexts:
- context:
    cluster: docker-for-desktop-cluster
    user: docker-for-desktop
  name: docker-for-desktop
- context:
    cluster: kind-kind
    user: oidc
  name: kind-kind
current-context: kind-kind
kind: Config
preferences: {}
users:
- name: docker-for-desktop
  user:
    client-certificate-data: ...
    client-key-data: ...
- name: kind-kind
  user:
    client-certificate-data: ...
    client-key-data: ...
- name: oidc
  user:
    auth-provider:
      config:
        client-id: kubernetes
        client-secret: your-secret
        idp-issuer-url: https://key.wanglei.me/auth/realms/master
      name: oidc

运行kubelogin,出现如下提示即登录成功。

image.png

试一下

image.png

此时再看~/.kube/config,可以看到多了两行id-token和refresh-token

- name: oidc
  user:
    auth-provider:
      config:
        client-id: kubernetes
        client-secret: 50cc10ed-1859-4042-9305-c913470ac6e2
        id-token: ...
        idp-issuer-url: https://key.wanglei.me/auth/realms/master
        refresh-token: ...
      name: oidc

其中id-token可以解析为如下json

image.png

同理，如需要多种权限验证皆可以通过RBAC和Keycloak很好的实现。
参考：
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
https://octopus.com/blog/kubernetes-oauth
https://kind.sigs.k8s.io/docs/user/quick-start/#enable-feature-gates-in-your-cluster
https://github.com/int128/kubelogin/blob/master/docs/setup.md#keycloak
https://blog.hdls.me/15647317755993.html