ActiveDirectory authorization to Kubernetes with Keycloak
In this article I will explain how to install and configure:
- Keycloak, an open source project that provides a single entry point for applications. It supports many protocols, including the two that interest us here: LDAP and OpenID Connect.
- Keycloak Gatekeeper, a reverse proxy application that lets you put authorization through Keycloak in front of an application.
- Gangway, an application that generates a kubectl config with which you can log in and use OpenID Connect to talk to the Kubernetes API.
How permissions work in Kubernetes
We can manage user and group permissions with RBAC; plenty of articles cover that already, so I will not go into detail here. The problem is that RBAC can restrict what a user may do, but Kubernetes itself knows nothing about users. So we need a mechanism that delivers users to Kubernetes. For this we add an OpenID Connect provider to Kubernetes, which asserts that a given user really exists, and Kubernetes then grants that user rights.
Preparation
- You will need a Kubernetes cluster or minikube
- Active Directory
- Domains: keycloak.example.org, kubernetes-dashboard.example.org, gangway.example.org
- A certificate for the domains, or a self-signed certificate
I will not dwell on how to create a self-signed certificate; you need two certificates: the root (Certificate Authority) and a wildcard client certificate for the *.example.org domain.
After you obtain or issue the certificates, the client certificate must be added to Kubernetes; to do this, create a secret for it:
```shell
kubectl create secret tls tls-keycloak --cert=example.org.crt --key=example.org.pe
```
Next we will use this secret for our Ingress controller.
Install Keycloak
I decided that the easiest way is to use ready-made solutions, namely Helm charts.
Add the repository and update it:
```shell
helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update
```
Create the keycloak.yml file with the following contents:
Federation setup
Next, go to the web interface at keycloak.example.org
In the left corner, click Add realm
Disable the email verification requirement for users:
Client scopes -> Email -> Mappers -> Email verified (Delete)
Now we set up a federation to import users from Active Directory.
User federation -> Add provider … -> ldap
If all is well, then after clicking the Synchronize all users button you will receive a message about the successful import of users.
Next, we need to map our groups:
User federation -> ldap_localhost -> Mappers -> Create
Client setup
We need to create a client; in Keycloak terms this is an application that will be authorized by it. The important points are highlighted in red in the screenshot.
Clients -> Create
Create a scope for the groups:
Client Scopes -> Create
And configure a mapper for it:
Client Scopes -> groups -> Mappers -> Create
Add the groups mapping to the client's Default Client Scopes:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups under Available Client Scopes and click Add selected.
Now we take the client secret (save it somewhere, we will need it later) that will be used for authorization in Keycloak:
Clients -> kubernetes -> Credentials -> Secret
This is the end of the setup.
Configure Kubernetes
We need to tell the API server where the root certificate that issued our site certificate is, and where the OIDC provider is located.
To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml
and update the kubeadm config in the cluster:
```shell
kubectl edit -n kube-system configmaps kubeadm-config
```
```yaml
...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /var/lib/minikube/certs/My_Root.crt
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
```
Configure auth-proxy
You can use Keycloak Gatekeeper to protect a web application. Besides authorizing the user before showing the page, this reverse proxy also passes the user's identity to the upstream application in request headers. So if your application supports OpenID Connect, the user is logged in immediately. Let's look at the Kubernetes Dashboard as an example.
Install Kubernetes Dashboard
```shell
helm install stable/kubernetes-dashboard --name dashboard -f values_dashboard.yaml
```
Setting permissions:
Create a ClusterRoleBinding that grants cluster admin rights (the standard cluster-admin ClusterRole) to users in the DataOPS group.
```shell
kubectl apply -f rbac.yaml
```
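As an added example (not code from the original article), the following Python script mirrors the claim checks kube-apiserver performs with the settings given above (issuer URL, client id, the email username claim and the groups claim) and reports whether the resulting identity would match the DataOPS ClusterRoleBinding from rbac.yaml. The token is a constructed, unsigned sample built inline; the script deliberately does not verify the signature, which the API server does against the issuer's keys.

```python
import base64
import json

# Constructed copy of the OIDC settings given to kube-apiserver above.
APISERVER_OIDC = {
    "issuer_url": "https://keycloak.example.org/auth/realms/kubernetes",
    "client_id": "kubernetes",
    "username_claim": "email",
    "groups_claim": "groups",
}

def _b64url(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified here;
    kube-apiserver does that against the issuer's published keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url(parts[1]))

def kube_identity(claims: dict, now: int, cfg: dict = APISERVER_OIDC) -> dict:
    """Mirror the claim checks kube-apiserver applies and return the username
    and groups it would hand to RBAC, plus any reasons it would refuse the token."""
    problems = []
    if claims.get("iss") != cfg["issuer_url"]:
        problems.append("iss does not match oidc-issuer-url")
    aud = claims.get("aud", [])
    if cfg["client_id"] not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not contain oidc-client-id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    username = claims.get(cfg["username_claim"])
    if not username:
        problems.append("missing username claim " + cfg["username_claim"])
    groups = claims.get(cfg["groups_claim"], [])
    groups = [groups] if isinstance(groups, str) else list(groups)
    return {"username": username, "groups": groups, "problems": problems}

def is_cluster_admin(identity: dict) -> bool:
    """Would the DataOPS ClusterRoleBinding (rbac.yaml above) match this identity?"""
    return not identity["problems"] and "DataOPS" in identity["groups"]

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".constructed"
```

A token that passes all checks but carries no groups claim is the symptom of forgetting to add the groups scope to the client's Default Client Scopes: the user authenticates, but RBAC gives them nothing.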
Install Keycloak Gatekeeper:
```shell
helm repo add gabibbo97 https://gabibbo97.github.io/charts/
helm repo update
helm install gabibbo97/keycloak-gatekeeper --version 2.1.0 --name keycloak-gatekeeper -f values_proxy.yaml
```
After that, when you open kubernetes-dashboard.example.org, you will be redirected to Keycloak and, if authorization succeeds, you will land in the Dashboard already logged in.
Gangway installation
For convenience, you can add Gangway, which generates a kubectl config file with which we can access Kubernetes as our own user.
```shell
helm install --name gangway stable/gangway -f values_gangway.yaml
```
This lets you download the config file directly, or create it using the set of commands shown.
2 Comments
This website was… how do you say it? Relevant!! Finally I’ve found something that helped me.
Thanks!
Like!! I blog quite often and I genuinely thank you for your information. The article has truly piqued my interest.