KubeSphere-048: External System (LDAP/OAuth2) Integration Practice
Contents
1. Basic Concepts
1.1 LDAP Overview
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining distributed directory information services. LDAP is commonly used for:
- User authentication: centralized management of user accounts and passwords
- User authorization: permission management based on LDAP groups
- User information management: centralized management of user attributes
- Single sign-on: enterprise-wide single sign-on
1.2 OAuth2 Overview
OAuth2 (Open Authorization 2.0) is an authorization framework that lets third-party applications access a user's resources with the user's consent. OAuth2 is commonly used for:
- Third-party login: signing in with an account from another provider
- API authorization: granting third-party applications access to an API
- Single sign-on: cross-application single sign-on
- Token management: issuing and rotating access tokens and refresh tokens
1.3 KubeSphere Identity Authentication
KubeSphere supports several authentication methods:
| Method | Description | Typical scenario |
|---|---|---|
| Local users | KubeSphere's built-in user database | Small environments |
| LDAP | Integrates an enterprise LDAP server | Enterprise environments |
| OAuth2 | Integrates an OAuth2 authorization server | Third-party integration |
| SAML | Integrates a SAML identity provider | Enterprise environments |
2. Production Environment Planning
2.1 LDAP Integration Planning
2.1.1 LDAP Server Settings
# - LDAP server address: ldap.example.com
# - LDAP port: 389 (cleartext) or 636 (TLS)
# - Base DN: dc=example,dc=com
# - User DN: ou=users,dc=example,dc=com
# - Group DN: ou=groups,dc=example,dc=com
2.1.2 LDAP User Mapping
# - Username attribute: uid
# - Email attribute: mail
# - Display name attribute: cn
# - Group membership attribute: memberUid
2.2 OAuth2 Integration Planning
2.2.1 OAuth2 Server Settings
# - OAuth2 server address: https://oauth.example.com
# - Client ID: kubesphere-client
# - Client secret: kubesphere-secret
# - Authorization endpoint: https://oauth.example.com/oauth/authorize
# - Token endpoint: https://oauth.example.com/oauth/token
# - Userinfo endpoint: https://oauth.example.com/userinfo
2.2.2 OAuth2 Role Mapping
# - Administrator role: admin
# - Developer role: developer
# - Read-only role: viewer
# - Auditor role: auditor
2.3 Security Planning
2.3.1 Transport Security
# - Encrypt LDAP connections with LDAPS
# - Encrypt OAuth2 connections with HTTPS
# - Verify server certificates
2.3.2 Access Control
# - Configure an IP allowlist
# - Configure login rate limiting
# - Configure session timeouts
3. Implementation Steps
3.1 Deploy the LDAP Server
3.1.1 Deploy OpenLDAP
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openldap
  namespace: kubesphere-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: openldap
          image: osixia/openldap:1.5.0
          ports:
            - containerPort: 389
            - containerPort: 636
          env:
            - name: LDAP_DOMAIN
              value: "example.com"
            - name: LDAP_ORGANISATION
              value: "Example Inc."
            - name: LDAP_ADMIN_PASSWORD
              value: "admin123"   # sample value; in production take it from a Secret (secretKeyRef)
          volumeMounts:
            - name: ldap-data
              mountPath: /var/lib/ldap
            - name: ldap-config
              mountPath: /etc/ldap/slapd.d
      volumes:
        - name: ldap-data
          persistentVolumeClaim:
            claimName: ldap-data-pvc
        - name: ldap-config
          persistentVolumeClaim:
            claimName: ldap-config-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: openldap
  namespace: kubesphere-system
spec:
  selector:
    app: openldap
  ports:
    - name: ldap
      port: 389
      targetPort: 389
    - name: ldaps
      port: 636
      targetPort: 636
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-data-pvc
  namespace: kubesphere-system
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-config-pvc
  namespace: kubesphere-system
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
EOF
deployment.apps/openldap created
service/openldap created
persistentvolumeclaim/ldap-data-pvc created
persistentvolumeclaim/ldap-config-pvc created
# Check the OpenLDAP status
kubectl get pods -n kubesphere-system -l app=openldap
NAME                         READY   STATUS    RESTARTS   AGE
openldap-7d6f8b9c5d-abc123   1/1     Running   0          1m
3.1.2 Create LDAP Users and Groups
# -i passes the heredoc on stdin to ldapadd inside the pod; LDIF records are separated by a blank line
cat <<EOF | kubectl exec -i -n kubesphere-system deployment/openldap -- ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin123
# Create the organizational units
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# Create the groups (groupOfNames requires at least one member)
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: cn=admin,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: developers
member: cn=admin,dc=example,dc=com

# Create the users
dn: uid=zhangsan,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: zhangsan
cn: 张三
sn: 张
mail: zhangsan@example.com
userPassword: zhangsan123

dn: uid=lisi,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: lisi
cn: 李四
sn: 李
mail: lisi@example.com
userPassword: lisi123
EOF
adding new entry "ou=users,dc=example,dc=com"
adding new entry "ou=groups,dc=example,dc=com"
adding new entry "cn=admins,ou=groups,dc=example,dc=com"
adding new entry "cn=developers,ou=groups,dc=example,dc=com"
adding new entry "uid=zhangsan,ou=users,dc=example,dc=com"
adding new entry "uid=lisi,ou=users,dc=example,dc=com"
3.2 Configure LDAP Integration
3.2.1 Configure KubeSphere LDAP
cat <<EOF | kubectl apply -f -
apiVersion: config.ks.kubesphere.io/v1alpha1
kind: Authentication
metadata:
  name: authentication
  namespace: kubesphere-system
spec:
  authenticateRateLimiterMaxTries: 10
  authenticateRateLimiterDuration: 10m
  loginHistoryRetentionPeriod: 7d
  maximumRetentionPeriodOfLoginHistory: 30d
  multipleLogin: true
  oauthOptions: {}
  kubectlAdminUser: admin
  jwtSecret: "jwt-secret-1234567890"
  ldapOptions:
    host: openldap.kubesphere-system.svc
    port: 389
    managerDN: "cn=admin,dc=example,dc=com"
    managerPassword: "admin123"
    userSearchBase: "ou=users,dc=example,dc=com"
    userSearchFilter: "(uid=%s)"
    groupSearchBase: "ou=groups,dc=example,dc=com"
    groupSearchFilter: "(&(objectClass=groupOfNames)(member=%s))"
EOF
authentication.config.ks.kubesphere.io/authentication configured
# Restart ks-apiserver
kubectl rollout restart deployment ks-apiserver -n kubesphere-system
deployment.apps/ks-apiserver restarted
3.2.2 Test LDAP Login
# Log in to the KubeSphere console with an LDAP user
# Username: zhangsan
# Password: zhangsan123
# Verify the user
kubectl get users -A | grep zhangsan
kubesphere-system zhangsan zhangsan@example.com Active
3.3 Configure OAuth2 Integration
3.3.1 Deploy the OAuth2 Server
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: kubesphere-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:23.0
          ports:
            - containerPort: 8080
          env:
            - name: KEYCLOAK_ADMIN
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: "admin123"   # sample value; in production take it from a Secret
            - name: KC_DB
              value: "postgres"
            - name: KC_DB_URL
              value: "jdbc:postgresql://postgres:5432/keycloak"
            - name: KC_DB_USERNAME
              value: "keycloak"
            - name: KC_DB_PASSWORD
              value: "keycloak123"
            - name: KC_HOSTNAME
              value: "keycloak.example.com"
            - name: KC_HOSTNAME_STRICT
              value: "false"
            - name: KC_HOSTNAME_STRICT_HTTPS
              value: "false"
            - name: KC_HTTP_ENABLED
              value: "true"    # plain HTTP and start-dev are test settings; see 2.3.1 for production transport
          command:
            - /opt/keycloak/bin/kc.sh
            - start-dev
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: kubesphere-system
spec:
  selector:
    app: keycloak
  ports:
    - port: 8080
      targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: kubesphere-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:15
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: "keycloak"
            - name: POSTGRES_USER
              value: "keycloak"
            - name: POSTGRES_PASSWORD
              value: "keycloak123"
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: postgres-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: kubesphere-system
spec:
  selector:
    app: postgres
  ports:
    - port: 5432
      targetPort: 5432
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-pvc
  namespace: kubesphere-system
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
EOF
deployment.apps/keycloak created
service/keycloak created
deployment.apps/postgres created
service/postgres created
persistentvolumeclaim/postgres-pvc created
# Check the Keycloak status
kubectl get pods -n kubesphere-system -l app=keycloak
NAME                         READY   STATUS    RESTARTS   AGE
keycloak-7d6f8b9c5d-abc123   1/1     Running   0          1m
3.3.2 Configure Keycloak
kubectl port-forward -n kubesphere-system svc/keycloak 8080:8080
Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080
# Open http://localhost:8080
# Log in with the administrator account
# Username: admin
# Password: admin123
# Create a realm
# 1. Click "Add realm"
# 2. Enter the realm name: kubesphere
# 3. Click "Create"
# Create a client
# 1. Click "Clients"
# 2. Click "Create client"
# 3. Enter the Client ID: kubesphere
# 4. Client authentication: ON
# 5. Click "Save"
# 6. Copy the Client secret from the Credentials tab
# Create a user
# 1. Click "Users"
# 2. Click "Add user"
# 3. Enter the username: wangwu
# 4. Click "Save"
# 5. Set the password on the Credentials tab
3.3.3 Configure KubeSphere OAuth2
cat <<EOF | kubectl apply -f -
apiVersion: config.ks.kubesphere.io/v1alpha1
kind: Authentication
metadata:
  name: authentication
  namespace: kubesphere-system
spec:
  authenticateRateLimiterMaxTries: 10
  authenticateRateLimiterDuration: 10m
  loginHistoryRetentionPeriod: 7d
  maximumRetentionPeriodOfLoginHistory: 30d
  multipleLogin: true
  oauthOptions:
    identityProviders:
      - name: keycloak
        type: OIDCIdentityProvider
        mappingMethod: auto
        provider:
          clientID: "kubesphere"
          clientSecret: "your-client-secret"   # the Client secret copied from the Credentials tab in 3.3.2
          issuer: "http://keycloak.kubesphere-system.svc:8080/realms/kubesphere"
          redirectURL: "http://console.kubesphere.io/oauth/callback"
          scopes:
            - openid
            - profile
            - groups
  kubectlAdminUser: admin
  jwtSecret: "jwt-secret-1234567890"
  ldapOptions:
    host: openldap.kubesphere-system.svc
    port: 389
    managerDN: "cn=admin,dc=example,dc=com"
    managerPassword: "admin123"
    userSearchBase: "ou=users,dc=example,dc=com"
    userSearchFilter: "(uid=%s)"
    groupSearchBase: "ou=groups,dc=example,dc=com"
    groupSearchFilter: "(&(objectClass=groupOfNames)(member=%s))"
EOF
authentication.config.ks.kubesphere.io/authentication configured
# Restart ks-apiserver
kubectl rollout restart deployment ks-apiserver -n kubesphere-system
deployment.apps/ks-apiserver restarted
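The Authentication spec applied above (and the LDAP-only one in 3.2.1) is a working test setup, but it still differs from the plan in 2.3 and the advice in 5.1: LDAP on port 389, http issuer and redirect URL, a placeholder client secret, and the directory admin as the bind DN. The following Python is an added example, not part of this tutorial and not KubeSphere code: it lints such a spec against that plan before it is applied. The spec is modelled as a plain dict that mirrors the manifest (so no YAML library is needed); the placeholder list, the jwtSecret length threshold and the "cn=admin" heuristic are this example's own assumptions.

```python
"""Lint a KubeSphere Authentication spec against the plan in 2.3 (LDAPS, HTTPS,
rate limiting) and the least-privilege advice in 5.1.  Added example, not
KubeSphere code: the spec is a plain dict that mirrors the manifest applied
above; the thresholds and the placeholder list are assumptions."""
import copy
from urllib.parse import urlparse

PLACEHOLDER_SECRETS = {"your-client-secret", "kubesphere-secret", "admin123"}  # sample values on this page
MIN_JWT_SECRET_LEN = 32  # local policy assumption, not a KubeSphere requirement


def lint_authentication(spec: dict) -> list:
    """Return findings as 'CODE: detail' strings; an empty list means the spec meets the plan."""
    findings = []
    # 2.3.2: the login rate limiter must be configured (both knobs)
    if not (spec.get("authenticateRateLimiterMaxTries") and spec.get("authenticateRateLimiterDuration")):
        findings.append("RATE_LIMIT: authenticateRateLimiterMaxTries/Duration not set")
    jwt = spec.get("jwtSecret", "")
    if len(jwt) < MIN_JWT_SECRET_LEN or jwt.startswith("jwt-secret"):
        findings.append("JWT_SECRET: jwtSecret is short or looks like a sample value")

    ldap = spec.get("ldapOptions") or {}
    if ldap:
        # 2.3.1: LDAPS on 636; on 389 the manager bind password crosses the wire in clear
        if int(ldap.get("port", 389)) != 636:
            findings.append("LDAP_CLEARTEXT: ldapOptions.port is not 636 (LDAPS)")
        if ldap.get("managerPassword") in PLACEHOLDER_SECRETS:
            findings.append("LDAP_BIND_PASSWORD: managerPassword is a sample value")
        # 5.1.1: bind with a least-privilege account, not the directory admin (heuristic on the RDN)
        if ldap.get("managerDN", "").lower().startswith("cn=admin,"):
            findings.append("LDAP_BIND_PRIVILEGE: managerDN is the directory admin")
        for key in ("userSearchFilter", "groupSearchFilter"):
            if ldap.get(key, "").count("%s") != 1:
                findings.append(f"LDAP_FILTER: {key} must contain exactly one %s placeholder")

    for idp in (spec.get("oauthOptions") or {}).get("identityProviders", []):
        name, prov = idp.get("name", "?"), idp.get("provider", {})
        # 2.3.1: issuer discovery and the callback must both be https
        for field in ("issuer", "redirectURL"):
            if urlparse(prov.get(field, "")).scheme != "https":
                findings.append(f"OAUTH_CLEARTEXT: {name}.{field} is not https")
        if prov.get("clientSecret") in PLACEHOLDER_SECRETS:
            findings.append(f"OAUTH_SECRET: {name}.clientSecret is a placeholder")
        # an OIDC provider must request the openid scope or no ID token is issued
        if "openid" not in prov.get("scopes", []):
            findings.append(f"OAUTH_SCOPE: {name} does not request the openid scope")
    return findings


# Constructed to mirror the Authentication manifest applied in 3.3.3
AS_APPLIED = {
    "authenticateRateLimiterMaxTries": 10,
    "authenticateRateLimiterDuration": "10m",
    "jwtSecret": "jwt-secret-1234567890",
    "ldapOptions": {
        "host": "openldap.kubesphere-system.svc", "port": 389,
        "managerDN": "cn=admin,dc=example,dc=com", "managerPassword": "admin123",
        "userSearchBase": "ou=users,dc=example,dc=com", "userSearchFilter": "(uid=%s)",
        "groupSearchBase": "ou=groups,dc=example,dc=com",
        "groupSearchFilter": "(&(objectClass=groupOfNames)(member=%s))",
    },
    "oauthOptions": {"identityProviders": [{
        "name": "keycloak", "type": "OIDCIdentityProvider", "mappingMethod": "auto",
        "provider": {
            "clientID": "kubesphere", "clientSecret": "your-client-secret",
            "issuer": "http://keycloak.kubesphere-system.svc:8080/realms/kubesphere",
            "redirectURL": "http://console.kubesphere.io/oauth/callback",
            "scopes": ["openid", "profile", "groups"],
        },
    }]},
}


def hardened() -> dict:
    """The same spec with the findings fixed (values are placeholders for real secrets)."""
    spec = copy.deepcopy(AS_APPLIED)
    spec["jwtSecret"] = "REPLACE-WITH-32-PLUS-RANDOM-BYTES-FROM-A-SECRET-STORE"
    spec["ldapOptions"].update(port=636, managerDN="cn=ks-bind,ou=services,dc=example,dc=com",
                               managerPassword="REPLACE-WITH-BIND-PASSWORD-FROM-SECRET")
    prov = spec["oauthOptions"]["identityProviders"][0]["provider"]
    prov.update(clientSecret="REPLACE-WITH-KEYCLOAK-CLIENT-SECRET",
                issuer="https://keycloak.example.com/realms/kubesphere",
                redirectURL="https://console.example.com/oauth/callback")
    return spec
```

Run `lint_authentication(AS_APPLIED)` and the page's own values produce seven findings (cleartext LDAP and OAuth2 endpoints, sample secrets, admin bind DN); `lint_authentication(hardened())` returns an empty list. The check is deliberately static: it catches what is visible in the manifest, not whether the LDAPS certificate actually validates.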
4. Hands-on Cases
4.1 LDAP Integration in Practice
4.1.1 Create LDAP Users
cat <<EOF | kubectl exec -i -n kubesphere-system deployment/openldap -- ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin123
dn: uid=wangwu,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: wangwu
cn: 王五
sn: 王
mail: wangwu@example.com
userPassword: wangwu123

dn: uid=zhaoliu,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: zhaoliu
cn: 赵六
sn: 赵
mail: zhaoliu@example.com
userPassword: zhaoliu123
EOF
adding new entry "uid=wangwu,ou=users,dc=example,dc=com"
adding new entry "uid=zhaoliu,ou=users,dc=example,dc=com"
# Add the users to the groups (one modify record per group, separated by a blank line)
cat <<EOF | kubectl exec -i -n kubesphere-system deployment/openldap -- ldapmodify -x -D "cn=admin,dc=example,dc=com" -w admin123
dn: cn=admins,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=zhangsan,ou=users,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=lisi,ou=users,dc=example,dc=com
member: uid=wangwu,ou=users,dc=example,dc=com
member: uid=zhaoliu,ou=users,dc=example,dc=com
EOF
modifying entry "cn=admins,ou=groups,dc=example,dc=com"
modifying entry "cn=developers,ou=groups,dc=example,dc=com"
4.1.2 Configure Role Mapping
cat <<EOF | kubectl apply -f -
apiVersion: iam.kubesphere.io/v1alpha2
kind: RoleBinding
metadata:
  name: ldap-admins-admin
  namespace: kubesphere-devops-system
subjects:
  - kind: User
    name: zhangsan
roleRef:
  kind: ClusterRole
  name: cluster-admin
---
apiVersion: iam.kubesphere.io/v1alpha2
kind: RoleBinding
metadata:
  name: ldap-developers-developer
  namespace: kubesphere-devops-system
subjects:
  - kind: User
    name: lisi
  - kind: User
    name: wangwu
  - kind: User
    name: zhaoliu
roleRef:
  kind: ClusterRole
  name: developer
EOF
rolebinding.iam.kubesphere.io/ldap-admins-admin created
rolebinding.iam.kubesphere.io/ldap-developers-developer created
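The RoleBindings above repeat by hand what the directory already says: the groups created in 3.1.2 and extended in 4.1.1 are groupOfNames entries whose `member` values are user DNs, which is exactly what the `groupSearchFilter` in 3.2.1 queries (the `memberUid` attribute listed in the 2.1.2 plan belongs to posixGroup and is not used by these manifests). The following Python is an added example, not part of this tutorial and not KubeSphere or OpenLDAP code: it parses the LDIF fed to ldapadd and ldapmodify, applies the `add: member` changes, resolves each group's members to uids and renders RoleBindings in the shape of 4.1.2 from the result. The LDIF is constructed from this page's entries (attributes trimmed, zhaoliu and wangwu omitted), the group-to-role table and the binding names are this example's own choices, and one `cn` is base64-encoded (`cn::`) the way ldapsearch exports non-ASCII values.

```python
"""Parse the LDIF of 3.1.2 and 4.1.1, resolve groupOfNames membership and render
RoleBindings like those in 4.1.2.  Added example, not KubeSphere or OpenLDAP code;
the LDIF below is constructed from this page's entries."""
import base64

LDIF_ADD = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: cn=admin,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: developers
member: cn=admin,dc=example,dc=com

dn: uid=zhangsan,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: zhangsan
cn:: 5byg5LiJ

dn: uid=lisi,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: lisi
cn: 李四
"""
LDIF_MODIFY = """\
dn: cn=admins,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=zhangsan,ou=users,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=lisi,ou=users,dc=example,dc=com
"""
GROUP_ROLES = {"admins": "cluster-admin", "developers": "developer"}  # the bindings of 4.1.2


def load_ldif(text, entries=None):
    """Parse LDIF into {dn: {attr: [values]}}, merging 'changetype: modify' + 'add:' records
    into existing entries (the only modification this page uses; replace/delete raise).
    Handles '#' comments, folded lines, the '-' separator and 'attr:: <base64>' values."""
    entries = {} if entries is None else entries
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded line continues the previous one
        else:
            lines.append(raw)
    attrs = None
    for line in lines + [""]:                 # trailing "" ends the last record
        if line.startswith("#") or line == "-":
            continue
        if not line.strip():
            attrs = None                      # blank line ends the record
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if value.startswith(":"):             # base64 value, used for non-ASCII such as cn
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if attr == "dn":
            attrs = entries.setdefault(value, {})
        elif attr in ("replace", "delete"):
            raise ValueError(f"unsupported modify operation: {line}")
        elif attr not in ("changetype", "add"):
            attrs.setdefault(attr, []).append(value)
    return entries


def group_members(entries):
    """Map group cn -> sorted uids; members that are not user entries with a uid (here the
    directory admin cn=admin,dc=example,dc=com) are returned separately as unresolved."""
    groups, unresolved = {}, {}
    for attrs in entries.values():
        if "groupOfNames" in attrs.get("objectClass", []):
            cn = attrs["cn"][0]
            groups[cn] = []
            for member in attrs.get("member", []):
                uid = entries.get(member, {}).get("uid")
                if uid:
                    groups[cn].append(uid[0])
                else:
                    unresolved.setdefault(cn, []).append(member)
    return {g: sorted(u) for g, u in groups.items()}, unresolved


def rolebinding_manifest(group, uids, role, namespace="kubesphere-devops-system"):
    """Render one RoleBinding like those in 4.1.2 (the binding name is this example's own)."""
    out = ["apiVersion: iam.kubesphere.io/v1alpha2", "kind: RoleBinding", "metadata:",
           f"  name: ldap-{group}-{role}", f"  namespace: {namespace}", "subjects:"]
    out += [f"  - kind: User\n    name: {uid}" for uid in uids]
    out += ["roleRef:", "  kind: ClusterRole", f"  name: {role}"]
    return "\n".join(out) + "\n"


def build_bindings():
    """Apply both LDIF files, then emit one manifest per group that has a role mapping."""
    entries = load_ldif(LDIF_MODIFY, load_ldif(LDIF_ADD))
    groups, unresolved = group_members(entries)
    return groups, unresolved, [rolebinding_manifest(g, groups[g], r)
                                for g, r in GROUP_ROLES.items() if g in groups]
```

`build_bindings()` returns the group map, the unresolved members and the manifests; the directory admin `cn=admin,dc=example,dc=com` shows up as unresolved in both groups because it is the bind account, not a user under ou=users, which is a useful signal when a binding would otherwise silently omit someone. Feeding the tool real `ldapsearch -LLL` output instead of the constructed strings is the intended use.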
4.2 OAuth2 Integration in Practice
4.2.1 Test OAuth2 Login
# In the KubeSphere console click "Login with Keycloak"
# Log in with the Keycloak user
# Username: wangwu
# Password: wangwu123
# Verify the user
kubectl get users -A | grep wangwu
kubesphere-system wangwu wangwu@example.com Active
4.2.2 Configure OAuth2 Permissions
cat <<EOF | kubectl apply -f -
apiVersion: iam.kubesphere.io/v1alpha2
kind: RoleBinding
metadata:
  name: oauth2-admins-admin
  namespace: kubesphere-devops-system
subjects:
  - kind: User
    name: wangwu
roleRef:
  kind: ClusterRole
  name: cluster-admin
EOF
rolebinding.iam.kubesphere.io/oauth2-admins-admin created
5. Lessons Learned
5.1 Best Practices
5.1.1 LDAP Integration Best Practices
- Secure connections: encrypt LDAP traffic with LDAPS
- Least privilege: use a minimally privileged bind account for LDAP
- Caching: configure an LDAP cache to reduce directory queries
- Failover: configure multiple LDAP servers for high availability
- Audit logging: enable LDAP audit logging
5.1.2 OAuth2 Integration Best Practices
- HTTPS: encrypt OAuth2 traffic with HTTPS
- Token management: set sensible token expiry times
- Scope restriction: request only the OAuth2 scopes that are needed
- Callback URL: configure the correct redirect (callback) URL
- Secret management: store OAuth2 client secrets securely
5.2 Common Problems
5.2.1 LDAP Problems
- Problem 1: LDAP connection fails
- Solution: check the LDAP server address and port
- Problem 2: LDAP authentication fails
- Solution: check the bind DN and password
- Problem 3: LDAP user cannot log in
- Solution: check the user search filter and permissions
5.2.2 OAuth2 Problems
- Problem 1: OAuth2 authorization fails
- Solution: check the client ID and secret
- Problem 2: OAuth2 callback fails
- Solution: check the callback URL configuration
- Problem 3: OAuth2 token invalid
- Solution: check the token expiry time
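"Token invalid" after a Keycloak login is usually one of a handful of claim checks failing, and expiry is only the first of them: the relying party must also verify that `iss` equals the configured issuer byte for byte (the `issuer` in 3.3.3 has to be exactly what Keycloak puts in the token, so a trailing slash or an http/https difference is a mismatch), that `aud` contains the client ID (with `azp` naming the client when several audiences are present), and that the `nonce` matches the login request. The following Python is an added example, not part of this tutorial and not KubeSphere or Keycloak code; it performs those checks as OpenID Connect Core 1.0 section 3.1.3.7 requires, and assumes the signature has already been verified against the provider's JWKS (not shown). Issuer and client ID are taken from the configuration in 3.3.3; the tokens are constructed fixtures with a placeholder signature segment.

```python
"""Validate the claims of an OIDC ID token the way a relying party must (OpenID Connect
Core 1.0, section 3.1.3.7) before accepting the login: issuer, audience, expiry,
issued-at and nonce.  Added example, not KubeSphere code.  It assumes the signature has
already been verified against the provider's JWKS (not shown); issuer and client ID come
from the configuration in 3.3.3, and the tokens built here are constructed fixtures."""
import base64
import json
import time

ISSUER = "http://keycloak.kubesphere-system.svc:8080/realms/kubesphere"
CLIENT_ID = "kubesphere"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWS; no signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, issuer: str = ISSUER, client_id: str = CLIENT_ID,
                             nonce: str = None, now: int = None, leeway: int = 60) -> list:
    """Return the list of problems found; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    # iss must equal the configured issuer exactly: a trailing slash or an http/https
    # difference is a mismatch, not a near miss
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    # aud is a string or a list; our client must be listed, and with several audiences
    # azp must name us (otherwise a token minted for another client would be accepted)
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        problems.append("aud does not contain client_id")
    elif len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not client_id")
    # exp with a small clock-skew allowance (5.2.2 problem 3 is usually this check)
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if isinstance(iat, int) and iat > now + leeway:
        problems.append("iat is in the future")
    # nonce binds the token to the login request that started the flow
    if nonce is not None and claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if not claims.get("sub"):
        problems.append("sub missing")
    return problems


def check_login_token(token: str, nonce: str, now: int = None) -> list:
    """Decode the token from the callback and run the claim checks (after signature verification)."""
    return validate_id_token_claims(decode_jwt_payload(token), nonce=nonce, now=now)


def make_test_token(claims: dict) -> str:
    """Build a constructed fixture: real header/payload encoding, placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.c2ln"
```

`validate_id_token_claims` returns every problem rather than stopping at the first, which makes a failed login easy to explain in a log line. The `leeway` of 60 seconds covers clock skew between Keycloak and ks-apiserver; when "token invalid" appears right after a fresh login, an `iat` in the future or an immediately expired `exp` points at the clocks, not at the configuration.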
5.3 Security Recommendations
5.3.1 Transport Security
- Encrypted transport: use LDAPS and HTTPS
- Certificate validation: verify server certificates
- Network isolation: isolate the authentication network
- Firewall rules: restrict access with firewall rules
5.3.2 Access Control
- Least privilege: follow the principle of least privilege
- Permission isolation: isolate permissions between users
- Regular audits: audit user permissions regularly
- Password policy: enforce a strong password policy
This article was compiled and published by Fengge Tutorials for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
