Kubernetes OIDC: No valid group mapping


Problem description

I have the problem that I can log on to my dashboard via OIDC, but then the oidc group information is not mapped correctly and I cannot access the corresponding resources.

Basic setup

  • K8s version: 1.19.0
  • K8s setup: 1 master + 2 worker nodes
  • Based on Debian 10 VMs
  • CNI: Calico
  • Louketo Proxy as OIDC proxy
  • OIDC: Keycloak Server (Keycloak X [Quarkus])

Configuration

I have configured the K8s apiserver with these parameters.

kube-apiserver.yaml

- --oidc-issuer-url=https://test.test.com/auth/realms/Test
- --oidc-client-id=test
- --oidc-username-claim=preferred_username
- --oidc-username-prefix="oidc:"
- --oidc-groups-claim=groups
- --oidc-groups-prefix="oidc:"

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "test-cluster-admin"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "Test"

I used the following louketo parameters

Louketo Proxy

/usr/bin/louketo-proxy --discovery-url=$OIDC_DISCOVERY_URL --client-id=$OIDC_CLIENT_ID --client-secret=$OIDC_CLIENT_SECRET  -listen=$OIDC_LISTEN_URL --encryption-key=$OIDC_ENCRYPTION_KEY --redirection-url=$OIDC_REDIRECTION_KEY --enable-refresh-tokens=true --upstream-url=$OIDC_UPSTREAM_URL --enable-metrics

I get the following error message inside the dashboard (K8s error):

replicasets.apps is forbidden: User "\"oidc:\"<user_name>" cannot list resource "replicasets" in API group "apps" in the namespace "default"

I hope you can help me with this problem, I already tried most of the manuals from the internet, but haven't found a solution yet.

PS: I have done the corresponding group mapping in the Keycloak server and also validated that the group entry is transferred.

Answer

If you are facing the same challenge as I did and you want to integrate Keycloak into your K8s cluster, share the dashboard and connect it to Keycloak, you can find my configuration below. Within my cluster I use the Louketo Proxy as interface between Kubernetes and Keycloak. The corresponding configuration of the deployment is not included in this post.

Keycloak

I want to start with the configuration of Keycloak. In the first step I created a corresponding client with the following settings.

After that I created the two group membership and audience (needed by the louketo proxy) mappers.

The exact settings of the mappers can be taken from the two images.

Group membership mapper

Audience mapper

Kubernetes

In the second step I had to update the api server manifest and create the RoleBinding and ClusterRoleBinding within the Kubernetes cluster.

API server manifest (default path: /etc/kubernetes/manifests/kube-apiserver.yaml)

- --oidc-issuer-url=https://test.test.com/auth/realms/Test
- --oidc-client-id=test
- --oidc-username-claim=preferred_username
- --oidc-username-prefix="oidc:"
- --oidc-groups-claim=groups
- --oidc-groups-prefix="oidc:"

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "test"
  namespace: "kubernetes-dashboard"
subjects:
- kind: User
  name: "\"oidc:\"Test"
  namespace: "kube-system"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "test"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "\"oidc:\"Test"

@Community I hope I could help you with this configuration. If you have any questions, feel free to ask me.
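As an added illustration that is not part of the question or answer above, the following Python script models how the apiserver turns its OIDC flags and the token claims into the user and group names that RBAC compares against, using the flags exactly as written in the manifest on this page. It shows why a Group subject named `Test` never matched while `"oidc:"Test` did, and what the same flags yield with the quotes removed (an assumption about the intended values). The token claims are constructed.

```python
# Constructed sample: the kube-apiserver OIDC flags exactly as written in the
# static-pod manifest on this page. In a YAML plain scalar the double quotes
# are part of the value, so the prefix the binary receives is `"oidc:"`.
PAGE_FLAGS = [
    "--oidc-issuer-url=https://test.test.com/auth/realms/Test",
    "--oidc-client-id=test",
    "--oidc-username-claim=preferred_username",
    '--oidc-username-prefix="oidc:"',
    "--oidc-groups-claim=groups",
    '--oidc-groups-prefix="oidc:"',
]
# The same flags with the quotes removed (assumption: the values the author
# intended; the page keeps the quotes in both the flags and the bindings).
UNQUOTED_FLAGS = [f.replace('"', "") for f in PAGE_FLAGS]

# Constructed sample ID-token claims for a Keycloak user in the group "Test".
# Signature and expiry checks happen before this mapping and are out of scope.
SAMPLE_CLAIMS = {"iss": "https://test.test.com/auth/realms/Test", "aud": "test",
                 "preferred_username": "alice", "groups": ["Test"]}

def parse_oidc_flags(args: list) -> dict:
    """Turn `--oidc-x=y` arguments into {"oidc-x": "y"}; values are verbatim."""
    flags = {}
    for arg in args:
        if arg.startswith("--oidc-"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value
    return flags

def map_identity(flags: dict, claims: dict) -> dict:
    """Documented apiserver rules: user = prefix + claim ('-' disables it, an
    absent prefix on a non-email claim defaults to '<issuer>#'); group = prefix + name."""
    uclaim = flags.get("oidc-username-claim", "sub")
    uprefix = flags.get("oidc-username-prefix")
    if uprefix is None:
        uprefix = "" if uclaim == "email" else flags["oidc-issuer-url"] + "#"
    elif uprefix == "-":
        uprefix = ""
    gprefix = flags.get("oidc-groups-prefix", "")
    groups = claims.get(flags.get("oidc-groups-claim", ""), [])
    return {"user": uprefix + str(claims[uclaim]),
            "groups": [gprefix + g for g in groups]}

def binding_matches(identity: dict, kind: str, name: str) -> bool:
    """Does an RBAC subject of kind User/Group with this exact name apply?"""
    if kind == "User":
        return identity["user"] == name
    return kind == "Group" and name in identity["groups"]
```

Running `map_identity(parse_oidc_flags(PAGE_FLAGS), SAMPLE_CLAIMS)` reproduces the quoted `"oidc:"alice` user seen in the dashboard error, which is why only subjects that carry the literal quotes match.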
