1,基本概念

  • 为了方便管理和集成jenkins,k8s、harbor、jenkins均使用openLDAP统一认证。

2,部署openLDAP

  • 根据之前的文档,openLDAP使用GFS进行数据持久化。
  • 下载对应的openLDAP文件
git clone https://github.com/xiaoqshuo/k8s-cluster.git

2.1 创建openLDAP

[root@k8s-master01 k8s-cluster]# kubectl apply -f openldap/
deployment.extensions/ldap created
persistentvolumeclaim/openldap-data created
secret/ldap-secret created
service/ldap-service created
deployment.extensions/phpldapadmin created
service/phpldapadmin created
  • 此处参考的是:https://github.com/osixia/docker-openldap,更新DN可以更改environment下的yaml文件,默认的example.org

2.2 创建ldap-ui-ingress

[root@k8s-master01 openldap]# kubectl create -f traefik-ldap.yaml 
ingress.extensions/ldap-ui created

[root@k8s-master01 openldap]# cat traefik-ldap.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ldap-ui
  namespace: public-service
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: ldap.k8s.net
    http:
      paths:
      - backend:
          serviceName: phpldapadmin
          servicePort: 8080

3, 查看验证

[root@k8s-master01 openldap]# kubectl get po,svc,pvc -n public-service | grep ldap
pod/ldap-6c9fcc7446-r52r7          1/1     Running   0          4m19s
pod/phpldapadmin-6784bf8db-gxqw2   1/1     Running   0          4m16s

service/glusterfs-dynamic-openldap-data   ClusterIP   10.96.177.154    <none>        1/TCP                            3m29s
service/ldap-service                      ClusterIP   10.111.36.109    <none>        389/TCP,636/TCP                  4m16s
service/phpldapadmin                      ClusterIP   10.103.142.162   <none>        8080/TCP                         4m11s

persistentvolumeclaim/openldap-data                                              Bound    pvc-252ac771-01da-11e9-b0c8-000c2927a0d0   1Gi        RWX            gluster-heketi                 4m20s

3.1 访问web

  • 访问phpldapadmin:ldap.k8s.net

1306461-20181217170715571-1509304917.png

  • 登录
  • 默认DN:cn=admin,dc=example,dc=org,默认Password:admin(线上系统需自定义修改)

1306461-20181218092409949-1560719290.png

1306461-20181218092506123-602106939.png

4, 添加用户和组

4.1 创建Groups和People OU

  • People OU

1306461-20190128134152609-22993057.png

  • Groups

1306461-20181221112915442-620641964.png

4.2 创建组和用户

4.2.1 组 dev devops test

1306461-20190128134256646-781093785.png

1306461-20181221113102427-2121130888.png

  • 组结果

1306461-20181221113245308-2132636969.png

4.2.2 用户

1306461-20181221113449142-1201712806.png

  • 填写基本信息,选择组和Login Shell
  • 注意修改Common Name

1306461-20181221113904907-480411119.png

1306461-20181221113929093-2121698363.png

  • 结果

1306461-20181221113951541-2110954495.png

4.3 为每个用户添加Email,没有Email无法登陆gitlab

1306461-20181221114047973-1700401100.png

5,配置k8s使用ldap登录

未完待续

  • 参考:
    • https://www.cnblogs.com/dukuan/p/9983899.html
    • https://github.com/osixia/
    • https://icicimov.github.io/blog/virtualization/Kubernetes-LDAP-Authentication/
    • https://github.com/nginxinc/nginx-ldap-auth.git

转载于:https://www.cnblogs.com/xiaoqshuo/p/10132588.html

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐