This change replaces the usage of Service Tokens by OIDC tokens in the instructions of Kubernetes cluster local and remote access. Some other changes were made, like the deletion of redundant pages.

Story: 2010738
Task: 49561
Change-Id: Ie8206ecd316efd356a5889899a68f9a9ddbcdfa6
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Configure Kubernetes Client Access
You can configure Kubernetes access for local and remote clients to authenticate through Windows Active Directory or server using oidc-auth-apps Identity Provider (dex).
Configure Kubernetes Local Client Access
Use the procedure below to configure Kubernetes access for a user logged in to the active controller either through SSH or by using the system console.
Execute the commands below to create the Kubernetes configuration file for the logged-in user. These commands only need to be executed once. The file "~/.kube/config" will be created; the user referred to in its contents is the currently logged-in user.
~$ kubeconfig-setup
~$ source ~/.profile
Run the oidc-auth script to authenticate and update the user credentials in the Kubernetes configuration file.
~$ oidc-auth
Note
The oidc-auth script has the following optional parameters that may need to be specified:
-c <OIDC_app_IP>
: This is the IP where the OIDC app is running. When not provided, it defaults to "oamcontroller", which is an alias for the controller floating IP. There are two cases where this parameter is needed: local client access inside subclouds of a centralized setup, where oidc-auth-apps runs only on the System Controller, and remote client access.
-p <password>
: This is the user password. If it is not provided, the user is prompted for it. This parameter is essential in non-interactive shells.
-u <username>
: This is the user to be authenticated. When not provided, it defaults to the currently logged-in user. This parameter is usually needed in remote client access scenarios, where the currently logged-in user is different from the user to be authenticated.
-b <backend_ID>
: This parameter specifies the backend used for authentication. It is only needed if more than one backend is configured at the oidc-auth-apps Identity Provider (Dex).
Configure Kubernetes Remote Client Access
Access to the Kubernetes cluster from outside the controller can be set up using the remote CLI container or using the host directly. Both options are described below.
Kubernetes Remote Client Access using the Container-backed Remote CLI
The steps needed to set up remote Kubernetes access using the container-backed remote CLI are described in Configure Container-backed Remote CLIs and Clients and Use Container-backed Remote CLIs and Clients.
Kubernetes Remote Client Access using the Host Directly
Install the kubectl client CLI on the host. Follow the instructions in Install and Set Up kubectl on Linux. The example below can be used for Ubuntu.
% sudo apt-get update
% sudo apt-get install -y apt-transport-https
% curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
% echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list
% sudo apt-get update
% sudo apt-get install -y kubectl
Optional: Contact your system administrator for the Kubernetes cluster's public root certificate. Copy this certificate to your system as k8s-ca.crt. This step is strongly recommended, but it is still possible to connect to the Kubernetes cluster without this certificate.
Create an empty Kubernetes configuration file (the default path is ~/.kube/config). Execute the commands below to update this file. Use the IP address and the Kubernetes certificate acquired in the previous step. If the IP is IPv6, enclose it in brackets (example: "[fd00::a14:803]"). In the example below, the user is "admin-user"; change it to the name of the user you want to authenticate.
$ MYUSER="admin-user"
$ kubectl config set-cluster wrcpcluster --server=https://<OAM_IP>:6443
$ kubectl config set clusters.wrcpcluster.certificate-authority-data $(base64 -w0 k8s-ca.crt)
$ kubectl config set-context ${MYUSER}@wrcpcluster --cluster=wrcpcluster --user ${MYUSER}
$ kubectl config use-context ${MYUSER}@wrcpcluster
If you don't have the Kubernetes certificate, execute the following commands instead.
$ MYUSER="admin-user"
$ kubectl config set-cluster wrcpcluster --server=https://<OAM_IP>:6443 --insecure-skip-tls-verify
$ kubectl config set-context ${MYUSER}@wrcpcluster --cluster=wrcpcluster --user ${MYUSER}
$ kubectl config use-context ${MYUSER}@wrcpcluster
Get a Kubernetes authentication token. There are two options: the first is through the oidc-auth script and the second is through a browser. Both options are described below.
To get the token through the oidc-auth script, execute the steps below.
Install "Python Mechanize" module using the following command:
$ sudo pip install mechanize
Install the oidc-auth from .
Execute the command below to get the token and update it in the Kubernetes configuration file. If the target environment has multiple backends configured, you will need to use the parameter -b <backend_ID>. If the target environment is a system with a centralized setup, use the IP of the System Controller.
$ oidc-auth -u ${MYUSER} -c <OAM_IP>
To get the token through a browser, execute the steps below.
Use the following URL to log in to the oidc-auth-apps client: https://<oam-floating-ip-address>:30555. If the target environment is a system with a centralized setup, use the IP of the System Controller.
If oidc-auth-apps has been configured with multiple 'ldap' connectors, select the Windows Active Directory or the server to use for authentication.
Enter your Username and Password.
Click Login. The ID token and Refresh token are displayed as follows:
ID Token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ4ZjZkYjcxNGI4ODQ5ZjZlNmExM2Y2ZTQzODVhMWE1MjM0YzE1NTQifQ.eyJpc3MiOiJodHRwczovLzEyOC4yMjQuMTUxLjE3MDozMDU1Ni9kZXgiLCJzdWIiOiJDZ2R3ZG5SbGMzUXhFZ1JzWkdGdyIsImF1ZCI6InN0eC1vaWRjLWNsaWVudC1hcHAiLCJleHAiOjE1ODI1NzczMTksImlhdCI6MTU4MjU3NzMwOSwiYXRfaGFzaCI6ImhzRG1kdTFIWGFCcXFNLXBpYWoyaXciLCJlbWFpbCI6InB2dGVzdDEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6InB2dGVzdDEifQ.TEZ-YMd8kavTGCw_FUR4iGQWf16DWsmqxW89ZlKHxaqPzAJUjGnW5NRdRytiDtf1d9iNIxOT6cGSOJI694qiMVcb-nD856OgCvU58o-e3ZkLaLGDbTP2mmoaqqBYW2FDIJNcV0jt-yq5rc9cNQopGtFXbGr6ZV2idysHooa7rA1543EUpg2FNE4qZ297_WXU7x0Qk2yDNRq-ngNQRWkwsERM3INBktwQpRUg2na3eK_jHpC6AMiUxyyMu3o3FurTfvOp3F0eyjSVgLqhC2Rh4xMbK4LgbBTN35pvnMRwOpL7gJPgaZDd0ttC9L5dBnRs9uT-s2g4j2hjV9rh3KciHQ
Access Token: wcgw4mhddrk7jd24whofclgmj
Claims: {
  "iss": "https://128.224.151.170:30556/dex",
  "sub": "CgdwdnRlc3QxEgRsZGFw",
  "aud": "stx-oidc-client-app",
  "exp": 1582577319,
  "iat": 1582577319,
  "at_hash": "hsDmdu1HXaBqqM-piaj2iw",
  "email": "testuser",
  "email_verified": true,
  "groups": [
    "billingDeptGroup",
    "managerGroup"
  ],
  "name": "testuser"
}
Refresh Token: ChljdmoybDZ0Y3BiYnR0cmp6N2xlejNmd3F5Ehlid290enR5enR1NWw1dWM2Y2V4dnVlcHli
Use the ID token to set the Kubernetes credentials in the kubectl configuration:
$ TOKEN=<ID_token_string>
$ kubectl config set-credentials ${MYUSER} --token ${TOKEN}
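The remote-host procedure above ends with pasting an ID token into the kubeconfig by hand. The following added example (not part of this document or of the oidc-auth-apps project) checks the token's issuer, audience and expiry before it is installed, using the issuer and audience values from the sample claims shown above, and builds the same kubeconfig structure that the kubectl commands write, with the CA pinned rather than --insecure-skip-tls-verify. The function names and build_test_token (a constructed, unsigned token used only so the example runs offline) are assumptions.

```python
import base64
import json
import time

EXPECTED_ISS = "https://128.224.151.170:30556/dex"  # from the page's sample claims
EXPECTED_AUD = "stx-oidc-client-app"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def build_test_token(claims: dict) -> str:
    """Constructed, unsigned JWT (dummy signature) so the check runs offline."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def decode_jwt_claims(token: str) -> dict:
    """Read a JWT payload without verifying its signature (the API server does
    that against Dex's keys); this only keeps a bad token out of ~/.kube/config."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_id_token(token: str, now=None) -> list:
    """Return the problems found; an empty list means the token is usable."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISS:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if float(claims.get("exp", 0)) <= now:
        problems.append("expired")
    return problems

def make_kubeconfig(server, ca_pem: bytes, user, id_token, cluster="wrcpcluster"):
    """Structure the set-cluster / set-context / use-context / set-credentials
    commands above produce, with the CA pinned instead of --insecure-skip-tls-verify."""
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {"server": server,
            "certificate-authority-data": base64.b64encode(ca_pem).decode()}}],
        "users": [{"name": user, "user": {"token": id_token}}],
        "contexts": [{"name": f"{user}@{cluster}",
                      "context": {"cluster": cluster, "user": user}}],
        "current-context": f"{user}@{cluster}",
    }
```

The resulting dict can be dumped as YAML to ~/.kube/config; an ID token is short-lived (the sample above carries a ten-second exp/iat window), so re-run oidc-auth rather than reusing an expired one.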