Log in to KubeSphere with your GitLab account

Author: Li Shuai

introduce

KubeSphere multi-tenancy is a very required function in actual production use, which meets the needs of different users to log in to the KubeSphere platform. For example, development, operation and maintenance, and testing all need to log in to the KubeSphere platform, and different permissions need to be configured for users with different identities. When there are many users in the company who need to access KubeSphere, it is not very flexible for administrators to manually create accounts for users. KubeSphere includes a built-in OAuth service and account system. Users can authenticate the API by obtaining an OAuth access token. We can provide authentication information by accessing LDAP or OIDC.

Multi-tenancy scenario

Authentication link

use

It is assumed that KubeSphere has been minimally installed in the cluster. Here we use the OIDC identity provider for authentication, access to GitLab through Dex, and use the users in GitLab to complete the authentication.

Install Dex

Dex is an authentication service that uses OpenID Connect to drive authentication for other applications. Dex acts as a gateway to other identity providers through "connectors". Dex can push authentication to LDAP servers, SAML providers, or established identity providers such as GitHub, Gitlab, Google, Active Directory, and more. The client writes authentication logic to interact with Dex for authentication, and then Dex forwards it to the back-end user authenticator through the connector for authentication, and returns the Oauth2 Token to the client. Similar authentication services are Keycloak, auth0, etc.

First, you need to create an application on gitlab, and check these read_user profile email openid in the scope. After creation, you need to remember the application id and password on the page, which will be used later.

#添加dex的helm仓库
root@i-tsfhx8p6:~/qke-k8s/dex# helm repo add dex https://charts.dexidp.io
"dex" has been added to your repositories
#下载dex的chart 文件到本地
root@i-tsfhx8p6:~/qke-k8s/dex# helm pull dex/dex
root@i-tsfhx8p6:~/qke-k8s/dex# ls
dex-0.5.0.tgz
root@i-tsfhx8p6:~/qke-k8s/dex# tar xf dex-0.5.0.tgz 
root@i-tsfhx8p6:~/qke-k8s/dex# ls
dex  dex-0.5.0.tgz
root@i-tsfhx8p6:~/qke-k8s/dex# ls dex
Chart.yaml  LICENSE  README.md  ci  templates  values.yaml

Modify values.yaml file

replicaCount: 1

image:
  repository: dexidp/dex
  pullPolicy: IfNotPresent
  tag: "v2.29.0"

imagePullSecrets: []

nameOverride: ""

fullnameOverride: ""

hostAliases: []

https:
  # -- Enable the HTTPS endpoint.
  enabled: false

grpc:
  # -- Enable the gRPC endpoint.
  # Read more in the [documentation](https://dexidp.io/docs/api/).
  enabled: false

configSecret:
  # -- Enable creating a secret from the values passed to `config`.
  # If set to false, name must point to an existing secret.
  create: true

  # -- The name of the secret to mount as configuration in the pod.
  # If not set and create is true, a name is generated using the fullname template.
  # Must point to secret that contains at least a `config.yaml` key.
  name: ""

config: 
  issuer: https://dex-qke.lishuai.fun  #修改为你实际的地址
  storage: 
    type: kubernetes
    config:
      inCluster: true
  web:
    http: 0.0.0.0:5556
  telemetry:
    http: 0.0.0.0:5558
  expiry:
    signingKeys: "6h"
    idTokens: "24h"
  logger:
    level: debug
    format: json
  oauth2:
    responseTypes: ["code", "token", "id_token"]
    skipApprovalScreen: true
  connectors:
  - type: gitlab
    id: gitlab
    name: GitLab
    config:
      baseURL: https://gitlab.lishuai.fun  #修改为你实际的gitlab 地址 
      clientID: ca14d16e376b6f6634*********57378d1267e946e9d3e758e2f0     #修改为你gitlab 应用的clientid
      clientSecret: 15dcb3501becd17******1b82b05874e2ef893b7a0888fdaaa37885fd9387  #修改为你gitlab 应用的clientsecert
      redirectURI: https://dex-qke.lishuai.fun/callback  #修改为你实际的地址，格式为(dex issuer)/callback
      groups:
      - k8s-auth
      - k8s-auth/dashboard
      - k8s-auth/dashboard/show  ##gitlab项目组，只允许dashboard项目组成员访问
  staticClients:
  - id: dex-k8s-authenticator
    name: dex-k8s-authenticator
    secret: generatedLongRandomPhrase
    redirectURIs:
    - 'http://kubesphere.lishuai.fun/oauth/redirect/dex' #这个是kubesphere的回调地址，对于dex认证，格式为kubesphere_url/oauth/redirect/dex

volumes: []

volumeMounts: []

envFrom: []

env: {}

serviceAccount:
  # -- Enable service account creation.
  create: true

  # -- Annotations to be added to the service account.
  annotations: {}

  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  name: "dex-sa"

rbac:
  create: true

podAnnotations: {}

podDisruptionBudget:
  enabled: false
  minAvailable:
  maxUnavailable:
priorityClassName: ""
podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  annotations: {}
  type: ClusterIP

  ports:
    http:
      port: 5556
      nodePort:
    https:
      port: 5554
      nodePort:
    grpc:
      port: 5557
      nodePort:

ingress:
  enabled: true
  className: ""

  annotations: 
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: tls  #集群内已经安装了cert-manager，通过cert-manager来进行证书签发

  hosts:
    - host: dex-qke.lishuai.fun
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: 
  - secretName: dex-tls
    hosts:
      - dex-qke.lishuai.fun

resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

nodeSelector: {}

tolerations: []

affinity: {}

There are a few things to note here:

• The groups under the Gitlab configuration are project groups, which need to be filled in according to the actual situation. Only members of the project group filled in here will be allowed to authenticate through Dex.
• If cert-manager is not installed in the cluster, you need to manually create the secert of the certificate

Execute the following command to install.

root@i-tsfhx8p6:~/qke-k8s/dex# ls
dex  dex-0.5.0.tgz
#在当前目录执行
kubectl create ns dex 
kubectl -n dex install dex dex

root@i-tsfhx8p6:~/qke-k8s/dex# kubectl -n dex get pod 
NAME                                  READY   STATUS    RESTARTS   AGE
dex-d8c5cdfc-577gf                    1/1     Running   0          21h

Configure KubeSphere

After installing Dex, you need to modify cluster-configuration.yaml .

apiVersion: installer.kubesphere.io/v1alpha1
kind: ClusterConfiguration
metadata:
  name: ks-installer
  namespace: kubesphere-system
  labels:
    version: v3.1.1
spec:
  persistence:
    storageClass: "longhorn"        # If there is no default StorageClass in your cluster, you need to specify an existing StorageClass here.
  authentication:
    jwtSecret: ""
    authenticateRateLimiterMaxTries: 10
    authenticateRateLimiterDuration: 10m0s
    oauthOptions:
      accessTokenMaxAge: 1h
      accessTokenInactivityTimeout: 30m
      identityProviders:
      - name: dex
        type: OIDCIdentityProvider
        mappingMethod: auto
        provider:
          clientID: 'dex-k8s-authenticator'
          clientSecret: 'gener*******ongRandomPhrase'
          issuer: https://dex-qke.lishuai.fun
          redirectURL: http://kubesphere.lishuai.fun/oauth/redirect/dex
          scopes:
          - openid
          - email
......

Parameter explanation:

• authenticateRateLimiterMaxTries : The maximum number of consecutive login failures allowed during the period specified by authenticateLimiterDuration If the number of consecutive login failures for a user reaches the limit, the user will be banned.
• authenticateRateLimiterDuration : authenticateRateLimiterMaxTries on 061f25f18b294b.
• loginHistoryRetentionPeriod : User login record retention period, expired entries will be automatically deleted.
• maximumClockSkew : Controls the maximum clock offset allowed when performing time-sensitive operations (such as validating the expiration time of a user token), the default is 10 seconds.
• multipleLogin : Allow multiple users to log in from different locations at the same time, the default is true .
• jwtSecret : The key to issue the user token, with a minimum length of 32 characters. multi-cluster environments .

oauthOptions : OAuth settings

• accessTokenMaxAge : Access token validity period. For member clusters in a multi-cluster environment, the default is 0h , which means that the access token never expires. For other clusters, the default is 2h .
• accessTokenInactivityTimeout : Token idle timeout. This value represents the maximum interval for refreshing the user token after the token expires. If the user identity token is not refreshed within this time window, the user will need to log in again to gain access.

• identityProviders: Identity provider settings

  • name : The name of the identity provider.
  • type : Type of identity provider.
  • mappingMethod : Account mapping method. The value can be auto or lookup .
  • The default is auto , an associated account is automatically created when logging in through a third-party account.
  • If the value is lookup , you need to manually associate the third-party account with the KubeSphere account.
  • provider : Identity provider configuration, the fields in this section vary depending on the type of identity provider

provider:

• ​ clientID: OAuth2 client ID
• ​ clientSecret: OAuth2 client secert
• ​ issuer: the address of dex
• ​ redirectURL: redirect to the URL of ks-console, note that this address should also be configured in dex

After modification, execute kubectl apply -f cluster-configuration.yaml .

The authentication configuration can also be modified with the following command:

kubectl -n kubesphere-system edit cc ks-installer

configuration example :

apiVersion: installer.kubesphere.io/v1alpha1
kind: ClusterConfiguration
metadata:
  name: ks-installer
spec:
  authentication:
    jwtSecret: ********************************
    authenticateRateLimiterMaxTries: 10
    authenticateRateLimiterDuration: 10m
    oauthOptions:
      accessTokenInactivityTimeout: 30m
      accessTokenMaxAge: 1h
      identityProviders:
      - mappingMethod: auto
        name: github
        type: GitHubIdentityProvider
        provider:
...

After modifying the above configuration, you need to wait for the configuration to take effect. You can run the following commands to view the related progress and logs:

 kubectl -n kubesphere-system logs -l app=ks-installer -f

After re-applying, open the login page and you will find that there are more 161f25f18b2d95 buttons through dex on the login page.

After clicking, it will automatically jump to Gitlab for authentication. For the first login, you need to authorize the application to access. Here, it should be noted that the Gitlab users who are allowed to access KubeSphere are users in the Gitlab project group defined in the Dex service. In fact, we can set specific For a specific project group, add users to the project group to implement user login restrictions.

After clicking authorize allow, KubeSphere will let us confirm the account information. At this time, we need to modify the user name reasonably.

After the setting is completed, you can enter KubeSphere. At this time, the user does not have any access rights, and the administrator needs to authorize the user to use it normally. I hope that KubeSphere can support the user group before the user logs in. Authorize, or collect money from users through email in advance, to avoid the need for administrators to manually create permissions after users log in.

This article is published by the blog OpenWrite !