Home / Linux / System utilities

Multi-cluster k8s dashboard ldap unified login and authorization tool

Why write such a tool? This is because we have more than one kubernetes cluster (8+), The apiserver configuration cannot be modified because it is hosted in the cloud , it will bring us a pain points, development, sre need to login to k8s dashbaord and requires a different between different departments and role authorization

logo.png

Origin

Why write such a tool? This is because we have more than one kubernetes cluster (8+), The apiserver configuration cannot be modified because it is hosted in the cloud , it will bring us a pain points, development, sre need to login to k8s dashbaord and requires a different between different departments and role authorization, the original is through sa token log in dashboard, but as the growth of the k8s cluster, each adding a cluster, you need to inform use corresponding dashboard access addresses and corresponding token, This is painful for both the provider and the user. Is there a tool that provides a unified address and access to multiple cluster Dashboards? After some searching, it is found that there is no. Most of the solutions in the market are single cluster integration LDAP solutions, mainly DEX solutions, but the unified login authorization scheme of single cluster alone makes people feel very difficult. Aren't there simple and convenient tools for us to use? Well, I'm going to build a tool like this.

Dashboard LDAP integration solutions:

The above two documents are LDAP scheme, I feel good, for the need of people reference!

How to design

Objective: ** Simple use **!! By accessing the same address, the dashboard of different clusters can be switched using LDAP login and different cluster permissions can be configured separately!

With the above goals, how to achieve them?

The implementation method is actually very simple. First write a login interface to communicate with the company's AD to obtain users and groups, and then associate the users or groups with the service account in the k8s cluster to realize the corresponding rbac and login token. After logging in, you can complete a reverse proxy service.

Is it very simple! ! !

Implementation Technology Stack:golang(gin、client-go、viper、ldap) + Kubernetes Dashboard / Kuboard

How to deploy

Prerequisites

Before using this tool, you need to have the following conditions:

  1. Dashboard has been deployed in each k8s cluster and can be accessed by this tool
  2. Already have ldap and have administrative rights to access operations
  3. Corresponding service accounts can be mapped in each cluster. If you need to have different operation permissions for different users and groups, you can authorize sa for rbac, which will be explained in detail below.
  4. This tool needs to operate the APIs of each cluster, so you need to obtain the apiserver address, ca.crt and token of each cluster for configuration. As for the ca.crt and token of each cluster, if you get it, Will be explained later

How to get ca.crt and token

This tool needs to operate the API of each cluster to obtain the corresponding sa and token, so it needs to have permission to operate each cluster. How to generate corresponding CA certificates and tokens in each cluster? The answer is to create an sa and give certain permissions.

Execute the following yaml file in each k8s cluster:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mutiboard-ldap
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mutiboard-ldap-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mutiboard-ldap-view
subjects:
- kind: ServiceAccount
  name: mutiboard-ldap
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mutiboard-ldap-view
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch

The meaning of this yaml file: create an sa named mutiboard-ldap, and give get and list permissions to serviceaccounts and secrets.

Get the ca.crt of mutiboard-ldap:

(⎈|aws-local:default)❯ echo $(kubectl get secret $(kubectl get secret | grep mutiboard-ldap | awk '{print $1}') -o go-template='{{index .data "ca.crt"}}') | base64 -d

-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTE5MDEyNTEwMTgzNFoXDTI5MDEyMjEwMTgzNFowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmc
TW0stLLP+M6Pc9wpRgZufg6eQ7puBfbYgik20QlO4LFtocgNUDa0y+aSXjxheA2C
A+o9wW0IC3GHQHKgeFY8KXIJu6wM0TO+JNQy5XZAWfbsLeXU/sLhKuWET/KJzVWT
0uBE+GCADAAQIec1oQXMbQ551hU5gBFcr67NXHpa2qwEGA1mGtZ7ztmW4+IFUD74
G166z4AOgmR4YWxBs/+8NhfWudFD32xevBfSKuHRxRGG5dtffY8QnRbnrmy70HE5
yzLtBvAGfCwtHLTP2ngCAnn2Fb6IeMdIYGpI1544ZjRbzT1YIWsG1v3dlu6tvK1q
X5Pj+UTDmJuf2SW52A0CAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKE2hV0DIG8fSf4/eOi5R2sPRfBW
qTwgZDDT9dxZNhbxEInALdruwRUbKRpwaUBOGVpIlaK3/rZkAfjUwoDJ+J4fmmCX
w3ySrYFjx6tqVFqCPjDkBHh4xpMwUlvsvryRuCEQUQgjqBvj6sWm9GERF2n3VYBF
S8bjsQQAZJoE4W+OKchlEoSFlKhxAoeZx9CD3Rxnhj2og6doVoGCUqAMh4WZWX+w
pENnui6M96SysH3SkrA02RXWTGeKzK4E6Av3IG+2a2hauHorbqVfaM6HeL3hkU/B
JCWpOgN3T4Fw7E359CBQxnSHPasmZ5VBoyIk/HUU6ZlMK6Xo6JlbS7ZvVl4=
-----END CERTIFICATE-----

Get the token of mutiboard-ldap:

(⎈|aws-local:default)❯ echo $(kubectl get secret $(kubectl get secret | grep mutiboard-ldap | awk '{print $1}') -o go-template='{{.data.token}}') | base64 -d

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im11dGlib2FyZC1sZGFwLXRva2VuLWJ3NWdmIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im11dGlib2FyZC1sZGFwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMjVmZjI4MGQtYWJhMi0xMWVhLWFlOGEtMDIzOTBjMzcyNzhlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6bXV0aWJvYXJkLWxkYXAifQ.q14hqEu2p70_YczDviR6c8McDM5vfnKPzjO9usCsC-uQUxciBbuJU_PK9j3uawppUNlrs3rAPrZIGUS7Jv14rifEXpGxIIfGR6n8-le0b-9YvMZCgs9-jhf-1r01EAnZFh6gcXfxESFguFQI0vYOsX4P2LQvZ9XTMzsqXbW3KGYao5elAjCE4e8Rg4--9e_zU8NGTEycsvUMxP-9p0SaAzn9Iak3saZtAnzJq5hkSf1t7l2_CgEsYN-3b7uGpHupK_zdgAeOflj9ze4Cz2YScv5eixwVXJ-RcI4lgSFCgt5yzSbnIuHgxRZyN3NcYLrSBYKftezZysWm3jELgLPogQ

At this point, the ca.crt and token of each cluster have been obtained. The following will tell how to configure and use these ca.crt and token

SA RBAC example

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ops-admin
  namespace: default
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ops-role
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ops-listnamespace
roleRef: #Referenced role
  kind: ClusterRole
  name: ops-role
  apiGroup: rbac.authorization.k8s.io
subjects: #principal part
- kind: ServiceAccount
  name: ops-admin
  namespace: default
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ops-ci-admin
  namespace: ops-ci
roleRef: #Referenced role
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects: #principal part
- kind: ServiceAccount
  name: ops-admin
  namespace: default
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ops-qa-admin
  namespace: ops-qa
roleRef: #Referenced role
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects: #principal part
- kind: ServiceAccount
  name: ops-admin
  namespace: default

The meaning of this YAML is: create an ops-admin sa, and give this sa two namespace (ops-ci, ops-qa) admin permissions.

For more information about rbac, please refer to:https://www.cnblogs.com/wlbl/p/10694364.html

LDAP description

Our ldap directory rules are as follows:

|--domain
|----|---company
|----|----|----subsidiary
|----|----|-----|----department
|----|----|-----|-----|-----user

The corresponding Distinguished Name is shown below:

CN=Peng Xu,OU=department,OU=subsidiary,OU=company,DC=corp,DC=xxx,DC=com

Here I will get the first OU as a group, if your needs are different from mine, you can give me an issue to adapt

For details, please refer to:https://blog.poychang.net/ldap-introduction

Configmap.yaml configuration instructions

ldap:
  addr: ldap://192.168.3.81:389
  adminUser: xxxxx
  adminPwd: xxxxxx
  baseDN: dc=corp,dc=patsnap,dc=com
  filter: (&(objectClass=person)(sAMAccountName=%s))
  attributes: user_dn
  orgUnitName: OU=
#mapping of global users/user groups to SA
rbac:
  DevOps team:
    sa: ops-admin
    ns: kube-system
  xupeng:
    sa: inno-admin
    ns: default
clusters:
  #Cluster alias, the key displayed in the login drop-down box, this alias needs to correspond to the key names of ca.crt and token in secret.sh
  local:
    #apiserver address, can be accessed by the current tool
    apiServer: apiserver-dev.jiunile.com
    port: 6443
    #kubernetes dashboard address, can be accessed by the current tool
    dashboard: dashboard-dev.jiunile.com
    #Cluster description, the name displayed in the login drop-down box
    desc: Dev Cluster
    #Segmentation for individual clusters
    #rbac:
    #  DevOps team:
    #    sa: admin
    #    ns: kube-system
    #  xupeng:
    #    sa: ops-admin
    #    ns: default
  cnrelease:
    apiServer: apiserver-cn-release.jiunile.com
    port: 443
    dashboard: https://dashboard-cn-release.jiunile.com
    desc: CN Release Cluster
  usrelease:
    apiServer: apiserver-us-release.jiunile.com
    port: 443
    dashboard: https://dashboard-us-release.jiunile.com
    desc: US Release Cluster
  euprod:
    apiServer: apiserver-eu-prod.jiunile.com
    port: 443
    dashboard: https://dashboard-eu-prod.jiunile.com
    desc: EU Prod Cluster
  dataprod:
    apiServer: apiserver-data-prod.jiunile.com
    port: 443
    dashboard: http://kuboard-data-prod.jiunile.com
    desc: DATA Prod Cluster
    type: kuboard

Deploy

  1. Modify and deploy deploy/configmap.yaml

  2. Write the ca.crt and token obtained by each cluster to the corresponding deploy/token

  3. Execute the secret.sh script under deploy sh deploy/secret.sh

    Note: The xx in xx_token/xxx_ca.crt in secret.sh corresponds to the cluster alias in configmap.yaml, which must correspond one-to-one

  4. deploy deploy/deployment.yaml

Visit

http://{nodeip}:31000

mutiboard-ldap

Video download address: https://github.com/icyxp/kubernetes-dashboard-ldap/raw/master/assets/video/intro.webm

Donation

if you are willing to.

Alipay Wxpay Wechat group
alipay weixin weixin group
0 Open More issues
Closed

没部署成功,无法登录,日志也输出不详细,最好能弄debug最好了。

部署文档写的有点凌乱,特别是LDAP那段,secret.sh脚本在格式化的时候有问题,之前获取的值写入token和ca.crt的换行有问题

opened Aug 27, 2020 by 786951355 14
Closed

不知道能否支持token登录kubeapps呢

kubeapps也是token登录,希望支持

opened Nov 19, 2020 by ZhangSIming-blyq 4
Closed

ldap报错 Error initializing SSL/TLS, data 0, v3839

选择AD Login登录,输入完用户密码后的完整报错为: LDAP Result Code 52 "Unavailable": 00000000: LdapErr: DSID-0C0912C4, comment: Error initializing SSL/TLS, data 0, v3839 请问该如何调整,谢谢。

opened Dec 4, 2020 by Ruixian98 4
Closed

Login with error “LDAP Result Code 2 "Protocol Error": unsupported extended operation”

But deployment has no error logs...please help me with ldap configuration, below is my configmap.yaml:

apiVersion: v1
data:
  config: |
    ldap:
      addr: ldap://10.20.13.72:389
      adminUser: cn=kubesphere-test,ou=project,dc=shannonai,dc=com
      adminPwd: n2fBhSzk5u
      baseDN: ou=group,dc=shannonai,dc=com
      filter: (&(objectclass=groupOfUniqueNames)(uniqueMember={userdn}))
      attributes: kubesphere-test
      orgUnitName: project
    rbac:
      DevOps team:
        sa: admin
        ns: kube-system
      wangweilei:
        sa: wwl-admin
        ns: default
      xupeng:
        sa: search-admin
        ns: default
      zhangsiming:
        sa: inf-test-admin
        ns: inf-test
    clusters:
      local:
        apiServer: https://nlb-k8s-test-apiserver-1f07f2e6c2c2b42c.elb.cn-northwest-1.amazonaws.com.cn
        port: 6443
        dashboard: https://nlb-k8s-test-apiserver-1f07f2e6c2c2b42c.elb.cn-northwest-1.amazonaws.com.cn:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#/login
        desc: Dev Cluster

I don't know how to fix it, it seems like LDAP authentication error

opened Nov 16, 2020 by ZhangSIming-blyq 2
Closed

报错runtime error: invalid memory address or nil pointer dereference 

2020/11/18 15:13:55 >>>>>>>>>>>>>>>>>>init cluster[local] k8s client>>>>>>>>>>>>>>>>>>


2020/11/18 15:13:55 [Recovery] 2020/11/18 - 15:13:55 panic recovered:
runtime error: invalid memory address or nil pointer dereference
/usr/local/go/src/runtime/panic.go:212 (0x44b659)
/usr/local/go/src/runtime/signal_unix.go:695 (0x44b4a8)
/go/pkg/mod/k8s.io/[email protected]+incompatible/kubernetes/clientset.go:237 (0x11b6c9d)
/go/src/dashboard-ldap/controller/login.go:232 (0x11b6c94)
/go/src/dashboard-ldap/controller/login.go:99 (0x11b54a3)
/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0x9b3d6a)
/go/pkg/mod/github.com/gin-gonic/[email protected]/recovery.go:83 (0x9c746f)
/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0x9b3d6a)
/go/pkg/mod/github.com/gin-gonic/[email protected]/logger.go:241 (0x9c65a0)
/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0x9b3d6a)
/go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:409 (0x9bdb45)
/go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:367 (0x9bd25c)
/usr/local/go/src/net/http/server.go:2807 (0x713ad2)
/usr/local/go/src/net/http/server.go:1895 (0x70f44b)
/usr/local/go/src/runtime/asm_amd64.s:1373 (0x467400)
opened Nov 18, 2020 by ZhangSIming-blyq 2

2.2.0(Jan 12, 2021)

2.2.0

可选择性使用代理访问,相关配置查看 configmap.yaml 中的 Proxy 字段

Optional use proxy visit,you can refer to configmap.yaml proxy field

2.1.0(Dec 16, 2020)

增加审计日志

Add Audit Log

Audit Log example:

INFO[0039] 127.0.0.1 - imroc.local [16/Dec/2020:13:55:24 +0800] "GET /api/v1/pod/default" 200 1030 "http://127.0.0.1:8000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36" "" (1ms)  clientIP=127.0.0.1 dataLength=1030 hostname=imroc.local latency=1 method=GET path=/api/v1/pod/default referer="http://127.0.0.1:8000/" statusCode=200 traceID= user=admin userAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"

2.0.0(Nov 21, 2020) 

1. 支持 LDAP 和 token 登录
2. 根据不同的集群登录显示不同的 Logo(左上角)
3. 配置中增加默认选中集群功能
4. 优化代码,增加 pprof & statsviz(:8888)
---
1. Support LDAP and token login
2. Display different logo according to the selection of the cluster
3. `configmap.yaml` add `default:true`
4. Optimized code and fix some bug, add pprof & statsviz(:8888)
Information
Category: Linux / System utilities
Watchers: 1
Star: 18
Fork: 5
Last update: Jun 17, 2020

Contents
    Resource links
    https://github.com/icyxp/kubernetes-dashboard-ldap
    Share this repo
    Most popular
    pi-hole A black hole for Internet advertisements
    alexanderepstein A collection of small bash scripts for heavy terminal users
    upptime ⬆️ Uptime monitor and status page powered by GitHub
    github GitHub public roadmap
    arslanbilal Git and Git Flow Cheat Sheet
    SpiderLabs ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx
    logseq A local-first knowledge base which syncs using Github
    k0sproject k0s - Zero Friction Kubernetes
    chaos-mesh A Chaos Engineering Platform for Kubernetes.
    netblue30 Firejail is a Linux namespaces and seccomp-bpf sandbox

    Related Repos


    System utilities
    34
    📌 See the filenames of your vim splits in easy-to-read popups
    bignimbus 📌 See the filenames of your vim splits in easy-to-read popups
     
    System utilities
    28
    Send an entire movie script line by line using this simple and short shell script.
    jacob33c Send an entire movie script line by line using this simple and short shell script.
     
    System utilities
    29
    The files that make me a programming whiz 🧙‍♂️
    harsilspatel The files that make me a programming whiz 🧙‍♂️
     
    System utilities
    231
    Github action that checks the toxicity level of comments and PR reviews to help make repos...
    charliegerard Github action that uses machine learning to detect potential toxic comments added to PRs and issues so authors can have a chance to edit them and keep repos a safe space.
     
    System utilities
    34
    A decompilation of Super Mario Galaxy brought to you by a bunch of clever folks.
    doldecomp A decompilation of Super Mario Galaxy brought to you by a bunch of clever folks.
     
    System utilities
    21
    A semantic search tool for Erlang that supports large code-bases.
    klarna-incubator Glass is a tool for semantically searching source code, currently focusing on Erlang. You can think of it as "grep, if grep could understand Erlang code".
     
    System utilities
    25
    The BitBucket Erlang Client
    klarna-incubator The behaviour of a BitBucket repository can be customized in a multitude of ways. Configuring default reviewers, branch restrictions, hooks and merge strategies can be a tedious, repetitive and error prone procedure if it is performed via the GUI, especially with a large number of repositories.
     
    System utilities
    11
    A dark Vim/Neovim color scheme with rich colors on a deep black background.
    josegamez82 A dark Vim/Neovim color scheme with rich colors on a deep black background.