文章大纲
OpenShift 默认安装完成后,只有一个 kubeadmin 用户,OpenShift 本身支持配置使用多个身份提供程序,有:
- Keystone
- LDAP
- HTPasswd
- …
最简单的是使用 HTPasswd 这种方式,但是不推荐用于生产环境中。
准备 HTPasswd 文件
将所需的用户和密码写入到 HTPasswd 文件中:
htpasswd -c -B -b htpasswd admin Admin@123
htpasswd -B -b htpasswd developer Developer@123-c 是创建新文件,第一次需使用。
创建 Secret
HTPasswd 身份提供程序,需要将 htpasswd 文件中的数据放置到 Secret 中,并且是 openshift-config project 里面:
[root@support ~]# oc create secret generic htpasswd-secret --from-file htpasswd=/root/htpasswd -n openshift-config
secret/htpasswd-secret created验证:
[root@support ~]# oc get secret htpasswd-secret -n openshift-config -o yaml
apiVersion: v1
data:
htpasswd: YWRtaW46JDJ5JDA1JFlOTmxUMnZucTNRclBob0pwVS5oSU9jdGpWNFAxT20vcTdQV2ZqcG1XWEZGcGRJQm0xUUgyCmRldmVsb3BlcjokMnkkMDUkNkF4T3MyVkFzQ0dwelNGb1cuT0tZdVdYblFvSjh2dGNiajJ6YUtOdy82M3ZnaU1RWVBYL0sK
kind: Secret
metadata:
creationTimestamp: "2023-12-21T12:57:17Z"
name: htpasswd-secret
namespace: openshift-config
resourceVersion: "81046"
uid: 60e6d9ea-8e64-44eb-8566-a1c4dbe9c1bd
type: Opaque
[root@support ~]# echo 'YWRtaW46JDJ5JDA1JFlOTmxUMnZucTNRclBob0pwVS5oSU9jdGpWNFAxT20vcTdQV2ZqcG1XWEZGcGRJQm0xUUgyCmRldmVsb3BlcjokMnkkMDUkNkF4T3MyVkFzQ0dwelNGb1cuT0tZdVdYblFvSjh2dGNiajJ6YUtOdy82M3ZnaU1RWVBYL0sK' | base64 -d
admin:$2y$05$YNNlT2vnq3QrPhoJpU.hIOctjV4P1Om/q7PWfjpmWXFFpdIBm1QH2
developer:$2y$05$6AxOs2VAsCGpzSFoW.OKYuWXnQoJ8vtcbj2zaKNw/63vgiMQYPX/K配置 Oauth 使用 HTPasswd 作为身份提供程序
导出现有的配置并进行备份:
[root@support ~]# oc get oauth cluster -o yaml > oauth.yaml
[root@support ~]# cp oauth.yaml oauth.yaml.bak编辑配置,定义要使用的 HTPasswd 提供程序,并指定相应的 Secret:
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
release.openshift.io/create-only: "true"
creationTimestamp: "2023-12-20T12:21:35Z"
generation: 1
name: cluster
ownerReferences:
- apiVersion: config.openshift.io/v1
kind: ClusterVersion
name: version
uid: 3b6467a0-50ba-413b-9b82-de965c688b05
resourceVersion: "1534"
uid: 806e13d0-f707-4ff6-9ebf-2bda36613ac6
spec:
identityProviders:
- name: htpasswd_provider
mappingMethod: claim
type: HTPasswd
htpasswd:
fileData:
name: htpasswd-secret使用编辑好的文件来应用配置的更新:
[root@support ~]# oc replace -f oauth.yaml
oauth.config.openshift.io/cluster replaced等待 oauth-openshift 的重启:
[root@support ~]# oc get pods -n openshift-authentication
NAME READY STATUS RESTARTS AGE
oauth-openshift-775b954cc-92q8f 1/1 Terminating 2 (39m ago) 24h
oauth-openshift-7997b7c68b-bcwtk 1/1 Running 0 64s
oauth-openshift-7997b7c68b-cts27 0/1 Pending 0 7s
oauth-openshift-7997b7c68b-vx5hb 1/1 Running 0 36s分配特权
在 htpasswd 文件中定义了一个 admin 用户,使用以下命令将其设置为集群管理员:
[root@support ~]# oc adm policy add-cluster-role-to-user cluster-admin admin
Warning: User 'admin' not found
clusterrole.rbac.authorization.k8s.io/cluster-admin added: "admin"会提示没有该用户,忽略。
验证
使用命令行登录验证:
[root@support ~]# oc login -u admin -p Admin@123
Login successful.
You have access to 68 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "default".
[root@support ~]# oc login -u developer -p Developer@123
Login successful.
You don't have any projects. You can try to create a new project, by running
oc new-project <projectname>登录 console 时需选择 htpasswd_provider :
登录 admin 用户,确认具有集群管理员特权:
developer 没有特权:
更改或删除用户
如果原先 htpasswd 文件存在的话,可以直接对该文件做修改,修改后需要更新 secret :
oc set data secret/htpasswd-secret --from-file htpasswd=/root/htpasswd -n openshift-config如果原先 htpasswd 文件不存在,需先从 secret 中导出,再进行修改:
oc extract secret/htpasswd-secret -n openshift-config --to /root/ --confirm更改后,需更新 Secret,等待 OAuth Operator 重新部署 Pod 后,对用户的更改或删除就生效了。
最后位于 kube-system 中的 kubeadmin Secret 在测试环境中不建议删除,因为长时间关机会导致证书过期,此时无法通过 HTPasswd 中的用户进行登录,所以还需借助 kubeadmin 用户来批准 CSR 从而恢复集群。