{"id":35864,"date":"2022-11-29T00:53:58","date_gmt":"2023-05-13T13:26:55","guid":{"rendered":"https:\/\/www.silicloud.com\/zh\/blog\/%e5%b0%9d%e8%af%95%e4%bd%bf%e7%94%a8keycloak%e6%9d%a5%e8%bf%9b%e8%a1%8ckubernetes%e7%9a%84oidc%e8%ae%a4%e8%af%81\/"},"modified":"2024-04-29T02:54:46","modified_gmt":"2024-04-28T18:54:46","slug":"%e5%b0%9d%e8%af%95%e4%bd%bf%e7%94%a8keycloak%e6%9d%a5%e8%bf%9b%e8%a1%8ckubernetes%e7%9a%84oidc%e8%ae%a4%e8%af%81","status":"publish","type":"post","link":"https:\/\/www.silicloud.com\/zh\/blog\/%e5%b0%9d%e8%af%95%e4%bd%bf%e7%94%a8keycloak%e6%9d%a5%e8%bf%9b%e8%a1%8ckubernetes%e7%9a%84oidc%e8%ae%a4%e8%af%81\/","title":{"rendered":"\u5c1d\u8bd5\u4f7f\u7528Keycloak\u6765\u8fdb\u884cKubernetes\u7684OIDC\u8ba4\u8bc1"},"content":{"rendered":"

\u9996\u5148<\/h2>\n

\u901a\u5e38\u60c5\u51b5\u4e0b\uff0cKubernetes\u5e76\u6ca1\u6709\u7528\u6237\u7ba1\u7406\u673a\u5236\uff0c\u9700\u8981\u501f\u52a9\u5916\u90e8\u673a\u5236\u6765\u8fdb\u884c\u7528\u6237\u8ba4\u8bc1\u3002\u5982\u679c\u4f7f\u7528kubeadm\u6216minikube\u7b49\u5de5\u5177\u6784\u5efa\u539f\u751f\u7684Kubernetes\u96c6\u7fa4\uff0c\u901a\u5e38\u4f1a\u4f7f\u7528x509\u8bc1\u4e66\u8fdb\u884c\u7528\u6237\u8ba4\u8bc1\uff08admin\u8bc1\u4e66\u53ef\u7528\u4e8e\u8ba4\u8bc1\uff09\u3002<\/p>\n

\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u5c06\u4f7f\u7528Keycloak\u4f5c\u4e3aOIDC\uff08OpenID Connect\uff09ID\u63d0\u4f9b\u8005\u4e4b\u4e00\u6765\u7ba1\u7406\u7528\u6237\u4fe1\u606f\u5e76\u8fdb\u884cOIDC\u8ba4\u8bc1\uff0c\u7136\u540e\u4f7f\u7528\u8be5\u8ba4\u8bc1\u4fe1\u606f\uff08id_token\uff09\u6765\u8fdb\u884cKubernetes\uff08API\uff09\u7684\u8ba4\u8bc1\u3002<\/p>\n

Keycloak\u662f\u4e00\u4e2a\u7f51\u7ad9\uff0c\u5176\u7f51\u5740\u662fhttps:\/\/www.keycloak.org\/\u3002<\/p>\n

\u53e6\u5916\uff0cKubernetes\u4e2d\u7684OIDC\u8ba4\u8bc1\u987a\u5e8f\u53ef\u4ee5\u53c2\u8003\u5b98\u65b9\u6587\u6863\u4e2d\u5982\u4e0b\u8bf4\u660e\u3002<\/p>\n

\"pic0.png\"<\/div>\n

OpenID Connect\u4ee4\u724c<\/p>\n

https:\/\/kubernetes.io\/zh\/docs\/reference\/access-authn-authz\/authentication\/#openid-connect-tokens<\/p>\n

\u524d\u63d0\u610f\u5473\u7740\u4e00\u4e2a\u524d\u9762\u7684\u6761\u4ef6\u6216\u5047\u8bbe\u3002 (The premise implies a previously stated condition or assumption.)<\/h2>\n

minikube v1.25.2(Kubernetes v1.23.3)\u306e\u30b7\u30f3\u30b0\u30ebNode\u69cb\u6210\u3067\u691c\u8a3c\u3057\u305f<\/p>\n

Keycloak\u306f\u73fe\u6642\u70b9\u306e\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u3042\u308bv18.0.0\u3092\u7528\u3044\u308b\u3053\u3068\u3068\u3057\u3001Kubernetes(minikube)\u30af\u30e9\u30b9\u30bf\u30fc\u4e0a\u306b\u69cb\u7bc9\u3057\u305f\uff08\u4e00\u822c\u7684\u306aKubernetes\u30af\u30e9\u30b9\u30bf\u30fc\u4e0a\u306b\u69cb\u7bc9\u3059\u308b\u30b1\u30fc\u30b9\u3067\u3082\u305d\u3093\u306a\u306b\u5927\u5dee\u306f\u306a\u3044\u60f3\u5b9a\uff09
\n\u691c\u8a3c\u7528\u306a\u306e\u3067Keycloak\u306f\u4ee5\u4e0b\u306e\u6761\u4ef6\u3067\u8d77\u52d5\u3057\u305f<\/p>\n

dev mode\uff08\u672c\u6765\u3067\u3042\u308c\u3070prod mode\u3067\u8d77\u52d5\u3059\u3079\u304d\uff09<\/p>\n

Keycloak\u306e\u30c7\u30fc\u30bf\u30b9\u30c8\u30a2\u306fInternal DB\uff08H2\uff09\u3092\u6c38\u7d9a\u5316\u3057\u3066\u5229\u7528\uff08\u672c\u6765\u3067\u3042\u308c\u3070PostgreSQL\u306a\u3069\u5916\u90e8DB\u3092\u5229\u7528\u3059\u3079\u304d\uff09
\n\u8a3c\u660e\u66f8\u306f\u81ea\u5df1\u8a3c\u660e\u66f8\u3092\u5229\u7528\u3057\u305f\uff08\u672c\u6765\u3067\u3042\u308c\u3070\u4fe1\u983c\u3067\u304d\u308bCA\u3067\u7f72\u540d\u3055\u308c\u305f\u3082\u306e\u3092\u5229\u7528\u3059\u3079\u304d\uff09<\/p>\n

Keycloak\u306e\u540d\u524d\u89e3\u6c7a\u306b\u306fDNS\u3067\u306f\u306a\u304fhosts\u30d5\u30a1\u30a4\u30eb\u3092\u4f7f\u7528\u3057\u305f<\/p>\n

Keycloak\u306b\u306f\u305d\u308c\u305e\u308ckube-apiserver\u3068\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304c\u540c\u3058\u30db\u30b9\u30c8\u540d\u3067\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u5fc5\u8981\u304c\u3042\u308b\u305f\u3081\u66ab\u5b9a\u5bfe\u51e6
\n\u672c\u6765\u306fDNS\u306e\u540d\u524d\u89e3\u6c7a\u3067\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u306e\u304c\u671b\u307e\u3057\u3044<\/p>\n

Keycloak\u306e\u30a2\u30af\u30bb\u30b9\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\uff08HTTP\/HTTPS\uff09\u306fNodePort\u3068\u3057\u305f<\/p>\n

Keycloak\u306b\u306f\u305d\u308c\u305e\u308ckube-apiserver\u3068\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304c\u540c\u3058\u30dd\u30fc\u30c8\u3067\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u5fc5\u8981\u304c\u3042\u308b\u305f\u3081\u66ab\u5b9a\u5bfe\u51e6
\n\u672c\u6765\u306fingress\u3084LB\u306b\u8a3c\u660e\u66f8\u306e\u30a4\u30f3\u30dd\u30fc\u30c8\u3092\u884c\u3044TLS\u7d42\u7aef\u3059\u3079\u304d<\/p>\n

\u57fa\u672c\u7684\u306bKeycloak\u516c\u5f0f\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u306b\u6cbf\u3063\u3066\u3044\u308b\u304c\u3001\u5fc5\u8981\u306b\u5fdc\u3058\u3066\u8a2d\u5b9a\u3092\u5909\u66f4\u3057\u3066\u3044\u308b
\nGetting started\/Kubernetes
\nhttps:\/\/www.keycloak.org\/getting-started\/getting-started-kube<\/p>\n

3. \u521b\u5efaKeycloak\u7684\u8bc1\u4e66<\/h2>\n

\u9996\u5148\uff0c\u521b\u5efaKeycloak\u5c06\u7528\u4e8eTLS\u7684\u5bc6\u94a5\u5bf9\u3002
\n\u7136\u540e\uff0c\u5728Kubernetes\u96c6\u7fa4\u4e0a\uff0c\u901a\u8fc7hostPath\u5c06\u5bc6\u94a5\u5bf9\u6302\u8f7d\u5230\u90e8\u7f72Keycloak\u7684Pod\u4e0a\uff0c\u5728minikube\u865a\u62df\u673a\u4e0a\u6267\u884c\u521b\u5efa\u64cd\u4f5c\u3002<\/p>\n

\u8fde\u63a5\u5230minikube\u7684SSH\u3002<\/p>\n

minikube ssh\r\n<\/code><\/pre>\n
\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u4f5c\u6210<\/p>\n
sudo su -\r\nmkdir \/srv\/keycloak-ssl\r\ncd \/srv\/keycloak-ssl \r\n<\/code><\/pre>\n
\u521b\u5efa\u8bc1\u4e66\u8bbe\u7f6e\u6587\u4ef6<\/p>\n
sslcert.conf\uff1assl\u8bc1\u4e66\u914d\u7f6e\u6587\u4ef6<\/p>\n
[req]\r\ndistinguished_name = req_distinguished_name\r\nx509_extensions = v3_req\r\nprompt = no\r\n[req_distinguished_name]\r\nCN = keycloak \r\n[v3_req]      \r\nkeyUsage = keyEncipherment, dataEncipherment\r\nextendedKeyUsage = serverAuth, clientAuth   \r\nsubjectAltName = @alt_names                 \r\n[alt_names]\r\nDNS.1 = keycloak                            \r\nDNS.2 = keycloak.example.com\r\n<\/code><\/pre>\n
\u521b\u5efa\u5bc6\u94a5\u5bf9<\/p>\n
# openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout tls.key -out tls.crt -config sslcert.conf -extensions 'v3_req'\r\n\r\nls\r\nsslcert.conf  tls.crt  tls.key \r\n<\/code><\/pre>\n
\u53ef\u4ee5\u786e\u5b9a\u516c\u94a5\u7684\u7b7e\u53d1\u8005\u548c\u4e3b\u9898\u90fd\u662f\u540c\u4e00\u4e2a\u81ea\u7b7e\u540d\u8bc1\u4e66\uff08\u5373\u6240\u8c13\u7684\u81ea\u5236\u8bc1\u4e66\uff09\u3002<\/p>\n
# openssl x509 -in tls.crt --text --noout\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            53:e8:c5:1e:e4:6c:dd:13:59:f8:4d:81:0d:6f:56:97:06:e3:4f:f3\r\n        Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: CN = keycloak\r\n        Validity\r\n            Not Before: May  8 06:27:59 2022 GMT\r\n            Not After : May  7 06:27:59 2024 GMT\r\n        Subject: CN = keycloak\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                RSA Public-Key: (2048 bit)\r\n                Modulus:\r\n                \u30fb\u30fb\u30fb\r\n<\/code><\/pre>\n
\u4eca\u56deKeycloak\u306ePod\u306fhostPath\u3092\u7528\u3044\u3066\u30ad\u30fc\u30da\u30a2\u683c\u7d0d\u30d5\u30a9\u30eb\u30c0\u3092\u30de\u30a6\u30f3\u30c8\u3059\u308b\u305f\u3081\u6a29\u9650\u3092\u5909\u66f4\u3057\u3066\u304a\u304f\u3002
\n\u203b\u53b3\u5bc6\u306b\u306ftls.key\u306bRead\u6a29\u9650\u3092\u4ed8\u4e0e\u3057\u3066\u304a\u3051\u3070\u826f\u3044\u306f\u305a\u3002<\/p>\n
# chmod -R 777 \/srv\/keycloak-ssl \r\n<\/code><\/pre>\n
\u5c06\u516c\u5f00\u5bc6\u94a5\u914d\u7f6e\u5230\u4e3b\u8282\u70b9\u4e0a\u3002<\/p>\n
# mkdir -p \/etc\/kubernetes\/ssl\/\r\n# cp tls.crt \/etc\/kubernetes\/ssl\/kc-ca.crt\r\n# ls \/etc\/kubernetes\/ssl\/\r\nkc-ca.crt\r\n<\/code><\/pre>\n
\u521b\u5efaKeycloak\u6301\u4e45\u5316\u76ee\u5f55\u3002<\/h2>\n
\u5f53\u5c06Keycloak\u90e8\u7f72\u4e3aPod\u65f6\uff0c\u901a\u5e38\u60c5\u51b5\u4e0b\u4fe1\u606f\u5c06\u4fdd\u5b58\u5728Keycloak\u5185\u90e8\u7684\u672c\u5730\u6570\u636e\u5e93\uff08H2\uff09\u4e2d\u3002\u7136\u800c\uff0c\u5f53\u5bb9\u5668\u91cd\u65b0\u542f\u52a8\u65f6\uff0c\u8fd9\u4e9b\u6570\u636e\u5c06\u4f1a\u4e22\u5931\u3002
\n\u7406\u60f3\u60c5\u51b5\u4e0b\uff0c\u5e94\u8be5\u6307\u5b9a\u5916\u90e8\u6570\u636e\u5e93\uff08\u5982PostgreSQL\uff09\u4f5c\u4e3a\u4fdd\u5b58\u4f4d\u7f6e\u3002\u4f46\u662f\uff0c\u672c\u6b21\u6211\u4eec\u5c06\u6570\u636e\u4fdd\u5b58\u5230minikube\u865a\u62df\u673a\u4e0a\u7684\u76ee\u5f55\uff0c\u5e76\u901a\u8fc7\u5c06\u5176\u4f5c\u4e3ahostPath\u7684volumeMounts\u6302\u8f7d\u5230Pod\u4e0a\u6765\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u3002<\/p>\n
\u5728minikube\u865a\u62df\u673a\u4e0a\u521b\u5efa\u5b58\u50a8\u76ee\u5f55\u3002<\/p>\n
# mkdir -p \/srv\/keycloak\r\n# chmod -R 777 \/srv\/keycloak\r\n# ls -la \/srv\r\ntotal 0\r\ndrwxr-xr-x  4 root root  80 May  8 06:46 .\r\ndrwxr-xr-x 19 root root 500 May  8 06:24 ..\r\ndrwxrwxrwx  2 root root  40 May  8 06:46 keycloak\r\ndrwxrwxrwx  2 root root 100 May  8 06:27 keycloak-ssl\r\n<\/code><\/pre>\n
5. Keycloak\u5efa\u7acb<\/h2>\n
\u901a\u8fc7\u5177\u6709minikube\u64cd\u4f5c\u6743\u9650\u7684\u5ba2\u6237\u7aef\uff0c\u5728Kubernetes\u96c6\u7fa4\u4e0a\u5c06Keycloak\u90e8\u7f72\u4e3aPod\u3002<\/p>\n
Keycloak\u7684\u90e8\u7f72<\/h3>\n
\u6211\u4f7f\u7528\u4e86\u4e00\u90e8\u5206Keycloak\u5b98\u65b9\u6587\u6863\u4f5c\u4e3a\u53c2\u8003\uff0c\u5e76\u4fee\u6539\u4e86\u4e00\u4e9bmanifest\u3002\u7136\u540e\u4f7f\u7528\u4ee5\u4e0bmanifest\u8fdb\u884c\u90e8\u7f72\u3002<\/p>\n
Keycloak\u542f\u52a8\u914d\u7f6e\u7684\u6ce8\u610f\u4e8b\u9879\u3002<\/p>\n
dev mode\u3067\u8d77\u52d5<\/p>\n
HTTPS\u30dd\u30fc\u30c8\u306e\u6307\u5b9a\uff08\u30c7\u30d5\u30a9\u30eb\u30c88443\uff09<\/p>\n
NodePort\u3067\u30b5\u30fc\u30d3\u30b9\u3092\u516c\u958b<\/p>\n
TLS\u30ad\u30fc\u30da\u30a2\u306e\u6307\u5b9a\u3068\u683c\u7d0d\u5148\u3092hostPath\u3068\u3057\u3066\u30de\u30a6\u30f3\u30c8<\/p>\n
keycloak.yaml \u6587\u4ef6<\/p>\n
apiVersion<\/span>:<\/span> v1<\/span>\r\nkind<\/span>:<\/span> Namespace<\/span>\r\nmetadata<\/span>:<\/span>\r\n  name<\/span>:<\/span> keycloak<\/span>\r\n---<\/span>\r\napiVersion<\/span>:<\/span> v1<\/span>\r\nkind<\/span>:<\/span> Service<\/span>\r\nmetadata<\/span>:<\/span>\r\n  name<\/span>:<\/span> keycloak<\/span>\r\n  namespace<\/span>:<\/span> keycloak<\/span>\r\n  labels<\/span>:<\/span>\r\n    app<\/span>:<\/span> keycloak<\/span>\r\nspec<\/span>:<\/span>\r\n  ports<\/span>:<\/span>\r\n  -<\/span> name<\/span>:<\/span> http<\/span>\r\n    port<\/span>:<\/span> 8080<\/span>\r\n    targetPort<\/span>:<\/span> 8080<\/span>\r\n    nodePort<\/span>:<\/span> 31008<\/span> # NodePort\u3092\u660e\u793a<\/span>\r\n  -<\/span> name<\/span>:<\/span> https<\/span> # HTTP\u30a2\u30af\u30bb\u30b9\u7528\u306b8443\u30dd\u30fc\u30c8\u3092\u516c\u958b<\/span>\r\n    port<\/span>:<\/span> 8443<\/span>\r\n    targetPort<\/span>:<\/span> 8443<\/span>\r\n    nodePort<\/span>:<\/span> 32084<\/span> # NodePort\u3092\u660e\u793a<\/span>\r\n  selector<\/span>:<\/span>\r\n    app<\/span>:<\/span> keycloak<\/span>\r\n  type<\/span>:<\/span> NodePort<\/span>\r\n---<\/span>\r\napiVersion<\/span>:<\/span> apps\/v1<\/span>\r\nkind<\/span>:<\/span> Deployment<\/span>\r\nmetadata<\/span>:<\/span>\r\n  name<\/span>:<\/span> keycloak<\/span>\r\n  namespace<\/span>:<\/span> keycloak<\/span>\r\n  labels<\/span>:<\/span>\r\n    app<\/span>:<\/span> keycloak<\/span>\r\nspec<\/span>:<\/span>\r\n  replicas<\/span>:<\/span> 1<\/span>\r\n  selector<\/span>:<\/span>\r\n    matchLabels<\/span>:<\/span>\r\n      app<\/span>:<\/span> keycloak<\/span>\r\n  template<\/span>:<\/span>\r\n    metadata<\/span>:<\/span>\r\n      labels<\/span>:<\/span>\r\n        app<\/span>:<\/span> keycloak<\/span>\r\n    spec<\/span>:<\/span>\r\n      containers<\/span>:<\/span>\r\n      -<\/span> name<\/span>:<\/span> keycloak<\/span>\r\n        image<\/span>:<\/span> quay.io\/keycloak\/keycloak:18.0.0<\/span>\r\n        args<\/span>:<\/span> [<\/span>\"<\/span>start-dev\"<\/span>]<\/span> # dev mode\u3067\u8d77\u52d5<\/span>\r\n        env<\/span>:<\/span>\r\n        -<\/span> name<\/span>:<\/span> KEYCLOAK_ADMIN<\/span>\r\n          value<\/span>:<\/span> \"<\/span>admin\"<\/span>\r\n        -<\/span> name<\/span>:<\/span> KEYCLOAK_ADMIN_PASSWORD<\/span>\r\n          value<\/span>:<\/span> \"<\/span>admin\"<\/span>\r\n        -<\/span> name<\/span>:<\/span> KC_PROXY<\/span>\r\n          value<\/span>:<\/span> \"<\/span>edge\"<\/span>\r\n        -<\/span> name<\/span>:<\/span> \"<\/span>KC_HTTP_ENABLED\"<\/span> # HTTP\u63a5\u7d9a\u6709\u52b9\u5316\uff08\u30d6\u30e9\u30a6\u30b6\u30a2\u30af\u30bb\u30b9\u7528\uff09<\/span>\r\n          value<\/span>:<\/span> \"<\/span>true\"<\/span>\r\n        -<\/span> name<\/span>:<\/span> \"<\/span>KC_HTTPS_PORT\"<\/span> # HTTPS\u30dd\u30fc\u30c8<\/span>\r\n          value<\/span>:<\/span> \"<\/span>8443\"<\/span>\r\n        -<\/span> name<\/span>:<\/span> KC_HTTPS_CERTIFICATE_FILE<\/span> # \u516c\u958b\u9375\u306e\u30d1\u30b9<\/span>\r\n          value<\/span>:<\/span> \"<\/span>\/opt\/keycloak\/tls\/tls.crt\"<\/span>\r\n        -<\/span> name<\/span>:<\/span> KC_HTTPS_CERTIFICATE_KEY_FILE<\/span> # \u79d8\u5bc6\u9375\u306e\u30d1\u30b9<\/span>\r\n          value<\/span>:<\/span> \"<\/span>\/opt\/keycloak\/tls\/tls.key\"<\/span>\r\n        ports<\/span>:<\/span>\r\n        -<\/span> name<\/span>:<\/span> http<\/span>\r\n          containerPort<\/span>:<\/span> 8080<\/span>\r\n        -<\/span> name<\/span>:<\/span> https<\/span> # TLS\u7528\u306b8443\u30dd\u30fc\u30c8\u3092\u516c\u958b<\/span>\r\n          containerPort<\/span>:<\/span> 8443<\/span>\r\n        readinessProbe<\/span>:<\/span>\r\n          httpGet<\/span>:<\/span>\r\n            path<\/span>:<\/span> \/realms\/master<\/span>\r\n            port<\/span>:<\/span> 8080<\/span>\r\n        volumeMounts<\/span>:<\/span> # \u518d\u8d77\u52d5\u3057\u3066\u3082\u30c7\u30fc\u30bf\u304c\u63ee\u767a\u3057\u306a\u3044\u3088\u3046\u66ab\u5b9a\u3067hostPath\u306b\u30de\u30a6\u30f3\u30c8<\/span>\r\n        -<\/span> name<\/span>:<\/span> \"<\/span>keycloak-persistent-storage\"<\/span>\r\n          mountPath<\/span>:<\/span> \"<\/span>\/opt\/keycloak\/data\"<\/span>\r\n        -<\/span> name<\/span>:<\/span> \"<\/span>keycloak-ssl\"<\/span> # \u30ad\u30fc\u30da\u30a2\u683c\u7d0d\u5148<\/span>\r\n          mountPath<\/span>:<\/span> \"<\/span>\/opt\/keycloak\/tls\"<\/span>\r\n      volumes<\/span>:<\/span>\r\n      -<\/span> name<\/span>:<\/span> keycloak-persistent-storage<\/span>\r\n        hostPath<\/span>:<\/span>\r\n          path<\/span>:<\/span> \/srv\/keycloak<\/span>\r\n          type<\/span>:<\/span> DirectoryOrCreate<\/span>\r\n      -<\/span> name<\/span>:<\/span> keycloak-ssl<\/span> # \u8a3c\u660e\u66f8\u683c\u7d0d\u5148<\/span>\r\n        hostPath<\/span>:<\/span>\r\n          path<\/span>:<\/span> \/srv\/keycloak-ssl<\/span>     \r\n          type<\/span>:<\/span>  DirectoryOrCreate<\/span>\r\n<\/code><\/pre>\n
\u90e8\u7f72\u6267\u884c<\/p>\n
# kubectl apply -f keycloak.yaml\r\nnamespace\/keycloak created\r\nservice\/keycloak created\r\ndeployment.apps\/keycloak created\r\n\r\n# kubectl -n keycloak get all\r\nNAME                            READY   STATUS    RESTARTS   AGE\r\npod\/keycloak-679b66bbd8-l2n9g   1\/1     Running   0          5m16s\r\n\r\nNAME               TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                         AGE\r\nservice\/keycloak   NodePort   10.102.40.27   <none>        8080:31008\/TCP,8443:32084\/TCP   5m16s\r\n\r\nNAME                       READY   UP-TO-DATE   AVAILABLE   AGE\r\ndeployment.apps\/keycloak   1\/1     1            1           5m16s\r\n\r\nNAME                                  DESIRED   CURRENT   READY   AGE\r\nreplicaset.apps\/keycloak-679b66bbd8   1         1         1       5m16s\r\n<\/code><\/pre>\n
Keycloak\u540d\u524d\u89e3\u6c7a\u8a2d\u5b9a<\/h3>\n
\u7531\u4e8e\u8fd9\u6b21\u662f\u9a8c\u8bc1\uff0c\u8bf7\u5728\/etc\/hosts\u6587\u4ef6\u4e2d\u6dfb\u52a0\u8bb0\u5f55\u5e76\u8fdb\u884c\u76f8\u5e94\u7684\u5904\u7406\u3002
\n*\u5728Keycloak\u7684\u6d4f\u89c8\u5668\u8bbf\u95ee\u8bbe\u5907\u548cminikube\u865a\u62df\u673a\u4e0a\u5206\u522b\u8fdb\u884c\u6dfb\u52a0\u3002<\/p>\n
\u786e\u8ba4 minikube \u865a\u62df\u673a\u7684 IP \u5730\u5740\u3002<\/p>\n
# minikube ip\r\n192.168.59.101\r\n<\/code><\/pre>\n
\/etc\/hosts \u8bf7\u5c06\u4ee5\u4e0b\u5185\u5bb9\u7528\u4e2d\u6587\u672c\u5730\u5316\uff1a<\/p>\n
\u30fb\u30fb\u30fb\r\n<minikube VM IP>\tkeycloak.example.com\r\n\u30fb\u30fb\u30fb\r\n<\/code><\/pre>\n
6. Keycloak\u8bbf\u95ee\u786e\u8ba4<\/h2>\n
\u8fdb\u884c\u5bf9Keycloak\u7684\u8bbf\u95ee\u786e\u8ba4\u3002<\/p>\n
\u68c0\u67e5curl\u8bbf\u95ee\uff08HTTPS\uff09<\/h3>\n
\u4f7f\u7528curl\u547d\u4ee4\u4eceminikube\u865a\u62df\u673a\u9a8c\u8bc1\u662f\u5426\u53ef\u4ee5\u8fdb\u884cHTTPS\u8bbf\u95ee\u3002
\n\u7531\u4e8eKeycloak\u4f7f\u7528\u81ea\u7b7e\u540d\u8bc1\u4e66\uff0c\u56e0\u6b64\u4f7f\u7528\u516c\u94a5\u5bf9\u5176\u8fdb\u884cCA\u7b7e\u540d\u3002
\n\u56e0\u6b64\uff0c\u5728\u8fdb\u884cTLS\u8fde\u63a5\u65f6\uff0c\u5ba2\u6237\u7aef\u9700\u8981\u4fe1\u4efbKeycloak\u7684CA\u8bc1\u4e66\uff08\u5373\u516c\u94a5\uff09\uff0c\u4ee5\u5b9e\u73b0\u8bbf\u95ee\u3002<\/p>\n
# curl -v --cacert \/etc\/kubernetes\/ssl\/kc-ca.crt https:\/\/keycloak.example.com:32084\r\n<\/code><\/pre>\n
\u6d4f\u89c8\u5668\u8bbf\u95ee\u786e\u8ba4\uff08HTTP\uff09<\/h3>\n
\u4f7f\u7528\u6d4f\u89c8\u5668\u8bbf\u95ee\u4ee5\u4e0b\u7f51\u5740\u3002
\n* \u7531\u4e8e\u76f4\u63a5\u4f7f\u7528\u6d4f\u89c8\u5668\u901a\u8fc7HTTPS\u8bbf\u95ee\u65e0\u6cd5\u663e\u793a\u9875\u9762\uff08ERR_SSL_KEY_USAGE_INCOMPATIBLE\uff09\uff0c\u6545\u6539\u4e3a\u4f7f\u7528HTTP\u8bbf\u95ee\u3002<\/p>\n
http:\/\/keycloak.example.com:31008\r\n<\/code><\/pre>\n
7. Keycloak\u7684\u914d\u7f6e\u3002<\/h2>\n
\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95eeKeycloak\u5e76\u8fdb\u884c\u4ee5\u4e0b\u914d\u7f6e\u3002<\/p>\n
\u8bbf\u95ee\u7ba1\u7406\u754c\u9762<\/h3>\n
\u4f7f\u7528ID\/Password=admin\u767b\u5f55\u5230\u7ba1\u7406\u63a7\u5236\u53f0\u3002<\/p>\n
\"pic2.png\"<\/div>\n
\u521b\u5efa\u9886\u57df<\/h3>\n
\u5728Keycloak\u4e2d\u521b\u5efa\u4e0e\u79df\u6237\u6982\u5ff5\u76f8\u5bf9\u5e94\u7684Realm\u3002\u672c\u6b21\u521b\u5efa\u7684Realm\u540d\u79f0\u4e3a”kubernetes”\u3002<\/p>\n
\"pic5.png\"<\/div>\n
\u521b\u5efaClients\u548cClientScopes\u3002<\/h3>\n
\u521b\u5efa\u4e00\u4e2a\u5ba2\u6237\u7aef\u5e76\u8bbe\u7f6e\u76f8\u5e94\u7684\u5ba2\u6237\u7aef\u8303\u56f4\uff0c\u4f5c\u4e3aKeycloak\u7684\u8eab\u4efd\u9a8c\u8bc1\u63a5\u6536\u7aef\u3002<\/p>\n
\u5236\u4f5c\u5ba2\u6237\u7aef<\/p>\n
Client ID: kubernetes<\/p>\n
Access Type: confidential<\/p>\n
Valid Redirect URIs: http:\/\/* https:\/\/*<\/p>\n
\"pic9.png\"<\/div>\n
\u521b\u5efa\u5ba2\u6237\u8303\u56f4<\/p>\n
Client Scope: groups<\/p>\n
Mappers: name groups\u3092\u8ffd\u52a0<\/p>\n
\"pic17.png\"<\/div>\n
\u5411\u5ba2\u6237\u7aef\u7684\u5ba2\u6237\u7aef\u8303\u56f4\u6dfb\u52a0groups\u3002<\/p>\n
\"pic20.png\"<\/div>\n
\u4ece\u5ba2\u6237\u7aef\u51ed\u636e\u4e2d\u83b7\u53d6\u5bc6\u94a5<\/p>\n
\"pic21.png\"<\/div>\n
\u521b\u5efa\u7528\u6237\u548c\u7ec4<\/h3>\n
\u521b\u5efa\u7528\u4e8e\u8ba4\u8bc1\u7684\u7528\u6237\u548c\u7ec4\u3002<\/p>\n
administrators\u3001developers\u3068\u3044\u3046\u30b0\u30eb\u30fc\u30d7\u3092\u4f5c\u6210\u3002
\n\u3053\u308c\u3089\u306e\u30b0\u30eb\u30fc\u30d7\u306b\u5bfe\u3057\u3066\u5f8c\u7a0bRBAC\u306b\u3088\u308aKubernetes\u30af\u30e9\u30b9\u30bf\u30fc\u306b\u5bfe\u3059\u308b\u6a29\u9650\u3092\u4ed8\u4e0e\u3059\u308b<\/p>\n
administrators: Kubernetes\u30af\u30e9\u30b9\u30bf\u30fc\u306e\u7ba1\u7406\u8005\u6a29\u9650\u3092\u6301\u3064\u30b0\u30eb\u30fc\u30d7<\/p>\n
developers: Kubernetes\u30af\u30e9\u30b9\u30bf\u30fc\u306b\u5bfe\u3057\u3066\u7279\u5b9a\u306e\u6a29\u9650\u306e\u307f\u3057\u304b\u6301\u305f\u306a\u3044\u30b0\u30eb\u30fc\u30d7<\/p>\n
\u5c3d\u7ba1\u622a\u56fe\u53ea\u663e\u793a\u4e86\u7ba1\u7406\u5458\u7684\u521b\u5efa\uff0c\u4f46\u4e5f\u8981\u540c\u6837\u521b\u5efa\u5f00\u53d1\u4eba\u5458\u3002<\/p>\n
\"pic24.png\"<\/div>\n
\u521b\u5efa\u540d\u4e3aadmin-user\u548cdev-user\u7684\u7528\u6237\u3002<\/p>\n
admin-user: administrators\u30b0\u30eb\u30fc\u30d7\u306b\u6240\u5c5e<\/p>\n
dev-user: developers\u30b0\u30eb\u30fc\u30d7\u306b\u6240\u5c5e<\/p>\n
\u53ea\u663e\u793a\u4e86\u521b\u5efaadmin-user\uff0c\u4f46\u662f\u9700\u8981\u540c\u6837\u521b\u5efadev-user\u3002
\n\u5bc6\u7801\u53ef\u4ee5\u8bbe\u7f6e\u4e3a\u4efb\u610f\u503c\uff08\u5728\u6b64\u8bbe\u7f6e\u4e3aP@ssw0rd\uff09\u3002<\/p>\n
\"pic27.png\"<\/div>\n
\u78ba\u8a8d<\/h3>\n
\u786e\u8ba4\u53ef\u4ee5\u901a\u8fc7\u4ee5\u4e0b\u547d\u4ee4\u5728Keycloak\u4e0a\u8fdb\u884c\u8ba4\u8bc1\uff0c\u5e76\u83b7\u53d6id-token\u548crefresh-token\u3002<\/p>\n
# curl -k -d \"grant_type=password\" -d \"scope=openid\" -d \"client_id=kubernetes\" -d \"client_secret=<client=kubernetes\u306eSecret>\" -d \"username=<Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u540d>\" -d \"password=<Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u30d1\u30b9\u30ef\u30fc\u30c9>\" https:\/\/keycloak.example.com:32084\/realms\/kubernetes\/protocol\/openid-connect\/token | jq .\r\n\r\n\u30fb\u30fb\u30fb\r\n{\r\n  \"access_token\": \u30fb\u30fb\u30fb,\r\n  \"expires_in\": 300,\r\n  \"refresh_expires_in\": 1800,\r\n  \"refresh_token\": \u30fb\u30fb\u30fb\r\n  \"id_token\": \u30fb\u30fb\u30fb,\r\n  \"not-before-policy\": 0,\r\n  \"session_state\": \u30fb\u30fb\u30fb,\r\n  \"scope\": \"openid profile email groups\"\r\n}\r\n<\/code><\/pre>\n
\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5bf9\u6bcf\u4e2a\u4ee4\u724c\u8fdb\u884c\u9a8c\u8bc1\u3002<\/p>\n
exp: token\u6709\u52b9\u671f\u9650\uff08UNIX\u6642\u9593\uff09<\/p>\n
iat: token\u767a\u884c\u6642\u9593\uff08UNIX\u6642\u9593\uff09<\/p>\n
active: token\u306e\u6709\u52b9\u6709\u7121<\/p>\n
# curl -k --user \"kubernetes:<client=kubernetes\u306esecret>\" -d \"token=<token>\" https:\/\/keycloak.example.com:32084\/realms\/kubernetes\/protocol\/openid-connect\/token\/introspect | jq .\r\n\r\n\u30fb\u30fb\u30fb\r\n{\r\n  \"exp\": 1651997178,\r\n  \"iat\": 1651996878,\r\n  \u30fb\u30fb\u30fb\r\n  \"active\": true\r\n}\r\n<\/code><\/pre>\n
8. Kubernetes\u7684API\u670d\u52a1\u5668\u914d\u7f6e<\/h2>\n
kube-apiserver\u304cKeycloak\u3092\u7528\u3044\u3066OIDC\u8a8d\u8a3c\u3092\u884c\u3046\u305f\u3081\u306e\u8a2d\u5b9a\u3092\u884c\u3046\u3002
\nminikube VM\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3001kube-apiserver\u306emanifest\u306b\u8d77\u52d5OP\u304a\u3088\u3073KeycloakCA\u8a3c\u660e\u66f8\uff08=\u516c\u958b\u9375)\u683c\u7d0d\u5148\u3092volumeMounts\u3059\u308b\u3002
\n\u306a\u304a\u3001kube-apiserver\u306fStatic Pod\u3068\u3057\u3066\u8d77\u52d5\u3057\u3066\u3044\u308b\u305f\u3081manifest\u5909\u66f4\u5f8c\u306b\u81ea\u52d5\u7684\u306b\u518d\u30c7\u30d7\u30ed\u30a4\u3055\u308c\u308b\u3002<\/p>\n
\/etc\/kubernetes\/manifests\/kube-apiserver.yaml<\/p>\n
\u30fb\u30fb\u30fb<\/span>\r\nspec<\/span>:<\/span>\r\n  containers<\/span>:<\/span>\r\n  -<\/span> command<\/span>:<\/span>\r\n    -<\/span> kube-apiserver<\/span>\r\n    \u30fb\u30fb\u30fb<\/span>\r\n    -<\/span> --oidc-issuer-url=https:\/\/keycloak.example.com:32084\/realms\/kubernetes<\/span>\r\n    -<\/span> --oidc-client-id=kubernetes<\/span>\r\n    -<\/span> --oidc-username-claim=name<\/span>\r\n    -<\/span> --oidc-groups-claim=groups<\/span>\r\n    -<\/span> --oidc-ca-file=\/etc\/kubernetes\/ssl\/kc-ca.crt<\/span>\r\n    \u30fb\u30fb\u30fb<\/span>\r\n    volumeMounts<\/span>:<\/span>\r\n    \u30fb\u30fb\u30fb<\/span>\r\n    -<\/span> mountPath<\/span>:<\/span> \/etc\/kubernetes\/ssl<\/span>\r\n      name<\/span>:<\/span> keycloak-ca-certificates<\/span>\r\n      readOnly<\/span>:<\/span> true<\/span>\r\n  \u30fb\u30fb\u30fb<\/span>\r\n  volumes<\/span>:<\/span> \r\n  \u30fb\u30fb\u30fb<\/span>\r\n  -<\/span> hostPath<\/span>:<\/span>\r\n      path<\/span>:<\/span> \/etc\/kubernetes\/ssl<\/span>\r\n      type<\/span>:<\/span> DirectoryOrCreate<\/span>\r\n    name<\/span>:<\/span> keycloak-ca-certificates<\/span>\r\nstatus<\/span>:<\/span> {}<\/span> \r\n<\/code><\/pre>\n
9. \u5236\u5b9aRBAC\u7cfb\u7edf<\/h2>\n
Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30b0\u30eb\u30fc\u30d7\u306b\u5bfe\u3057\u3066RBAC\u306e\u8a2d\u5b9a\u3092\u884c\u3046\u3002
\n\u4eca\u56de\u306f\u305d\u308c\u305e\u308c\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u6a29\u9650\u8a2d\u5b9a\u3068\u3059\u308b\u3002<\/p>\n
administrators: \u30af\u30e9\u30b9\u30bf\u30fc\u306b\u5bfe\u3059\u308b\u5168\u3066\u306e\u6a29\u9650\u3092\u4ed8\u4e0e\uff08\u30d3\u30eb\u30c9\u30a4\u30f3\u306eClusterRole=cluster-admin\u3092\u30d0\u30a4\u30f3\u30c9\uff09<\/p>\n
developers: Namespace\u3068Pod\u306e\u53c2\u7167\u6a29\u9650\u306e\u307f\u3092\u4ed8\u4e0e\uff08\u72ec\u81ea\u3067ClusterRole=developer-role\u3092\u4f5c\u6210\u3057\u3066\u30d0\u30a4\u30f3\u30c9\uff09<\/p>\n
\u7ba1\u7406\u5458\u89d2\u8272\u914d\u7f6e\u6587\u4ef6.yaml<\/p>\n
kind<\/span>:<\/span> ClusterRoleBinding<\/span>\r\napiVersion<\/span>:<\/span> rbac.authorization.k8s.io\/v1<\/span>\r\nmetadata<\/span>:<\/span>\r\n  name<\/span>:<\/span> administrator-crb<\/span>\r\nroleRef<\/span>:<\/span>\r\n  apiGroup<\/span>:<\/span> rbac.authorization.k8s.io<\/span>\r\n  kind<\/span>:<\/span> ClusterRole<\/span>\r\n  name<\/span>:<\/span> cluster-admin<\/span>\r\nsubjects<\/span>:<\/span>\r\n-<\/span> kind<\/span>:<\/span> Group<\/span>\r\n  name<\/span>:<\/span> \"<\/span>administrators\"<\/span>\r\n  apiGroup<\/span>:<\/span> rbac.authorization.k8s.io<\/span>\r\n<\/code><\/pre>\n
devrole.yaml-\u8bf7\u5c06devrole.yaml\u8fdb\u884c\u91ca\u4e49\u3002<\/p>\n
kind<\/span>:<\/span> ClusterRole<\/span>\r\napiVersion<\/span>:<\/span> rbac.authorization.k8s.io\/v1<\/span>\r\nmetadata<\/span>:<\/span>\r\n  name<\/span>:<\/span> developer-role<\/span>\r\nrules<\/span>:<\/span>\r\n  -<\/span> apiGroups<\/span>:<\/span> [<\/span>\"<\/span>\"<\/span>]<\/span>\r\n    resources<\/span>:<\/span> [<\/span>\"<\/span>namespaces\"<\/span>,<\/span>\"<\/span>pods\"<\/span>]<\/span>\r\n    verbs<\/span>:<\/span> [<\/span>\"<\/span>get\"<\/span>,<\/span> \"<\/span>watch\"<\/span>,<\/span> \"<\/span>list\"<\/span>]<\/span>\r\n---<\/span>\r\nkind<\/span>:<\/span> ClusterRoleBinding<\/span>\r\napiVersion<\/span>:<\/span> rbac.authorization.k8s.io\/v1<\/span>\r\nmetadata<\/span>:<\/span>\r\n  name<\/span>:<\/span> developer-crb<\/span>\r\nroleRef<\/span>:<\/span>\r\n  apiGroup<\/span>:<\/span> rbac.authorization.k8s.io<\/span>\r\n  kind<\/span>:<\/span> ClusterRole<\/span>\r\n  name<\/span>:<\/span> developer-role<\/span>\r\nsubjects<\/span>:<\/span>\r\n-<\/span> kind<\/span>:<\/span> Group<\/span>\r\n  name<\/span>:<\/span> \"<\/span>developers\"<\/span>\r\n  apiGroup<\/span>:<\/span> rbac.authorization.k8s.io<\/span>\r\n<\/code><\/pre>\n
\u30af\u30e9\u30b9\u30bf\u30fc\u306b\u9069\u7528<\/p>\n
# kubectl apply -f adminrole.yaml\r\nclusterrolebinding.rbac.authorization.k8s.io\/administrator-crb created\r\n\r\n# kubectl apply -f devrole.yaml\r\nclusterrole.rbac.authorization.k8s.io\/developer-role created\r\nclusterrolebinding.rbac.authorization.k8s.io\/developer-crb created\r\n<\/code><\/pre>\n
10.kubectl\u306e\u8a2d\u5b9a<\/h2>\n
kubectl\u306b\u306fOIDC ID \u30d7\u30ed\u30d0\u30a4\u30c0\u30fc\u306b\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u4ed5\u7d44\u307f\u304c\u7528\u610f\u3055\u308c\u3066\u3044\u306a\u3044\u305f\u3081\u3001
\n\u624b\u52d5\u3067\u30ed\u30b0\u30a4\u30f3\u304a\u3088\u3073kubeconfig\u3078\u306etoken\u8a2d\u5b9a\u3092\u884c\u3046\u3002<\/p>\n
\"pic28.png\"<\/div>\n
\u4f3c\u4e4e\u5b58\u5728\u4e00\u79cd\u53ef\u4ee5\u901a\u8fc7kubectl\u8fdb\u884c\u767b\u5f55\u7684\u63d2\u4ef6\u3002kubelogin \u53ef\u5728 GitHub \u4e0a\u627e\u5230\uff1ahttps:\/\/github.com\/int128\/kubelogin\u3002<\/p>\n
\u6b65\u9aa41\uff1a\u767b\u5f55Keycloak<\/h3>\n
\u53ef\u4ee5\u901a\u8fc7\u4ee5\u4e0b\u547d\u4ee4\u5728Keycloak\u4e0a\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u83b7\u53d6id-token\u548crefresh-token\u3002<\/p>\n
# curl -k -d \"grant_type=password\" -d \"scope=openid\" -d \"client_id=kubernetes\" -d \"client_secret=<client=kubernetes\u306esecret>\" -d \"username=<Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u540d>\" -d \"password=<Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u30d1\u30b9\u30ef\u30fc\u30c9>\" https:\/\/keycloak.example.com:32084\/realms\/kubernetes\/protocol\/openid-connect\/token | jq .\r\n<\/code><\/pre>\n
\u6b65\u9aa42\uff1a\u8bbe\u7f6ekubeconfig\u914d\u7f6e\u6587\u4ef6<\/h3>\n
\u4f7f\u7528\u83b7\u5f97\u7684id-token\u548crefresh-token\u6765\u914d\u7f6ekubeconfig\u3002<\/p>\n
# kubectl config set-credentials <Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u540d> \\\r\n    \"--auth-provider=oidc\" \\\r\n    \"--auth-provider-arg=idp-issuer-url=https:\/\/keycloak.example.com:32084\/realms\/kubernetes\" \\\r\n    \"--auth-provider-arg=client-id=kubernetes\" \\\r\n    \"--auth-provider-arg=idp-certificate-authority=<keycloak\u516c\u958b\u9375\u306e\u30d1\u30b9>\" \\\r\n    \"--auth-provider-arg=client-secret=<client=kubernetes\u306esecret>\" \\\r\n    \"--auth-provider-arg=id-token=<id-token>\" \\\r\n    \"--auth-provider-arg=refresh-token=<refresh-token>\"\r\n    \r\n# kubectl config set-context <Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u540d>@<kubeconfig\u3067\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308bk8s\u30af\u30e9\u30b9\u30bf\u540d> --cluster=<kubeconfig\u3067\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308bk8s\u30af\u30e9\u30b9\u30bf\u540d> --user=<Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u540d>\r\n\r\n# kubectl config use-context <Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u540d>@<kubeconfig\u3067\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308bk8s\u30af\u30e9\u30b9\u30bf\u540d>\r\nSwitched to context \"<Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u540d>@<kubeconfig\u3067\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308bk8s\u30af\u30e9\u30b9\u30bf\u540d>\".\r\n<\/code><\/pre>\n
\u4f7f\u7528shell\u811a\u672c\u4e00\u6b21\u6027\u6267\u884c\u4e0a\u8ff0\u64cd\u4f5c<\/p>\n
#!\/bin\/bash<\/span>\r\n\r\nscope<\/span>=<\/span>openid\r\nclient_id<\/span>=<\/span>kubernetes\r\nclient_secret<\/span>=<\/span><client<\/span>=<\/span>kubernetes\u306esecret>\r\nusername<\/span>=<\/span><Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u540d>\r\npassword<\/span>=<\/span><Keycloak\u3067\u4f5c\u6210\u3057\u305f\u30e6\u30fc\u30b6\u30fc\u30d1\u30b9\u30ef\u30fc\u30c9>\r\noidc_url<\/span>=<\/span>https:\/\/keycloak.example.com:32084\/realms\/kubernetes\/protocol\/openid-connect\/token\r\nrealm_url<\/span>=<\/span>https:\/\/keycloak.example.com:32084\/realms\/kubernetes\r\ncertificate<\/span>=<\/span><keycloak\u516c\u958b\u9375\u306e\u30d1\u30b9>\r\ncluster<\/span>=<\/span><kubeconfig\u3067\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308bk8s\u30af\u30e9\u30b9\u30bf\u540d>\r\n\r\n### Generate Authentication token<\/span>\r\n\r\njson_data<\/span>=<\/span>`<\/span>curl -k<\/span> -d<\/span> \"grant_type=password\"<\/span> -d<\/span> \"scope=<\/span>${<\/span>scope<\/span>}<\/span>\"<\/span> -d<\/span> \"client_id=<\/span>${<\/span>client_id<\/span>}<\/span>\"<\/span> -d<\/span> \"client_secret=<\/span>${<\/span>client_secret<\/span>}<\/span>\"<\/span> -d<\/span> \"username=<\/span>${<\/span>username<\/span>}<\/span>\"<\/span> -d<\/span> \"password=<\/span>${<\/span>password<\/span>}<\/span>\"<\/span> ${<\/span>oidc_url<\/span>}<\/span>`<\/span>\r\n\r\nid_token<\/span>=<\/span>`<\/span>echo<\/span> $json_data<\/span> | jq '.id_token'<\/span> | tr<\/span> -d<\/span> '\"'<\/span>`<\/span>\r\nrefresh_token<\/span>=<\/span>`<\/span>echo<\/span> $json_data<\/span> | jq '.refresh_token'<\/span> | tr<\/span> -d<\/span> '\"'<\/span>`<\/span>\r\naccess_token<\/span>=<\/span>`<\/span>echo<\/span> $json_data<\/span> | jq '.access_token'<\/span> | tr<\/span> -d<\/span> '\"'<\/span>`<\/span>\r\n\r\n### Print tokens<\/span>\r\n\r\necho<\/span> \"ID_TOKEN=<\/span>$id_token<\/span>\"<\/span>;<\/span> echo\r\necho<\/span> \"REFRESH_TOKEN=<\/span>$refresh_token<\/span>\"<\/span>;<\/span> echo\r\necho<\/span> \"ACCESS_TOKEN=<\/span>$access_token<\/span>\"<\/span>;<\/span> echo<\/span>\r\n\r\n### Introspect the id token<\/span>\r\n\r\ntoken<\/span>=<\/span>`<\/span>curl -k<\/span> --user<\/span> \"<\/span>${<\/span>client_id<\/span>}<\/span>:<\/span>${<\/span>client_secret<\/span>}<\/span>\"<\/span> -d<\/span> \"token=<\/span>${<\/span>id_token<\/span>}<\/span>\"<\/span> ${<\/span>oidc_url<\/span>}<\/span>\/introspect`<\/span>\r\ntoken_details<\/span>=<\/span>`<\/span>echo<\/span> $token<\/span> | jq .`<\/span>\r\necho<\/span> $token_details<\/span>\r\n\r\n### Update kubectl config<\/span>\r\n\r\nkubectl config set-credentials ${<\/span>username<\/span>}<\/span> \\<\/span>\r\n    \"--auth-provider=oidc\"<\/span> \\<\/span>\r\n    \"--auth-provider-arg=idp-issuer-url=<\/span>${<\/span>realm_url<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    \"--auth-provider-arg=client-id=<\/span>${<\/span>client_id<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    \"--auth-provider-arg=client-secret=<\/span>${<\/span>client_secret<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    \"--auth-provider-arg=refresh-token=<\/span>${<\/span>refresh_token<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    \"--auth-provider-arg=idp-certificate-authority=<\/span>${<\/span>certificate<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    \"--auth-provider-arg=id-token=<\/span>${<\/span>id_token<\/span>}<\/span>\"<\/span>\r\n\r\n### Create new context<\/span>\r\n\r\nkubectl config set-context ${<\/span>username<\/span>}<\/span>@${<\/span>cluster<\/span>}<\/span> --cluster<\/span>=<\/span>${<\/span>cluster<\/span>}<\/span> --user<\/span>=<\/span>${<\/span>username<\/span>}<\/span>\r\n\r\n### Set current context<\/span>\r\nkubectl config use-context ${<\/span>username<\/span>}<\/span>@${<\/span>cluster<\/span>}<\/span> \r\n\r\n### Validate access with new context<\/span>\r\n\r\nkubectl get pods\r\n\r\n<\/code><\/pre>\n
11. \u78ba\u8a8d\u884c\u52d5<\/h2>\n
\u4f7f\u7528\u5728Keycloak\u4e0a\u521b\u5efa\u7684\u7528\u6237\u6765\u9a8c\u8bc1\u5bf9Kubernetes\u96c6\u7fa4\u7684\u8bbf\u95ee\u6743\u9650\u3002<\/p>\n
\u7ba1\u7406\u5458 – \u7528\u6237<\/h3>\n
\u5bf9\u4e8e\u96c6\u7fa4\uff0c\u53ef\u4ee5\u6267\u884c\u6240\u6709\u64cd\u4f5c\u3002<\/p>\n
# kubectl -n kube-system get all\r\nNAME                                   READY   STATUS    RESTARTS      AGE\r\npod\/coredns-64897985d-dn9c4            1\/1     Running   0             125m\r\npod\/etcd-minikube                      1\/1     Running   0             125m\r\npod\/kube-apiserver-minikube            1\/1     Running   0             15m\r\npod\/kube-controller-manager-minikube   1\/1     Running   0             125m\r\npod\/kube-proxy-gbw5v                   1\/1     Running   0             125m\r\npod\/kube-scheduler-minikube            1\/1     Running   0             125m\r\npod\/storage-provisioner                1\/1     Running   4 (15m ago)   125m\r\n\r\nNAME               TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE\r\nservice\/kube-dns   ClusterIP   10.96.0.10   <none>        53\/UDP,53\/TCP,9153\/TCP   125m\r\n\r\nNAME                        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE\r\ndaemonset.apps\/kube-proxy   1         1         1       1            1           kubernetes.io\/os=linux   125m\r\n\r\nNAME                      READY   UP-TO-DATE   AVAILABLE   AGE\r\ndeployment.apps\/coredns   1\/1     1            1           125m\r\n\r\nNAME                                DESIRED   CURRENT   READY   AGE\r\nreplicaset.apps\/coredns-64897985d   1         1         1       125m\r\n<\/code><\/pre>\n
\u4eb2\u7231\u7684\u7528\u6237<\/h3>\n
\u53c2\u7167\u672a\u7ecf\u8bb8\u53ef\u7684\u8d44\u6e90\u4f1a\u5bfc\u81f4\u9519\u8bef\u3002<\/p>\n
# kubectl -n kube-system get all\r\nNAME                               READY   STATUS    RESTARTS      AGE\r\ncoredns-64897985d-dn9c4            1\/1     Running   0             128m\r\netcd-minikube                      1\/1     Running   0             128m\r\nkube-apiserver-minikube            1\/1     Running   0             17m\r\nkube-controller-manager-minikube   1\/1     Running   0             128m\r\nkube-proxy-gbw5v                   1\/1     Running   0             128m\r\nkube-scheduler-minikube            1\/1     Running   0             128m\r\nstorage-provisioner                1\/1     Running   4 (18m ago)   128m\r\nError from server (Forbidden): replicationcontrollers is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"replicationcontrollers\" in API group \"\" in the namespace \"kube-system\"\r\nError from server (Forbidden): services is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"services\" in API group \"\" in the namespace \"kube-system\"\r\nError from server (Forbidden): daemonsets.apps is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"daemonsets\" in API group \"apps\" in the namespace \"kube-system\"\r\nError from server (Forbidden): deployments.apps is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"deployments\" in API group \"apps\" in the namespace \"kube-system\"\r\nError from server (Forbidden): replicasets.apps is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"replicasets\" in API group \"apps\" in the namespace \"kube-system\"\r\nError from server (Forbidden): statefulsets.apps is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"statefulsets\" in API group \"apps\" in the namespace \"kube-system\"\r\nError from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"horizontalpodautoscalers\" in API group \"autoscaling\" in the namespace \"kube-system\"\r\nError from server (Forbidden): cronjobs.batch is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"kube-system\"\r\nError from server (Forbidden): jobs.batch is forbidden: User \"https:\/\/keycloak.example.com:32084\/realms\/kubernetes#user dev\" cannot list resource \"jobs\" in API group \"batch\" in the namespace \"kube-system\"\r\n<\/code><\/pre>\n
\u7ee7\u7eed<\/h2>\n
\u4f7f\u7528Keycloak\u7684OIDC\u8eab\u4efd\u9a8c\u8bc1\u5728Kubernetes\u4e0a\u8fdb\u884c\u79df\u6237\u63a7\u5236\u3002<\/p>\n
\u8bf7\u9605\u8bfb\u4ee5\u4e0b\u5185\u5bb9\u3002<\/h2>\n
Keycloak\/\u5165\u95e8\/Kubernetes
\nhttps:\/\/www.keycloak.org\/\u5165\u95e8\/\u5165\u95e8-kube<\/p>\n
Kubernetes\/\u8eab\u4efd\u9a8c\u8bc1
\nhttps:\/\/kubernetes.io\/zh\/docs\/reference\/access-authn-authz\/authentication\/#openid-connect-tokens<\/p>\n
\u5982\u4f55\u5728Kubernetes\u4e2d\u4f7f\u7528Keycloak OIDC\u63d0\u4f9b\u8005\u5bf9\u7528\u6237\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1<\/p>\n
How to authenticate user with Keycloak OIDC Provider in Kubernetes<\/a><\/p><\/blockquote>\n