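# Install the Go toolchain and fetch the webhook sources.
# Go 1.14 is what this guide was written against; pick a currently supported
# release from https://go.dev/dl/ and paste its published SHA-256 below. A
# tarball pulled over the network without a checksum check is a supply-chain
# risk for a component that will handle domain passwords.
GO_VERSION=1.14
GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
GO_SHA256="<sha256 published for ${GO_TARBALL} on go.dev/dl>"
wget "https://dl.google.com/go/${GO_TARBALL}"
echo "${GO_SHA256}  ${GO_TARBALL}" | sha256sum -c - || { echo "checksum mismatch" >&2; exit 1; }
sudo tar -C /usr/local -xzf "${GO_TARBALL}"
# Append a literal (unexpanded) export line so the entry survives PATH changes,
# and set it for the current shell directly: sourcing ~/.bashrc from a
# non-interactive shell often returns early without applying it.
echo 'export PATH=$PATH:/usr/local/go/bin' >>~/.bashrc
export PATH="$PATH:/usr/local/go/bin"
#check
go version
git clone https://github.com/jotapff/k8s-samba-authentication.git
cd k8s-samba-authentication || exit 1
go get github.com/go-ldap/ldap
go get k8s.io/api/authentication/v1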
Edit main.go to match your LDAP/Samba AD configuration (the line numbers below refer to the upstream file at the time of writing and may have moved):
nano main.go
#Line 18 - Use ldaps:// if the LDAP server is configured over SSL/TLS (strongly preferred: a simple bind over plain ldap:// would send each user's password to the domain controller in clear text)
ldapURL = "ldaps://" + os.Args[1]
#Line 95
user := fmt.Sprintf("%s@KUBER.NET", username)
#Line 104
"cn=Users,dc=kuber,dc=net"
GOOS=linux GOARCH=amd64 go build main.go
Create a self-signed certificate. A certificate signed by a CA the API server trusts is recommended; either way the certificate must carry the address the API server will use to reach the webhook (IP or DNS name) as a subjectAltName, otherwise the API server cannot verify it and you are pushed towards disabling TLS verification.
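# Self-signed TLS certificate for the webhook.
# - The SAN must match the address the API server uses in webhook-config.yaml;
#   CN alone is not enough for modern TLS clients. Requires OpenSSL 1.1.1+
#   for -addext.
# - `req -x509` defaults to a 30-day validity, which would silently break
#   cluster logins after a month; set an explicit lifetime.
WEBHOOK_ADDR=X.X.X.X   # IP (or use DNS:name) the API server reaches the webhook on
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=${WEBHOOK_ADDR}" \
  -addext "subjectAltName=IP:${WEBHOOK_ADDR},IP:127.0.0.1,DNS:localhost" \
  -keyout key.pem \
  -out cert.pem
# Only the webhook process should be able to read the private key.
chmod 600 key.pem
# Smoke-run in the background: arguments are <LDAP server> <key> <cert>.
# Replace SERVER-LDAP with the domain controller address.
./main SERVER-LDAP key.pem cert.pem &>/var/log/k8s-samba-authentication.log &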
nano testldap.json
{
"apiVersion": "authentication.k8s.io/v1",
"kind": "TokenReview",
"spec": {
"token": "user:userpassword"
}
}
# Loopback smoke test of the webhook (-d already implies POST).
# -k is tolerable only for this local check; the API server's webhook
# kubeconfig must verify the certificate, never skip it.
curl -k -d @testldap.json https://127.0.0.1
# If "status.user" comes back empty the webhook is not working (check /var/log/k8s-samba-authentication.log). Note that the "token" this webhook accepts is literally "<user>:<password>" — the user's clear-text AD password, not a revocable bearer token — so any kubeconfig that stores it must be protected like a password file.
"status": {
"user": {}
}
nano /etc/systemd/system/webhook.service
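[Unit]
Description=Samba AD Webhook Authentication Server
# The webhook binds to the domain controller on every login; wait for the
# network to actually be up, not just configured.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Arguments: <LDAP/Samba DC address> <TLS private key> <TLS certificate>.
# The first argument is the LDAP server the webhook binds to, not the address
# it listens on — 127.0.0.1 is only correct if the DC runs on this host
# (the manual run above used SERVER-LDAP as a placeholder for it).
ExecStart=/root/k8s-samba-authentication/main 127.0.0.1 /root/k8s-samba-authentication/key.pem /root/k8s-samba-authentication/cert.pem
Restart=always
RestartSec=10
# Hardening: this process sees every user's AD password and runs as root
# (it binds :443 and reads files under /root). Keep the filesystem read-only
# and block privilege escalation. If the binary ever needs to write files,
# add the path with ReadWritePaths=.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes

[Install]
WantedBy=multi-user.target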
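# Load the new unit file, enable it at boot and start it in one step, then
# confirm it actually came up (a bad ExecStart path fails silently otherwise).
systemctl daemon-reload
systemctl enable --now webhook.service
systemctl status webhook.service --no-pager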
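#Install kubeadm and Docker
# Download the installer and read it before running it as root instead of
# piping it straight from the network into bash. -f makes curl fail on an
# HTTP error instead of handing an error page to the shell. Once reviewed,
# pin the URL to a commit hash rather than master so it cannot change later.
curl -fsSLo install.sh https://raw.githubusercontent.com/jotapff/k8s-docker-Install-Script-Ubuntu/master/install.sh
less install.sh
bash install.sh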
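# Kubeconfig the API server uses to call the authentication webhook.
# Do NOT set insecure-skip-tls-verify: anyone who can get between the API
# server and the webhook could then answer TokenReviews and mint arbitrary
# cluster identities. A self-signed certificate can be pinned by embedding it
# as the CA; it must carry the webhook address (server: below) in its SAN.
# The API server presents no client credential here, so anything that can
# reach the webhook port can submit TokenReviews (i.e. try AD passwords) —
# firewall the port to the control plane, or add client-certificate auth if
# the webhook supports it.
WEBHOOK_CERT=/root/k8s-samba-authentication/cert.pem
cat <<EOF > /root/webhook-config.yaml
apiVersion: v1
kind: Config
clusters:
- name: authn
  cluster:
    server: https://X.X.X.X   # webhook server address, must match the cert SAN
    certificate-authority-data: $(base64 -w0 "${WEBHOOK_CERT}")
users:
- name: kube-apiserver
contexts:
- context:
    cluster: authn
    user: kube-apiserver
  name: authn
current-context: authn
EOF
chmod 600 /root/webhook-config.yaml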
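# kubeadm configuration: mount the webhook kubeconfig into the kube-apiserver
# static pod (read-only — the API server only needs to read it) and point
# --authentication-token-webhook-config-file at it.
# Note the API server caches successful token reviews for 2 minutes by
# default (authentication-token-webhook-cache-ttl); a password change or
# account lockout in AD is not seen until that cache expires.
cat <<EOF >kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
apiServer:
  extraVolumes:
  - name: authentication-token-webhook-config-file
    mountPath: /etc/webhook-config.yaml
    hostPath: /root/webhook-config.yaml
    pathType: File
    readOnly: true
  extraArgs:
    authentication-token-webhook-config-file: /etc/webhook-config.yaml
  certSANs:
  - X.X.X.X   # IP address the Kubernetes API server listens on
networking:
  podSubnet: "10.244.0.0/16"
EOF
# v1beta2 is an old config version; let kubeadm migrate it to the current one.
kubeadm config migrate --old-config kubeadm-config.yaml --new-config kubeadm-config-new.yaml
kubeadm init --config kubeadm-config-new.yaml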
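#Install a CNI plugin.
# kubeadm init leaves the admin kubeconfig in /etc/kubernetes/admin.conf;
# kubectl on the control-plane node needs it before anything can be applied.
export KUBECONFIG=/etc/kubernetes/admin.conf
#Example the Flannel. Prefer pinning the manifest to a release tag or commit
# instead of master so what you apply to the cluster cannot change underneath you.
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml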
#Bind ClusterRoles or Roles to the users or groups the webhook returns in the TokenReview status (the names must match exactly)
#For example:
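# Example: give members of AD group "kuberadmin" full cluster access.
# The group name must match what the webhook returns for the user;
# cluster-admin is unrestricted, so for ordinary users prefer the built-in
# view/edit roles or a namespaced RoleBinding instead.
# (Re-indented: as printed in the original page this manifest was not valid YAML.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-admin-group
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  name: kuberadmin
  apiGroup: rbac.authorization.k8s.io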
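# Build a kubeconfig for an AD user.
# Fixes vs. the original sequence:
# - the credentials entry was named "testuser" but the context referenced
#   user "user", so requests went out with no token at all;
# - the API server's TLS was skipped; verify it with the kubeadm cluster CA
#   (/etc/kubernetes/pki/ca.crt on the control-plane node — copy it to a
#   workstation if you build the kubeconfig there);
# - the "token" is "<user>:<password>", i.e. the AD password: read it from
#   the terminal so it does not end up in shell history or `ps` output.
#   It is still stored in clear text in ~/.kube/config — protect that file.
read -rp 'AD username: ' ad_user
read -rsp 'AD password: ' ad_pass; echo
kubectl config set-cluster kubernetes \
  --server https://X.X.X.X:6443 \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true
kubectl config set-credentials testuser \
  --token "${ad_user}:${ad_pass}"
kubectl config set-context user-context \
  --cluster=kubernetes --user=testuser
kubectl config use-context user-context
unset ad_pass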