OpenShift 4 - Using OpenShift's OAuth Proxy to Add Authentication to an Application

Series index: OpenShift / RHEL / DevSecOps

Note: this article has been verified on OpenShift 4.13.


Notes

  • Besides the cluster administrator, this article needs one ordinary user in the cluster. Unless stated otherwise, all operations are performed as the cluster administrator.
  • If you need to log in again in the browser, clear the browser's cookies first.

Deploying the test application

  1. Run the following commands in order to create the application resources.
$ oc new-project reverse-words
$ cat << EOF | oc apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reverse-words
  labels:
    name: reverse-words
spec:
  replicas: 1
  selector:
    matchLabels:  
      name: reverse-words
  template:
    metadata:
      labels:
        name: reverse-words
    spec:
      containers:
        - name: reverse-words
          image: quay.io/mavazque/reversewords:latest 
          imagePullPolicy: Always
          ports:
            - name: reverse-words
              containerPort: 8080
              protocol: TCP
EOF

$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  labels:
    name: reverse-words
  name: reverse-words
spec:
  ports:
  - name: app
    port: 8080
    protocol: TCP
    targetPort: reverse-words
  selector:
    name: reverse-words
  sessionAffinity: None
  type: ClusterIP
EOF

$ oc create route edge reverse-words --service=reverse-words --port=app --insecure-policy=Redirect
  2. Access the application and confirm that it reverses the string.
$ curl -k https://$(oc get route reverse-words -o jsonpath='{.spec.host}') -X POST -d '{"word": "ABCD"}'
{"reverse_word":"DCBA"}

Allowing only authenticated users

  1. Create the Secret that OAuth Proxy uses to encrypt the login session cookie.
$ oc create secret generic reversewords-proxy --from-literal=session_secret=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c43)
  2. Create the service account used by the application, and annotate it with the Route that OAuth Proxy redirects unauthenticated requests to for login.
$ oc create serviceaccount reversewords
$ oc annotate serviceaccount reversewords serviceaccounts.openshift.io/oauth-redirectreference.reversewords='{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"reverse-words-authenticated"}}'
  3. Update the Deployment and Service. Note: this article uses OpenShift 4.13, so the proxy image is quay.io/openshift/origin-oauth-proxy:4.13.
$ cat << EOF | oc replace -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reverse-words
  labels:
    name: reverse-words
spec:
  replicas: 1
  selector:
    matchLabels:  
      name: reverse-words
  template:
    metadata:
      labels:
        name: reverse-words
    spec:
      containers:
        - name: reverse-words
          image: quay.io/mavazque/reversewords:latest 
          imagePullPolicy: Always
          ports:
            - name: reverse-words
              containerPort: 8080
              protocol: TCP
        - name: oauth-proxy 
          args:
            - -provider=openshift
            - -https-address=:8888
            - -http-address=
            - -email-domain=*
            - -upstream=http://localhost:8080
            - -tls-cert=/etc/tls/private/tls.crt
            - -tls-key=/etc/tls/private/tls.key
            - -cookie-secret-file=/etc/proxy/secrets/session_secret
            - -openshift-service-account=reversewords
            - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
            - -skip-auth-regex=^/metrics
          image: quay.io/openshift/origin-oauth-proxy:4.13
          imagePullPolicy: IfNotPresent
          ports:
            - name: oauth-proxy
              containerPort: 8888    
              protocol: TCP
          volumeMounts:
            - mountPath: /etc/tls/private
              name: secret-reversewords-tls
            - mountPath: /etc/proxy/secrets
              name: secret-reversewords-proxy
      serviceAccountName: reversewords
      volumes:
        - name: secret-reversewords-tls
          secret:
            defaultMode: 420
            secretName: reversewords-tls
        - name: secret-reversewords-proxy
          secret:
            defaultMode: 420
            secretName: reversewords-proxy
EOF

$ cat << EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-secret-name: reversewords-tls
  labels:
    name: reverse-words
  name: reverse-words
spec:
  ports:
  - name: proxy
    port: 8888
    protocol: TCP
    targetPort: oauth-proxy
  - name: app
    port: 8080
    protocol: TCP
    targetPort: reverse-words
  selector:
    name: reverse-words
  sessionAffinity: None
  type: ClusterIP
EOF
  4. Create the Route that requires login.
$ oc create route reencrypt reverse-words-authenticated --service=reverse-words --port=proxy --insecure-policy=Redirect
  5. Open the lower of the two Route addresses shown in the figure below (reverse-words-authenticated).
  6. Confirm that the browser is redirected to the login authorization page; after logging in, the application is reachable.
  7. Accessing the protected address directly in the following way returns a 403 error.
$ curl -k -I https://$(oc get route reverse-words-authenticated -o jsonpath='{.spec.host}')
HTTP/1.1 403 Forbidden
set-cookie: _oauth_proxy=; Path=/; Domain=reverse-words-authenticated-reverse-words.apps-crc.testing; Expires=Tue, 08 Aug 2023 05:22:50 GMT; HttpOnly; Secure
date: Tue, 08 Aug 2023 06:22:50 GMT
content-type: text/html; charset=utf-8
set-cookie: 24c429aac95893475d1e8c1316adf60f=facc03c3f22d98ccfadcfddc67771fd9; path=/; HttpOnly; Secure; SameSite=None
  8. Accessing the protected address directly with -L, you can see from the returned content that it is actually the login authorization page.
$ curl -k -L https://$(oc get route reverse-words-authenticated -o jsonpath='{.spec.host}')
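The two curl calls above are the checks to repeat whenever the proxy is reconfigured: an anonymous request must get a 403 rather than upstream content, and every session cookie must carry Secure and HttpOnly. The following script, an added example that is not part of the original post, automates that audit over the header dump printed by `curl -k -I`. It uses the 403 response captured above as the passing case and a constructed weaker response (a 200 and a cookie without Secure) as the failing case.

```python
from typing import Dict, List, Tuple

# Response captured on the page from `curl -k -I` against the reverse-words-authenticated Route.
PAGE_RESPONSE = """HTTP/1.1 403 Forbidden
set-cookie: _oauth_proxy=; Path=/; Domain=reverse-words-authenticated-reverse-words.apps-crc.testing; Expires=Tue, 08 Aug 2023 05:22:50 GMT; HttpOnly; Secure
date: Tue, 08 Aug 2023 06:22:50 GMT
content-type: text/html; charset=utf-8
set-cookie: 24c429aac95893475d1e8c1316adf60f=facc03c3f22d98ccfadcfddc67771fd9; path=/; HttpOnly; Secure; SameSite=None
"""

# Constructed (not captured) response of a misconfigured front end: anonymous callers
# reach the upstream (200) and the proxy cookie is sent without the Secure flag.
WEAK_RESPONSE = """HTTP/1.1 200 OK
set-cookie: _oauth_proxy=abc; Path=/; HttpOnly
content-type: text/html; charset=utf-8
"""


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a `curl -I` dump into (status code, [(header-name, value), ...])."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (cookie name, cookie value, {attribute-name (lower-case): attribute-value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_anonymous_response(raw: str) -> List[str]:
    """Findings for a response to an unauthenticated request; an empty list means it passed."""
    status, headers = parse_response(raw)
    findings = []
    if status != 403:
        findings.append(f"expected 403 for an anonymous request, got {status}")
    cookies = [parse_set_cookie(v) for n, v in headers if n == "set-cookie"]
    if not cookies:
        findings.append("no Set-Cookie header; is oauth-proxy actually in front of the Route?")
    for name, value, attrs in cookies:
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(f"cookie {name!r} lacks {', '.join(missing)}")
        # As the captured 403 shows, the proxy clears its own session cookie when it denies a request.
        if status == 403 and name == "_oauth_proxy" and value:
            findings.append("_oauth_proxy cookie still carries a value on a denied request")
    return findings


if __name__ == "__main__":
    for label, raw in (("page", PAGE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_anonymous_response(raw) or "OK")
```

To run it against a live cluster, pipe the output of `curl -k -I https://<route host>` into `audit_anonymous_response`; the `/metrics` path is exempted by `-skip-auth-regex` and is expected to answer without a 403.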

Allowing only authorized users

  1. Modify the Deployment and add the following two arguments to the oauth-proxy container's args (the -openshift-service-account line is already present from the previous section; -openshift-sar is the SubjectAccessReview every logged-in user must pass).
- -openshift-service-account=reversewords
- -openshift-sar={"resource":"namespaces","resourceName":"reverse-words","namespace":"reverse-words","verb":"get"}
  2. Now log in as a non-admin user when accessing the application: the 403 Permission Denied page shown below appears. This is because the application and its project were created by the cluster administrator, so the ordinary user has no access to them.
  3. Grant the ordinary user (here developer) the view role in the project, which satisfies the SubjectAccessReview above; after logging in again, that user can access the application.
$ oc adm policy add-role-to-user view developer

Accessing with a ServiceAccount

  1. Bind the proxy's service account to the system:auth-delegator ClusterRole so that it can create TokenReviews; without it the proxy logs the error quoted in the manifest's comments.
$ cat << EOF | oc apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # Without this role your oauth-proxy will output
  # Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: 
  # User "system:serviceaccount:reverse-words:reversewords" cannot create resource "tokenreviews" in API 
  # group "authentication.k8s.io" at the cluster scope
  name: oauth-create-tokenreviews
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: reversewords
  namespace: reverse-words
EOF
  2. Create a service account that will call the application, and grant it the view role.
$ oc create serviceaccount robot-user
$ oc adm policy add-role-to-user view -z robot-user
  3. Add the -openshift-delegate-urls argument to the oauth-proxy container's args (the -openshift-sar line is already present). Requests that carry a Bearer token are then authenticated with a TokenReview and authorized with the SubjectAccessReview configured for the matching path; here the rule for / requires permission to get pods in reverse-words.
- -openshift-sar={"resource":"namespaces","resourceName":"reverse-words","namespace":"reverse-words","verb":"get"}
- -openshift-delegate-urls={"/":{"resource":"pods","namespace":"reverse-words","verb":"get"}}
  4. Request a token for the service account and call the protected Route with it in the Authorization header; the request succeeds without a browser login.
$ TOKEN=$(oc -n reverse-words create token robot-user)
$ curl -k -H "Authorization: Bearer ${TOKEN}" https://$(oc get route reverse-words-authenticated -o jsonpath='{.spec.host}')
Reverse Words Release: NotSet. App version: v0.0.25
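The two sections above configure three authorization checks through JSON-valued flags: -openshift-sar for users who logged in through the browser, and -openshift-delegate-urls plus a TokenReview for callers presenting a Bearer token. The following model, an added example and not oauth-proxy's own code, makes explicit what those flags turn into: the TokenReview and SubjectAccessReview objects the proxy's service account must be allowed to create (which is exactly what the system:auth-delegator binding grants), and which rule governs a given request. Two details are assumptions of this illustration, not facts from the post: delegate-urls paths are matched by longest prefix, and the flag's resourceName maps to the SubjectAccessReview field name. The TokenReview status for robot-user is constructed sample data.

```python
import json
from typing import Dict, List, Tuple

# Flag values exactly as they appear in the post's Deployment args.
OPENSHIFT_SAR = ('{"resource":"namespaces","resourceName":"reverse-words",'
                 '"namespace":"reverse-words","verb":"get"}')
OPENSHIFT_DELEGATE_URLS = '{"/":{"resource":"pods","namespace":"reverse-words","verb":"get"}}'


def validate_rule(rule: Dict[str, str]) -> Dict[str, str]:
    """A rule needs at least resource and verb. The flags are JSON, so a typo in them
    stops the proxy container from starting rather than silently allowing access."""
    for key in ("resource", "verb"):
        if key not in rule:
            raise ValueError(f"authorization rule is missing {key!r}: {rule}")
    return rule


def parse_sar_flag(value: str) -> Dict[str, str]:
    return validate_rule(json.loads(value))


def parse_delegate_urls_flag(value: str) -> Dict[str, Dict[str, str]]:
    return {path: validate_rule(rule) for path, rule in json.loads(value).items()}


def token_review(bearer_token: str) -> dict:
    """Body posted to validate a Bearer token (needs create on tokenreviews)."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": bearer_token}}


def principal_from_token_review(status: dict) -> Tuple[str, List[str]]:
    """Identity the API server returned for the token; rejected tokens stop here."""
    if not status.get("authenticated"):
        raise PermissionError("bearer token not accepted by TokenReview")
    user = status["user"]
    return user["username"], user.get("groups", [])


def subject_access_review(user: str, groups: List[str], rule: Dict[str, str]) -> dict:
    """Body posted to authorize the caller (needs create on subjectaccessreviews).
    Mapping resourceName to the SAR field `name` is an assumption of this model."""
    attrs = {"namespace": rule.get("namespace", ""), "verb": rule["verb"], "resource": rule["resource"]}
    if "resourceName" in rule:
        attrs["name"] = rule["resourceName"]
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "groups": groups, "resourceAttributes": attrs}}


def select_rule(path: str, has_bearer_token: bool,
                sar_flag: str = OPENSHIFT_SAR,
                delegate_flag: str = OPENSHIFT_DELEGATE_URLS) -> Dict[str, str]:
    """Browser sessions that came through the OAuth login are checked against -openshift-sar;
    Bearer-token requests use the -openshift-delegate-urls rule with the longest matching
    prefix (prefix matching is an assumption of this model)."""
    if not has_bearer_token:
        return parse_sar_flag(sar_flag)
    rules = parse_delegate_urls_flag(delegate_flag)
    candidates = [p for p in rules if path.startswith(p)]
    if not candidates:
        raise PermissionError(f"no delegate rule covers {path}")
    return rules[max(candidates, key=len)]


def authorize_robot_request(path: str, token_review_status: dict) -> dict:
    """The full Bearer-token path: TokenReview result -> matching rule -> SAR body."""
    user, groups = principal_from_token_review(token_review_status)
    return subject_access_review(user, groups, select_rule(path, has_bearer_token=True))


# Constructed TokenReview status for the post's robot-user service account.
ROBOT_TOKEN_REVIEW_STATUS = {
    "authenticated": True,
    "user": {"username": "system:serviceaccount:reverse-words:robot-user",
             "groups": ["system:serviceaccounts", "system:serviceaccounts:reverse-words"]},
}

if __name__ == "__main__":
    print(json.dumps(authorize_robot_request("/", ROBOT_TOKEN_REVIEW_STATUS), indent=2))
```

Reading the output next to the post's steps explains the two fixes it needed: the view role granted to developer satisfies the get-namespaces SAR for browser sessions, and the view role granted to robot-user satisfies the get-pods SAR for Bearer-token calls; neither review can even be submitted until the proxy's own service account holds system:auth-delegator.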

References

https://linuxera.org/oauth-proxy-secure-applications-openshift/
