Giters

ellis-wu / kube-ldap-webhook

Kubernetes LDAP authentication service written in Go.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Build Status Docker Build Statu

Kubernetes LDAP Webhook Authentication

Kubernetes LDAP authentication service written in Go. This repo is reimplement from kube-ldap-authn.

According to the project documentation we have the following schema:

# kubernetesToken.schema
attributeType ( 1.3.6.1.4.1.18171.2.1.8
        NAME 'kubernetesToken'
        DESC 'Kubernetes authentication token'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectClass ( 1.3.6.1.4.1.18171.2.3
        NAME 'kubernetesAuthenticationObject'
        DESC 'Object that may authenticate to a Kubernetes cluster'
        AUXILIARY
        MUST kubernetesToken )

Quick Start

In this first, modified the ldap-auth.conf file to match our LDAP, and then upload to Kubernetes:

$ kubectl -n kube-system create secret generic ldap-auth-config --from-file=./ldap-auth.conf
secret "ldap-auth-config" created

Now create the ldap-auth-webhook daemonset:

$ kubectl create -f deploy

Finally start the API server with the following flags:

...
spec:
  containers:
  - command:
    ...
    - --runtime-config=authentication.k8s.io/v1beta1=true
    - --authentication-token-webhook-config-file=/srv/kubernetes/webhook-auth
    - --authentication-token-webhook-cache-ttl=5m
    volumeMounts:
      ...
    - mountPath: /srv/kubernetes/webhook-auth
      name: webhook-authn
      readOnly: true
  volumes:
    ...
  - hostPath:
      path: /srv/kubernetes/webhook-auth
      type: File
    name: webhook-authn

How to test

In this first, we need to run gin as below command:

$ go run main.go -config=ldap-auth.conf
...
[GIN-debug] GET    /healthz                  --> main.healthz (3 handlers)
[GIN-debug] POST   /auth                     --> main.auth (3 handlers)
[GIN-debug] Listening and serving HTTP on :8087

To test API using cURL tool:

# failed
$ curl -X POST -H 'content-type: application/json' -d '{"apiVersion": "authentication.k8s.io/v1beta1", "kind": "TokenReview", "spec": {"token": "pSex7npm80w5Y293BNl80DeyvZL"}}' http://localhost:8087/auth
{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}

# success
$ curl -X POST -H 'content-type: application/json' -d '{"apiVersion": "authentication.k8s.io/v1beta1", "kind": "TokenReview", "spec": {"token": "pSex7npm80w5Y293BNl80DeyvZLy8Iz0"}}' http://localhost:8087/auth
{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":true,"user":{"groups":["kubernetes","kubernetes-admin"],"uid":"user2","username":"user2"}}}

About

Kubernetes LDAP authentication service written in Go.

Languages

Language:Go 88.0%Language:Makefile 12.0%