@spiarh
Last active November 5, 2019 14:29
EXTERNAL AUTH

In both directories, 'user-regular1' and 'user-regular2' are members of the 'k8s-users' group and 'user-admin' is a member of the 'k8s-admins' group.

For Active Directory, 'user-bind' is a plain user whose only group is the default 'Domain Users'. The connector binds as this account to search the directory: it has read-only access and nothing more, so it must not be added to 'k8s-users' or 'k8s-admins'. Note that with the user search below (objectClass=person under CN=Users) 'user-bind' itself is a valid login; it simply has no RBAC binding and therefore no permissions in the cluster.

The mail attribute is mapped to the Kubernetes user name, so the RBAC rules below reference users by e-mail address; groups are referenced by their directory name.

1. LDAP ACTIVE DIRECTORY

CONTENT

# user-regular1, Users, example.com
dn: CN=user-regular1,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user-regular1
sn: Regular1
givenName: User
distinguishedName: CN=user-regular1,CN=Users,DC=example,DC=com
displayName: User Regular1
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
memberOf: CN=k8s-users,CN=Groups,DC=example,DC=com
name: user-regular1
sAMAccountName: user-regular1
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
mail: user-regular1@example.com

# user-regular2, Users, example.com
dn: CN=user-regular2,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user-regular2
sn: Regular2
givenName: User
distinguishedName: CN=user-regular2,CN=Users,DC=example,DC=com
displayName: User Regular2
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
memberOf: CN=k8s-users,CN=Groups,DC=example,DC=com
name: user-regular2
sAMAccountName: user-regular2
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
mail: user-regular2@example.com

# user-bind, Users, example.com
dn: CN=user-bind,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user-bind
sn: Bind
givenName: User
distinguishedName: CN=user-bind,CN=Users,DC=example,DC=com
displayName: User Bind
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
name: user-bind
sAMAccountName: user-bind
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
mail: user-bind@example.com

# user-admin, Users, example.com
dn: CN=user-admin,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user-admin
sn: Admin
givenName: User
distinguishedName: CN=user-admin,CN=Users,DC=example,DC=com
displayName: User Admin
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
memberOf: CN=k8s-admins,CN=Groups,DC=example,DC=com
name: user-admin
sAMAccountName: user-admin
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
mail: user-admin@example.com

# k8s-users, Groups, example.com
dn: CN=k8s-users,CN=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: k8s-users
member: CN=user-regular1,CN=Users,DC=example,DC=com
member: CN=user-regular2,CN=Users,DC=example,DC=com
distinguishedName: CN=k8s-users,CN=Groups,DC=example,DC=com
name: k8s-users
sAMAccountName: k8s-users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com

# k8s-admins, Groups, example.com
dn: CN=k8s-admins,CN=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: k8s-admins
member: CN=user-admin,CN=Users,DC=example,DC=com
distinguishedName: CN=k8s-admins,CN=Groups,DC=example,DC=com
name: k8s-admins
sAMAccountName: k8s-admins
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com

EXTERNAL LDAP CONNECTOR with Authentication

# Server
Host: domain-controller.example.com
Port: 636
StartTLS: Off

Certificate: DC_Trust_Root.crt

# Authentication
Anonymous: False
DN: user-bind@example.com
Password: <password>

# User search
Identifying User Attribute: sAMAccountName
Base DN: CN=Users,DC=example,DC=com
Filter: (objectClass=person)

# User Attribute Map
Username: sAMAccountName
ID: distinguishedName
Email: mail
Name: sAMAccountName

# Group Search
Base DN: CN=Groups,DC=example,DC=com
Filter: (objectClass=group)

# Group Attribute Map
User: distinguishedName
Group: member
Name: sAMAccountName

2. openLDAP

CONTENT

# user-regular1, accounts, example.com
dn: CN=user-regular1,OU=accounts,DC=example,DC=com
cn: User Regular1
uidNumber: 1200
gidNumber: 500
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: user-regular1
mail: user-regular1@example.com
sn: Regular1
givenName: User

# user-regular2, accounts, example.com
dn: CN=user-regular2,OU=accounts,DC=example,DC=com
cn: User Regular2
uidNumber: 1300
gidNumber: 500
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: user-regular2
mail: user-regular2@example.com
sn: Regular2
givenName: User

# user-admin, accounts, example.com
dn: CN=user-admin,OU=accounts,DC=example,DC=com
cn: User Admin
uidNumber: 1000
gidNumber: 100
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: user-admin
mail: user-admin@example.com
sn: Admin
givenName: User

# k8s-users, accounts, example.com
dn: CN=k8s-users,OU=accounts,DC=example,DC=com
gidNumber: 500
objectClass: posixGroup
cn: k8s-users
memberUid: user-regular1
memberUid: user-regular2

# k8s-admins, accounts, example.com
dn: CN=k8s-admins,OU=accounts,DC=example,DC=com
gidNumber: 100
objectClass: posixGroup
cn: k8s-admins
memberUid: user-admin

EXTERNAL LDAP CONNECTOR without Authentication

# Server
Host: ldap.example.com
Port: 636
StartTLS: Off

Certificate: LDAP_Trust_Root.crt

# Authentication
Anonymous: True

# User search
Identifying User Attribute: uid
Base DN: OU=accounts,DC=example,DC=com
Filter: (objectClass=person)

# User Attribute Map
Username: uid
ID: uid
Email: mail
Name: uid

# Group Search
Base DN: OU=accounts,DC=example,DC=com
Filter: (objectClass=posixGroup)

# Group Attribute Map
User: uid
Group: memberUid
Name: cn
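
What the two connector configurations actually do at login time, as an added example (this is not code from the gist nor from any connector implementation). It takes the directory entries above, trimmed to the attributes the configs reference and embedded as constructed LDIF, and resolves a login name to the identity Kubernetes will see: the user is looked up under the user Base DN with the user filter, then every entry under the group Base DN that matches the group filter and whose group attribute ('member' for AD, 'memberUid' for OpenLDAP) contains the user's link attribute ('distinguishedName' for AD, 'uid' for OpenLDAP) becomes a group. It assumes the connector performs a subtree search with an equality-only filter and matches the identifying attribute exactly; the field names used for the two configs are this example's own.

```python
import base64
import re

# Constructed LDIF, trimmed from the two directory dumps above to the attributes
# the connector configs reference. 'sn::' is the base64 form of "Admin".
AD_LDIF = """\
dn: CN=user-regular1,CN=Users,DC=example,DC=com
objectClass: person
sAMAccountName: user-regular1
distinguishedName: CN=user-regular1,CN=Users,DC=example,DC=com
mail: user-regular1@example.com

dn: CN=user-bind,CN=Users,DC=example,DC=com
objectClass: person
sAMAccountName: user-bind
distinguishedName: CN=user-bind,CN=Users,DC=example,DC=com
mail: user-bind@example.com

dn: CN=user-admin,CN=Users,DC=example,DC=com
objectClass: person
sn:: QWRtaW4=
sAMAccountName: user-admin
distinguishedName: CN=user-admin,CN=Users,DC=example,DC=com
mail: user-admin@example.com

dn: CN=k8s-users,CN=Groups,DC=example,DC=com
objectClass: group
sAMAccountName: k8s-users
member: CN=user-regular1,CN=Users,DC=example,DC=com
member: CN=user-regular2,CN=Users,DC=example,DC=com

dn: CN=k8s-admins,CN=Groups,DC=example,DC=com
objectClass: group
sAMAccountName: k8s-admins
member: CN=user-admin,CN=Users,DC=example,DC=com
"""

OPENLDAP_LDIF = """\
dn: CN=user-regular1,OU=accounts,DC=example,DC=com
objectClass: inetOrgPerson
objectClass: person
uid: user-regular1
mail: user-regular1@example.com

dn: CN=k8s-users,OU=accounts,DC=example,DC=com
objectClass: posixGroup
cn: k8s-users
memberUid: user-regular1
memberUid: user-regular2
"""

# The two connector configs above, reduced to the fields the lookup needs
# (field names are this example's own, not the connector's).
AD = dict(user_base="CN=Users,DC=example,DC=com", user_filter="(objectClass=person)",
          login_attr="sAMAccountName", email_attr="mail",
          group_base="CN=Groups,DC=example,DC=com", group_filter="(objectClass=group)",
          user_link="distinguishedName", group_link="member", group_name="sAMAccountName")
OPENLDAP = dict(user_base="OU=accounts,DC=example,DC=com", user_filter="(objectClass=person)",
                login_attr="uid", email_attr="mail",
                group_base="OU=accounts,DC=example,DC=com", group_filter="(objectClass=posixGroup)",
                user_link="uid", group_link="memberUid", group_name="cn")


def parse_ldif(text):
    """Parse LDIF into [{attr (lowercased): [values]}]; 'attr::' is base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            if val.startswith(":"):                       # attr:: <base64>
                val = base64.b64decode(val[1:].strip()).decode()
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries


def in_subtree(entry, base):
    """Subtree scope: the entry's DN must end with the base DN (DNs compare case-insensitively)."""
    return entry["dn"][0].lower().endswith("," + base.lower())


def matches(entry, flt):
    """Equality filters only, which is all the configs above use."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]+)\)", flt).groups()
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def resolve(c, entries, login):
    """Mimic the connector: locate the user under user_base, then collect the groups
    under group_base whose group_link attribute lists the user's user_link value.
    Returns the identity handed to Kubernetes, or None if the login is refused."""
    users = [e for e in entries
             if in_subtree(e, c["user_base"]) and matches(e, c["user_filter"])
             and login in e.get(c["login_attr"].lower(), [])]
    if len(users) != 1:            # unknown or ambiguous login: refuse
        return None
    user = users[0]
    links = user.get(c["user_link"].lower(), [])
    groups = [e[c["group_name"].lower()][0] for e in entries
              if in_subtree(e, c["group_base"]) and matches(e, c["group_filter"])
              and any(l in e.get(c["group_link"].lower(), []) for l in links)]
    return {"email": user[c["email_attr"].lower()][0], "groups": sorted(groups)}
```

Two things worth noticing when running it: 'user-bind' resolves to a valid identity with an empty group list (it can log in, and only the absence of any RBAC binding keeps it harmless), and a login name that only appears in a group's memberUid/member list but has no user entry under the user Base DN is refused, so group membership alone never grants access.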

3. KUBERNETES MANIFEST

---
apiVersion: v1
kind: Namespace
metadata:
  name: user-regular1
---
apiVersion: v1
kind: Namespace
metadata:
  name: user-regular2
---
apiVersion: v1
kind: Namespace
metadata:
  name: shared
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-regular1-ns-admin
  namespace: user-regular1
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: user-regular1@example.com
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-regular2-ns-admin
  namespace: user-regular2
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: user-regular2@example.com
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shared-ns-user
  namespace: shared
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: k8s-users
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: k8s-admins
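
How the identity produced by the connector lands on these bindings, as an added example (not part of the gist, and a simplification of the Kubernetes RBAC authorizer, not its code). The subjects of the four bindings above are copied into a list; a User subject matches only when its name equals the mapped e-mail exactly, a Group subject matches when the name is in the group list, RoleBindings apply only in their namespace and the ClusterRoleBinding applies everywhere. The last assertion in the test shows the failure mode: if the connector's Email map were changed to sAMAccountName/uid, the per-user namespace bindings would silently stop matching while the group binding still would.

```python
# Subjects copied from the RoleBindings and the ClusterRoleBinding above.
# namespace None stands for the ClusterRoleBinding (cluster-wide).
BINDINGS = [
    {"name": "user-regular1-ns-admin", "namespace": "user-regular1", "role": "admin",
     "subjects": [("User", "user-regular1@example.com")]},
    {"name": "user-regular2-ns-admin", "namespace": "user-regular2", "role": "admin",
     "subjects": [("User", "user-regular2@example.com")]},
    {"name": "shared-ns-user", "namespace": "shared", "role": "edit",
     "subjects": [("Group", "k8s-users")]},
    {"name": "k8s-cluster-admin", "namespace": None, "role": "cluster-admin",
     "subjects": [("Group", "k8s-admins")]},
]


def subject_matches(kind, name, identity):
    """identity is {"email": ..., "groups": [...]} as emitted by the connector."""
    if kind == "User":
        return name == identity["email"]      # exact, case-sensitive string compare
    if kind == "Group":
        return name in identity["groups"]
    return False                               # ServiceAccount subjects are not used here


def effective_bindings(identity):
    """Return {(namespace or '*', role)} for every binding that lists the identity,
    which is how the RBAC authorizer selects the rules it evaluates."""
    out = set()
    for b in BINDINGS:
        if any(subject_matches(k, n, identity) for k, n in b["subjects"]):
            out.add((b["namespace"] or "*", b["role"]))
    return out


def roles_in(identity, namespace):
    """Roles in effect in one namespace: its RoleBindings plus all ClusterRoleBindings."""
    return {role for ns, role in effective_bindings(identity) if ns in (namespace, "*")}


# Constructed identities, the same shape the connector produces for the directory above.
REGULAR1 = {"email": "user-regular1@example.com", "groups": ["k8s-users"]}
ADMIN = {"email": "user-admin@example.com", "groups": ["k8s-admins"]}
BIND = {"email": "user-bind@example.com", "groups": []}
```

On a live cluster the same check is `kubectl auth can-i --list --as user-regular1@example.com --as-group k8s-users -n shared`, run by a cluster administrator, which impersonates exactly the user name and groups the connector would present.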

EXTRA: Example ResourceQuota for the shared Namespace:

---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: shared
  namespace: shared
spec:
  hard:
    pods: "4"
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi