On the OpenShift platform, both roles and cluster roles can be assigned to users and / or groups. However, assigning these roles quickly becomes unfeasible in an environment with many users.
Therefore, it is necessary to synchronize the active directory (AD) groups with the Openshift 4.x platform to simplify the process.
When an AD sync is performed, groups are created in OpenShift with the same data as group users in AD and Lightweight Directory Access Protocol (LDAP).
There are two ways to perform synchronization: manually or automated.
When performing the synchronization manually, the administrator can use the following command:
$ oc adm groups sync --whitelist=<whitelist_file> --sync-config=config.yaml --confirm
To use automated synchronization, a bridge machine is often used, relying on the SO's own CronJobs. However, in this blog, I will demonstrate how to configure an automated sync using the platform itself without a bridge machine.
In the following code, several resources need to be created and several features need to be configured, including:
- Service Account
- Cluster Role
- Cluster Role Binding
- Sync Config Map
- Whitelist Config Map of the groups
- CronJob
NOTE: I am using the openshift-authentication namespace to facilitate administration. However, resources can be created in their own namespace.
Service Account
It is necessary to create a service account that CronJob will use for actions to create groups on the platform:
kind: ServiceAccount
apiVersion: v1
metadata:
name: ldap-group-syncer
namespace: openshift-authentication
labels:
app: cronjob-ldap-group-sync
Cluster Role
To avoid unnecessary permissions such as a cluster-admin role on the new service account, a new cluster-role with the appropriate permissions needs to be created:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ldap-group-syncer
labels:
app: cronjob-ldap-group-sync
rules:
- apiGroups:
- ''
- user.openshift.io
resources:
- groups
verbs:
- get
- list
- create
- update
Cluster Role Binding
After creating the Cluster Role, we have to link the Service Account with the Cluster Role that was created:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ldap-group-syncer
labels:
app: cronjob-ldap-group-sync
subjects:
- kind: ServiceAccount
name: ldap-group-syncer
namespace: openshift-authentication
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ldap-group-syncer
ConfigMap Sync and Whitelist
For the configuration of the sync file, we will be using the OpenShift platform's config map feature to store all the sync configuration content. These configuration artifacts are separated from the image content to keep the applications in portable containers.
We will have two config maps: syncing groups file using the RFC2307 schema with user-defined name mappings and a Whitelist file for synchronizing specific groups:
kind: ConfigMap
apiVersion: v1
metadata:
name: ldap-group-syncer
namespace: openshift-authentication
labels:
app: cronjob-ldap-group-sync
data:
ldap-group-sync.yaml: |
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://ad.example.com:389
bindDN: CN=user-ocp,OU=Users,DC=ad,DC=example,DC=com
bindPassword:
file: "/etc/secrets/bindPassword"
insecure: true
rfc2307:
groupsQuery:
baseDN: "DC=ad,DC=example,DC=com"
scope: sub
derefAliases: never
filter: (objectclass=group)
groupUIDAttribute: dn
groupNameAttributes: [ cn ]
groupMembershipAttributes: [ member ]
usersQuery:
baseDN: "DC=ad,DC=example,DC=com"
scope: sub
derefAliases: never
pageSize: 0
userUIDAttribute: dn
userNameAttributes: [ sAMAccountName ]
tolerateMemberNotFoundErrors: true
tolerateMemberOutOfScopeErrors: true
kind: ConfigMap
apiVersion: v1
metadata:
name: ldap-group-syncer-whitelist
namespace: openshift-authentication
labels:
app: cronjob-ldap-group-sync
data:
whitelist.txt: |
CN=Cluster-Admins,CN=users,DC=ad,DC=example,DC=com
CN=Developers,CN=users,DC=ad,DC=example,DC=com
CronJob
Finally, we can set up the CronJob configuration that will perform the groups' synchronism.
Before creating CronJob, it is necessary to gather the name of the secret that contains the login password of the user who searches for the information in AD/LDAP in the CronJob. This secret is created automatically when the Identity Provider LDAP is created. It is stored in the openshift-authentication namespace.
Note: This secret is generated automatically when the LDAP Identity provider is created.
Below is the command to search for the name of the secret:
$ oc get secret -n openshift-authentication | grep v4-0-config-user-idp
v4-0-config-user-idp-0-bind-password Opaque 1 16m
After obtaining the correct name of the secret, a CronJob must be created according to the example below:
kind: CronJob
apiVersion: batch/v1beta1
metadata:
name: ldap-group-syncer
namespace: openshift-authentication
labels:
app: cronjob-ldap-group-sync
spec:
schedule: "*/1 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 5
failedJobsHistoryLimit: 5
jobTemplate:
metadata:
labels:
app: cronjob-ldap-group-sync
spec:
backoffLimit: 0
template:
metadata:
labels:
app: cronjob-ldap-group-sync
spec:
containers:
- name: ldap-group-sync
image: "registry.redhat.io/openshift4/ose-cli:v4.7"
command:
- "/bin/bash"
- "-c"
- oc adm groups sync --whitelist=/etc/whitelist/whitelist.txt --sync-config=/etc/config/ldap-group-sync.yaml --confirm
volumeMounts:
- mountPath: "/etc/config"
name: "ldap-sync-volume"
- mountPath: "/etc/whitelist"
name: "ldap-sync-volume-whitelist"
- mountPath: "/etc/secrets"
name: "ldap-bind-password"
volumes:
- name: "ldap-sync-volume"
configMap:
name: "ldap-group-syncer"
- name: "ldap-sync-volume-whitelist"
configMap:
name: "ldap-group-syncer-whitelist"
- name: "ldap-bind-password"
secret:
secretName: "v4-0-config-user-idp-0-bind-password"
restartPolicy: "Never"
terminationGracePeriodSeconds: 30
activeDeadlineSeconds: 500
dnsPolicy: "ClusterFirst"
serviceAccountName: "ldap-group-syncer"
serviceAccount: "ldap-group-syncer"
In the code above, there are some adjustments that must be made in each deployment:
- AD/LDAP URL
- User bindDN to connect to AD/LDAP
- baseDN to search for groups
- baseDN to search for users
- Full baseDN of Whitelist groups
- Definition of the CronJob schedule;
- OpenShift client image. (In the example I am using, the image of OpenShift Client 4.7)
- Secret Name that has the user password to communicate with AD/LDAP
Note: CronJob will hold five successful or failed runs. To change this value, you must modify the CronJob config map in the parameters:
successfulJobsHistoryLimit: 5
failedJobsHistoryLimit: 5
The administrator can create the resources separately and store all the codes above in a single file and execute the command below:
$ oc create -f ldap-syncer.yml
Note: If there is an error in the configuration, the PODs will be in error. You should check the logs for the error and adjust the synchronism config map.
PODs generated for synchronism
Jobs executed and CronJob
Authentication Operator Status
Synchronized Groups
OpenShift Container Platform creates the following group record as a result of the above sync operation:
kind: Group
apiVersion: user.openshift.io/v1
metadata:
name: CLUSTER-ADMIN
uid: 05adb646-b69a-4b54-b2a7-500f3f595d48
resourceVersion: '6440583'
creationTimestamp: '2021-04-19T00:57:04Z'
labels:
openshift.io/ldap.host: 10.36.250.190
annotations:
openshift.io/ldap.sync-time: '2021-04-19T01:21:04Z'
openshift.io/ldap.uid: >- CN=CLUSTER-ADMIN,OU=GROUPS,OU=PAAS,OU=PRATICIES,OU=CONSULTING,DC=rhbr-lab,DC=com
openshift.io/ldap.url: '10.36.250.190:389'
users:
- user1
Configuration of Roles, Cluster Roles to Groups
After the synchronized groups, simply apply the roles or roles to cluster groups using the following commands:
Cluster Role
Binds a given role to specified groups for all projects in the cluster:
$ oc adm policy add-cluster-role-to-group <role> <groupname>
Removes a given role from specified groups for all projects in the cluster:
$ oc adm policy remove-cluster-role-from-group <role> <groupname>
Local Role (namespaces)
Binds a given role to specified groups in the namespace:
$ oc adm policy add-role-to-group <role> <groupname> -n <namespace>
Removes a given role from specified groups in the namespace:
$ oc adm policy remove-role-from-group <role> <groupname> -n <namespace>
Final Thoughts
So you can see how easy it is to create and manage groups in OpenShift using sync with AD/LDAP. The intention of this blog post was to demonstrate that this is possible and how easy it can be using the platform itself.
저자 소개
유사한 검색 결과
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.