I have an RBAC-enabled AKS cluster with proper Azure AD integration. It works fine on the control plane. However, to access the dashboard I create an access token with

az account get-access-token --query accessToken -o tsv

and start kubectl proxy.

Expected behavior: a member of the Azure AD group should be able to get full access permissions in the dashboard using that token. This used to work properly (the cluster is about a month old). Now I created a new cluster.

Actual behavior: the dashboard forbids access to the cluster admin.

Actually, when RBAC is enabled on a cluster with proper Azure AD integration, granting the kubernetes-dashboard service account cluster-admin access makes it less secure, doesn't it? Or, as I understand from the documentation, anyone with the dashboard URL can then access the cluster.

To be clear: promoting the kubernetes-dashboard service account to cluster-admin makes the dashboard work (this is quite obvious, but I am stating it explicitly).
@Sudharma can you share the documentation you are referencing so we can help you?
Is it this one?
@MicahMcKittrick-MSFT I went through it and it is working fine. I am referring to this:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-dashboard#for-rbac-enabled-clusters
Exactly, with RBAC for the dashboard.
"You can also integrate Azure Active Directory authentication to provide a more granular level of access."
I am more interested in how to do this.
@Sudharma thanks.
@iainfoulds @seanmck can either of you comment further on this question?
@Sudharma sorry for the delay. I have been trying to reproduce this, but ran into problems setting up an RBAC cluster with an internal subscription. We are looking into it and will update here as soon as possible.
@iainfoulds apologies, I could not get my environment set up to test this exactly. For some reason the RBAC-enabled cluster is not provisioning correctly with a personal subscription either. I have been trying for several days without getting through. Let me try to reproduce this again; it is just bad luck so far.
CC @Karishma-Tiwari-MSFT @jakaruna-MSFT in case you can try to reproduce.
Quote:
@Sudharma sorry for the delay. I have been trying to reproduce this, but ran into problems setting up an RBAC cluster with an internal subscription. We are looking into it and will update here as soon as possible.
No problem. But I am keen on this solution, so please keep me up to date.
This is the same problem for me. The dashboard login prompt does not seem to pass on the token issued from the login screen. It then handles the dashboard connection request via the service account instead.
Also, I have not created a service account or granted the dashboard access to a service account for privilege escalation.
In other words, dashboard access via the proxy works properly with a service account, but not with an OpenID Connect account token.
This issue remains a problem for us. Here is my +1.
+1 here too.
Hello team,
Can you explain in more detail how this works and how it differs from a native Kubernetes engine? I am wondering whether the same thing is supported. I am also wondering whether the dashboard can be configured to use Azure AD via a proxy service?
Does anyone have an update on this? After running "kubectl proxy" I cannot access it using a token or the kube config file, and when I run az aks browse I am asked to log in via the web using a device code (I have already run az login). When I enter the code, the command line fails with "OAuth token: unknown error". I set up the cluster with RBAC and configured access permissions following https://docs.microsoft.com/en-us/azure/aks/aad-integration (using client and server app registrations).
The only thing I do not understand is that client, server and service principal app registrations are used, so three app registrations in total. It was provisioned via Terraform. The guide documentation only describes the permissions for the client app and server app registrations.
Hoping someone can help.
Still facing the same issue. I cannot access the dashboard, the API or kubectl using an AD account.
The following command works and creates k8s admin credentials in /home/user/.kube/config:

az aks get-credentials --resource-group xxx-dev-test01 --name xxxk8sdev --admin

After adding cluster role bindings for AD users or groups, users could normally log in with:

az aks get-credentials --resource-group xxx-dev-test01 --name xxxk8sdev

This prompts for a device token and the user can log in. But now this fails consistently.
Kubectl or the dashboard can only be accessed as cluster admin. Of course, we cannot give all users cluster-admin credentials.
Apologies, there were problems on our side here.
The engineering team has identified the problem and is working to resolve it. This is due to an upstream Kubernetes dashboard change, not behavior specific to AKS. @palma21 can provide additional context on the timeline for a resolution.
@spbreed's issue appears to be different, since they state that they cannot access from kubectl either (please check whether the secret has expired, and open a support ticket so we can check the cluster together).
For those whose problem is only with the dashboard: the newer version of the dashboard requires either https or the insecure-login flag; otherwise there is a problem with the service account login.
To enforce this, you can edit the dashboard deployment, for example:

kubectl edit deploy -n kube-system kubernetes-dashboard

and add to the container spec:

containers:
- args:
  - --authentication-mode=token
  - --enable-insecure-login

Going forward we will enforce token authentication, change the port from 9090 to 8443, change the scheme to HTTPS and use a self-signed certificate. This will be announced in the release notes, which will be published soon.
https://github.com/Azure/aks/releases
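The workaround above is a hand edit in an editor, and later in this thread people hit "Edit cancelled, no valid changes were saved" doing exactly that. The script below is an added example (not code from the thread, from AKS or from the dashboard project) that computes the same change programmatically: it takes the live Deployment JSON, adds the two flags to the container named `main` (the container name visible in the `kubectl describe` output posted later in the thread), drops any conflicting `--authentication-mode=...` value, and emits either a patched manifest for `kubectl apply` or a strategic-merge patch body for `kubectl patch`. Running it twice is a no-op. The embedded `SAMPLE_DEPLOYMENT` is a constructed stand-in for the real object, used only when nothing is piped in. The caveat from the thread still applies: `--enable-insecure-login` makes token login work over the plain-HTTP `kubectl proxy` tunnel, so remove it once the dashboard serves HTTPS on 8443.

```python
"""Apply the thread's dashboard workaround as a non-interactive, idempotent patch.

Added example, not code from the issue or from AKS. Usage (live cluster):
  kubectl -n kube-system get deploy kubernetes-dashboard -o json \
    | python3 dashboard_args.py > patched.json && kubectl apply -f patched.json
or, as a strategic merge patch that preserves existing args:
  kubectl -n kube-system get deploy kubernetes-dashboard -o json \
    | python3 dashboard_args.py --patch > patch.json
  kubectl -n kube-system patch deploy kubernetes-dashboard -p "$(cat patch.json)"
"""
import copy
import json
import sys
from typing import List, Tuple

# Flags palma21 asked to add to the container spec (insecure-login is the
# workaround that lets token login work over the HTTP proxy tunnel).
REQUIRED_ARGS = ["--authentication-mode=token", "--enable-insecure-login"]
# Container name as shown in the kubectl describe output posted in this thread.
DASHBOARD_CONTAINER = "main"


def merge_args(existing: List[str]) -> List[str]:
    """Return existing args plus REQUIRED_ARGS, without duplicates.

    A conflicting --authentication-mode=<other> is dropped so token mode wins;
    every other arg the deployment already had is kept in its original order.
    """
    kept = [
        a for a in existing
        if not (a.startswith("--authentication-mode=") and a != "--authentication-mode=token")
    ]
    for flag in REQUIRED_ARGS:
        if flag not in kept:
            kept.append(flag)
    return kept


def current_args(deployment: dict, container: str = DASHBOARD_CONTAINER) -> List[str]:
    """Args currently set on the named container (empty list if none)."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c.get("name") == container:
            return list(c.get("args", []))
    raise KeyError(f"no container named {container!r} in deployment")


def patch_deployment(deployment: dict, container: str = DASHBOARD_CONTAINER) -> Tuple[dict, bool]:
    """Return (patched deep copy, changed). The input object is left untouched."""
    patched = copy.deepcopy(deployment)
    for c in patched["spec"]["template"]["spec"]["containers"]:
        if c.get("name") == container:
            old = list(c.get("args", []))
            c["args"] = merge_args(old)
            return patched, c["args"] != old
    raise KeyError(f"no container named {container!r} in deployment")


def strategic_merge_patch(existing_args: List[str], container: str = DASHBOARD_CONTAINER) -> dict:
    """Patch body for `kubectl patch deploy ... -p '<json>'` (default strategic merge).

    Lists of plain strings such as args are replaced wholesale by a strategic
    merge patch, so the full merged list is sent, not only the two new flags.
    """
    return {"spec": {"template": {"spec": {"containers": [
        {"name": container, "args": merge_args(existing_args)}
    ]}}}}


# Constructed sample resembling the AKS dashboard Deployment described in this
# thread (image v1.10.1, container "main", no args yet). Not a real dump.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "main",
        "image": "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1",
        "ports": [{"containerPort": 9090, "protocol": "TCP"}],
    }]}}},
}


def main() -> None:
    dep = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DEPLOYMENT
    if "--patch" in sys.argv:
        print(json.dumps(strategic_merge_patch(current_args(dep))))
        return
    patched, changed = patch_deployment(dep)
    print(json.dumps(patched, indent=2))
    print("changed" if changed else "already patched", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Piping the live object in matters: a strategic merge patch replaces the whole `args` list, so building the patch from the current args is what keeps any flags the addon already set. Remove `--enable-insecure-login` from `REQUIRED_ARGS` once the dashboard image serves HTTPS on 8443, as palma21 announced.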
Facing the same issue. I cannot access the dashboard, the API or kubectl with an AD account.
My mistake: I cannot access the K8S dashboard with an AD account.
What process are you following to access the dashboard? Did you try my comment above?
https://github.com/MicrosoftDocs/azure-docs/issues/23789#issuecomment-485010803
@palma21 I tried your suggestion, but I get the same issue, with this list of errors when logging in to the dashboard:
configmaps is forbidden: User "clusterAdmin" cannot list configmaps in the namespace "default"
There is no role binding for the service account "kubernetes-dashboard". I tried the cluster admin account token. Even though I am a cluster admin and proper RBAC is set up, login with an AAD account does not seem to work at all. Is the token generated with the command below valid for bearer token login?
Details of these steps:
Containers:
  main:
    Container ID:  docker://610c6b258cde01196c03c918c3acca6c3c6ba531153ad1b7e0f034e032065319
    Image:         k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
    Image ID:      docker-pullable://k8s.gcr.io/kubernetes-dashboard-amd64@sha256:0ae6b69432e78069c5ce2bcde0fe409c5c4d6f0f4d9cd50a17974fea38898747
    Port:          9090/TCP
    Host Port:     0/TCP
    Args:
      --authentication-mode=token
      --enable-insecure-login
    State:         Running
      Started:     Thu, 25 Apr 2019 12:04:43 +0100
That message indicates that the clusterAdmin role does not have permission to list configmaps in that namespace. Try adding it to the user's role and see whether that resolves it.
Otherwise, please send the ClusterAdmin role yaml and the dashboard deployment yaml and I can check.
When I retry with a service account (not the default dashboard one) it seems to work, which is great. However, when I use the token of an AAD user with a cluster-admin role binding, the login fails. With AAD and correct RBAC, should I be able to log in to the dashboard with the token and receive the dashboard privilege level defined in the RBAC bindings?
Yes, it should. Can you take the token you pass to the k8s dashboard and list the configmaps in the default NS as that user? If the user can perform that action, this is expected; if not, check the token you are passing to the dashboard.
To avoid spamming this thread, which appears to be resolved, please email jpalma [at] microsoft.com.
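palma21's advice above boils down to "check the token you are passing to the dashboard": the dashboard only forwards the bearer token to the API server, which rejects it if it is expired, minted for a different audience, or missing the claims your RBAC bindings match on. The script below is an added example (not code from the thread or from Microsoft) that decodes the token's payload offline and lists those problems before you paste it into the login page. It assumes, as an illustration rather than anything this thread states, that the expected audience is the AKS server application ID of an AAD-integrated cluster (the `apiserver-id` the kubeconfig's azure auth provider requests a token for); `az account get-access-token` without `--resource` returns a token for the ARM endpoint, which is a different audience, so that is the first thing worth checking. It also flags the AAD group-overflow case, where a `_claim_names` entry replaces the `groups` claim and group-based RBAC bindings cannot match. The sample tokens are constructed, unsigned (`alg=none`) JWTs for offline use only; signature verification is deliberately skipped because that is the API server's job.

```python
"""Inspect an Azure AD access token before handing it to the dashboard login.

Added example, not code from this thread. Usage against a real token:
  az account get-access-token --resource <server app id> --query accessToken -o tsv \
    | python3 check_token.py
"""
import base64
import json
import sys
import time
from typing import Dict, List, Optional

ARM_AUD = "https://management.azure.com/"
# Placeholder assumption: replace with the server application ID of your
# AAD-integrated AKS cluster (the apiserver-id in your kubeconfig).
EXPECTED_AUD = "00000000-0000-0000-0000-000000000000"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict:
    """Return the JWT payload as a dict. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def token_problems(token: str, expected_aud: str = EXPECTED_AUD,
                   now: Optional[float] = None) -> List[str]:
    """List reasons a dashboard token login would fail; an empty list looks usable."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired or missing exp")

    aud = claims.get("aud")
    if aud != expected_aud:
        hint = ""
        if aud == ARM_AUD:
            hint = " (ARM token: pass --resource <server app id> to az account get-access-token)"
        problems.append(f"aud is {aud!r}, expected {expected_aud!r}{hint}")

    if "groups" not in claims:
        if "groups" in claims.get("_claim_names", {}):
            problems.append("groups overflowed into _claim_names; group RBAC bindings will not match")
        else:
            problems.append("no groups claim; only user (upn/oid) bindings can match")
    return problems


def make_unsigned_token(claims: Dict) -> str:
    """Build an alg=none token for offline demonstration only (constructed sample)."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens; no real tenant data.
FAR_FUTURE = 4_000_000_000
SAMPLE_OK = make_unsigned_token(
    {"aud": EXPECTED_AUD, "exp": FAR_FUTURE, "upn": "alice@contoso.example", "groups": ["aks-admins"]})
SAMPLE_ARM = make_unsigned_token(
    {"aud": ARM_AUD, "exp": FAR_FUTURE, "upn": "alice@contoso.example", "groups": ["aks-admins"]})
SAMPLE_OVERFLOW = make_unsigned_token(
    {"aud": EXPECTED_AUD, "exp": FAR_FUTURE, "_claim_names": {"groups": "src1"}})
SAMPLE_EXPIRED = make_unsigned_token({"aud": EXPECTED_AUD, "exp": 1, "groups": []})

if __name__ == "__main__":
    tok = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARM
    for line in token_problems(tok) or ["token looks usable for dashboard login"]:
        print(line)
```

If the audience check fails, the kubeconfig written by `az aks get-credentials` is the authoritative source for the ID to request: its azure auth-provider block names the server application the API server validates against.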
Quote:
To enforce this, you can edit the dashboard deployment, for example:

kubectl edit deploy -n kube-system kubernetes-dashboard

and add to the container spec:

containers:
- args:
  - --authentication-mode=token
  - --enable-insecure-login

Going forward we will enforce token authentication, change the port from 9090 to 8443, change the scheme to HTTPS and use a self-signed certificate. This will be announced in the release notes, which will be published soon.
https://github.com/Azure/aks/releases
You promised a timeline, but at this point there is no solution and we are back to using this insecure solution. This issue has been open for a long time, and there are other participants as well. Can you give us a real timeline?
@iainfoulds can you actually provide a timeline?
Quote:
@palma21 can provide additional context on the timeline for a resolution.
@palma21 at this point the solution is far from ideal, and for some reason the code line does not work:
error: deployment "kubernetes-dashboard" is invalid
Quote:
Going forward we will enforce token authentication, change the port from 9090 to 8443 and change the scheme to HTTPS.
When???
If the deployment manifest is invalid it may be a configuration or indentation issue. I did it again and it works.
Try it inline as well: args: ["--authentication-mode=token", "--enable-insecure-login"]
This change should happen around the end of June.
Here is what I did, based on @palma21's notes:
aks-dashboard.sh

# As a workaround for accessing the dashboard using a token without enforcing https secure communication
# (the tunnel is exposed over http), you can edit the dashboard deployment and add the following argument.
# It is an issue currently being discussed here: https://github.com/MicrosoftDocs/azure-docs/issues/23789
# args: ["--authentication-mode=token", "--enable-insecure-login"] under spec: containers
# spec:
#   containers:
#   - name: *****
#     image: *****
#     args: ["--authentication-mode=token", "--enable-insecure-login"]
kubectl edit deploy -n kube-system kubernetes-dashboard

# Get an AAD token for the signed-in user (given that the user has the appropriate access). Use (az login) if you are not signed in.
SIGNED_USER_TOKEN=$(az account get-access-token --query accessToken -o tsv)
echo "$SIGNED_USER_TOKEN"

# Establish a tunnel and log in via the token above.
# If AAD is enabled, you should see the AAD sign-in experience with a link and a code for https://microsoft.com/devicelogin
az aks browse --resource-group "$RG" --name "$CLUSTER_NAME"

# You can also use kubectl proxy to establish the tunnel:
# kubectl proxy
# Then navigate to the sign-in page at http://localhost:8001/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy/#!/login

# Note: you can also use the same process with a generated kubeconfig file for a Service Account that is bound to a specific namespace to log in to the dashboard.
I tried this:

kubectl edit deploy -n kube-system kubernetes-dashboard

using the latest AKS deployed as of 2019-09-12.
Notepad opened with the yaml file and I entered the change, but on saving and closing I got the error:

error: deployments.extensions "kubernetes-dashboard" is invalid
error: Edit cancelled, no valid changes were saved.

Any ideas?
This looks like a pretty big bug. As I understand it, it is not possible to access the Kubernetes dashboard using an AAD login.
Worse, the documentation is wrong, as it implies you can do the following:
"When setting up Kubernetes dashboard authentication, we recommend using a token rather than the default dashboard service account. Using a token lets each user use their own permissions. Using the default dashboard service account may let users bypass their own permissions and use the service account instead."
Reading this thread, this is broken. Can this bug be fixed, or can the documentation at least be updated to make it clear that this is currently not possible?
This ticket was first filed on January 30; that is a long time for this bug to be public.
Quote:
This change should happen around the end of June.
@palma21 June has passed; is there an ETA for this fix to roll out?
We rolled out, including the new documentation (as noticed above), but had to roll back because of a bug with the new browser behavior.
We are currently working on the fix so that this is fixed by the end of this month.
In the meantime, there is a workaround to enable this feature:
edit the deployment with

args: ["--authentication-mode=token", "--enable-insecure-login"]

The error above looks like a configuration or editor issue; I tried the same steps and they still work.
Is there any update on this bug?
Facing the same issue; is there an update on the ETA for a fix?
It is really unfortunate to spend months rolling out a full-stack solution on AKS, only to find such bugs in a Microsoft product.
Treating this issue as spam, that is Microsoft [1], judging by what my operator's support staff told me. See:
We badly need a solution that does not require turning off SSL.
1) Told personally and directly by a _Support Escalation Engineer_, Customer Service and Support / Microsoft Azure Technical Support / Azure Containers Team - EMEA -
Love the transparency and the great communication from MS 🤦‍♂
@palma21 could you share any updates on this issue? Thanks :)
Would love to get an update on this.
Is there a fix for this, or do we just have to do this hack on RBAC-enabled AKS clusters?
What is the backlog item we can track to see this issue resolved?
The latest news I can share, as someone who talks to Microsoft experts through work, is that the dashboard plugin is inherently insecure (in the words of an anonymous Microsoft architect and K8s advisor; that is not a title but a description of the title), and: do not use it.
I agree with that statement, and I would like everyone who asks the same question in future to understand the security risks and concerns of such a plugin by reading up on and building capability in K8s.
(Instead of using perfectly functional CLI tools, it is just a Web UI with a lot of firepower, with more and more being added to K8s as standards, such as kustomize.)
@pierluigilenoci
This can be done with https://github.com/pusher/oauth2_proxy
Hello,
Could you link or share a runnable example, including the yaml for the dashboard ingress, the values.yaml for oauth2_proxy, and the settings applicable to the Azure AD application?
I have been trying for several days to get oauth2_proxy working with Azure AD, but I cannot find a single fully runnable example that explains enough detail to configure it, and trying various flags and settings has only gotten me so far; it is not enough.
Would be really grateful!
@edemen my hints:
nginx.ingress.kubernetes.io/auth-url: "https://yourvalue/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://yourvalue/oauth2/start?rd=$escaped_request_uri"
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $token $upstream_http_authorization;
  proxy_set_header Authorization $token;

extraArgs:
  provider: "azure"
  azure-tenant: "yourvalues"
  whitelist-domain: "yourvalues"
  cookie-domain: "yourvalues"
  set-authorization-header: "true"
ingress:
  enabled: true
  path: /oauth2
That should be enough.
@pierluigilenoci
Thanks for the reply.
Today I got Azure AD and the oauth2 proxy working, but found that many settings end up in an error 500 caused by an error 400 returned from login.live.com (see https://github.com/oauth2-proxy/oauth2-proxy/issues/458 for details).
Basically, with set-authorization-header: "true", authentication via the oauth2 proxy does not work at all with Azure. I am trying to understand why, but nothing so far.
For reference, I am installing the oauth2 proxy with:

helm install oauth2-proxy stable/oauth2-proxy -n oauth2-proxy --values oauth2-proxy-values.yaml

Never mind. Dashboard v1.10.1 does not work on Kubernetes 1.16, which is what we have, anyway.
Thank you.
I have to admit that I could not get a usable Kubernetes dashboard working on AKS, although I had not spent that much time on the task either. The solution that seems to work (problems will show up given time) is kubectl proxy together with uploading the local user's kubeconfig to the standard dashboard.
This is a multi-step process and not as easy as a simple URL, but it seems the best way to use the dashboard running in the AD user's context. There is no need to customize the dashboard itself, and you keep the clean approach of using Azure AD.
@edemen of course this only works with K8s < 1.15. For K8s 1.16 I think you will have to wait until the new v2.0 dashboard is officially released.
Dashboard v2 has launched: https://github.com/kubernetes/dashboard/releases/tag/v2.0.0. However, k8s 1.16 seems to be only partially supported.
@SayakMukhopadhyay up to version v2.0.0-rc3 it was not fully supported. I use the latest RC with versions 1.15 and 1.16 and it works fine. I do not know which operations need it, but it surely covers 99.99% of normal usage.
Thanks for the feedback!
This article was recently updated to add details on signing in to the Kubernetes dashboard.