1、配置本地用户
之前安装的时候选择了htpasswd验证方式
先创建用户
# htpasswd -c /etc/origin/master/htpasswd admin
授权为集群管理员
# oc adm policy add-cluster-role-to-user cluster-admin admin
登陆到oc
# oc login -u admin
2、配置服务账号
平时的管理可以用本地账号,但是如果用调用k8s接口虽然也可以使用本地账号TOKEN但是很快会过期,这时候就要用服务账号了
创建服务用户
# oc project default
# oc create sa api-admin
授权为集群管理员
# oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:default:api-admin
获取服务账号长期TOKEN
# oc get sa/api-admin --template='{{range .secrets}}{{ .name }} {{end}}' | xargs -n 1 oc get secret --template='{{ if .data.token }}{{ .data.token }}{{end}}' | head -n 1 | base64 -d -
3、使用ldap验证用户
人多了账号不好管理,就需要接入ldap了
编辑/etc/origin/master/master-config.yaml
加入以下内容
oauthConfig:
assetPublicURL: https://www.oc.example.cn:8443/console/
grantConfig:
method: auto
identityProviders:
- challenge: true
login: true
mappingMethod: claim
name: Ldap_auth
provider:
apiVersion: v1
attributes:
email:
- mail
id:
- dn
name:
- cn
preferredUsername:
- uid
bindDN: uid=ldapreader,cn=users,dc=example,dc=com
bindPassword: 123456
insecure: true
kind: LDAPPasswordIdentityProvider
url: ldap://192.168.1.1:389/cn=users,dc=example,dc=com?uid
重启master以使更改生效
# master-restart api
# master-restart controllers
同步ldap账号
编辑/etc/origin/master/rfc2307_config.yaml
加入以下内容
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://192.168.1.1:389
insecure: true
rfc2307:
groupsQuery:
baseDN: "cn=groups,dc=example,dc=com"
scope: sub
derefAliases: never
pageSize: 0
filter: (objectClass=posixGroup)
groupUIDAttribute: dn
groupNameAttributes: [ cn ]
groupMembershipAttributes: [ member ]
usersQuery:
baseDN: "dc=example,dc=com"
scope: sub
derefAliases: never
pageSize: 0
userUIDAttribute: dn
userNameAttributes: [ cn ]
tolerateMemberNotFoundErrors: false
tolerateMemberOutOfScopeErrors: false
同步命令
# oc adm groups sync --sync-config=/etc/origin/master/rfc2307_config.yaml --confirm
最好加入crontab定时同步
验证用户有没有被同步过来
# oc get group