
kubernetes - How to secure the Kibana dashboard with keycloak-gatekeeper?

Reposted. Author: 行者123. Updated: 2023-12-02 11:56:44

Current flow:

incoming request (/sso-kibana) --> Envoy proxy --> /sso-kibana



Expected flow:

incoming request (/sso-kibana) --> Envoy proxy --> keycloak-gatekeeper --> keycloak

--> If not logged in --> keycloak login page --> /sso-kibana

--> If Already logged in --> /sso-kibana



I have deployed keycloak-gatekeeper to the k8s cluster with the following configuration:

keycloak-gatekeeper.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: keycloak-gatekeeper
  name: keycloak-gatekeeper
spec:
  selector:
    matchLabels:
      app: keycloak-gatekeeper
  replicas: 1
  template:
    metadata:
      labels:
        app: keycloak-gatekeeper
    spec:
      containers:
        - image: keycloak/keycloak-gatekeeper
          imagePullPolicy: Always
          name: keycloak-gatekeeper
          ports:
            - containerPort: 3000
          args:
            - "--config=/keycloak-proxy-poc/keycloak-gatekeeper/gatekeeper.yaml"
            - "--enable-logging=true"
            - "--enable-json-logging=true"
            - "--verbose=true"
          volumeMounts:
            - mountPath: /keycloak-proxy-poc/keycloak-gatekeeper
              name: secrets
      volumes:
        - name: secrets
          secret:
            secretName: gatekeeper

gatekeeper.yaml
discovery-url: https://keycloak/auth/realms/MyRealm
enable-default-deny: true
listen: 0.0.0.0:3000
upstream-url: https://kibana.k8s.cluster:5601
client-id: kibana
client-secret: d62e46c3-2a65-4069-b2fc-0ae5884a4952

Envoy.yaml
- name: kibana
  hosts: [{ socket_address: { address: keycloak-gatekeeper, port_value: 3000}}]

Problem:

I can invoke the Keycloak login on /Kibana, but after logging in the user is not taken to the /Kibana URL, i.e. the Kibana dashboard does not load.

Note: Kibana is also running in the k8s cluster.

References:
https://medium.com/@vcorreaniche/securing-serverless-services-in-kubernetes-with-keycloak-gatekeeper-6d07583e7382

https://medium.com/stakater/proxy-injector-enabling-sso-with-keycloak-on-kubernetes-a1012c3d9f8d

Update 1:

I can invoke the Keycloak login on /sso-kibana, but after entering the credentials it gives a 404. The flow is as follows:

Step 1. Hit http://something/sso-kibana
Step 2. The Keycloak login page opens at https://keycloak/auth/realms/THXiRealm/protocol/openid-connect/auth?...
Step 3. After entering the credentials, redirected to this URL: https://something/sso-kibana/oauth/callback?state=890cd02c-f ...
Step 4. 404

Update 2:

After adding a new route in Envoy.yaml, the 404 error is resolved:

Envoy.yaml
- match: { prefix: /sso-kibana/oauth/callback }
  route: { prefix_rewrite: "/", cluster: kibana.k8s.cluster }

So the expected flow (shown below) now works fine.

incoming request (/sso-kibana) --> Envoy proxy --> keycloak-gatekeeper --> keycloak

--> If not logged in --> keycloak login page --> /sso-kibana

--> If Already logged in --> /sso-kibana

Best answer

In your configuration you explicitly enabled enable-default-deny, which the documentation explains as:

enables a default denial on all requests, you have to explicitly say what is permitted (recommended)



Once it is enabled, you need to specify the URLs, methods, etc. through resources entries as shown in [1], or through the command-line arguments in [2]. For Kibana you could start with:
resources:
  - uri: /app/*

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usage-and-configuration

[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#http-routing
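A fuller gatekeeper.yaml for this setup, added here as an example rather than taken from the question or the Keycloak documentation: it keeps enable-default-deny on and contrasts it with the tempting but unsafe alternative of switching it off. The Kibana path list, the realm role kibana-user, the redirection-url value and the assumption that Envoy strips the /sso-kibana prefix before forwarding to gatekeeper are mine.

```yaml
# Added example (not from the question or the project docs): gatekeeper.yaml
# for the deployment above, with enable-default-deny kept on.
discovery-url: https://keycloak/auth/realms/MyRealm
client-id: kibana
client-secret: <CLIENT_SECRET_FROM_THE_gatekeeper_SECRET>   # placeholder
listen: 0.0.0.0:3000
upstream-url: https://kibana.k8s.cluster:5601

# Assumption: the public URL the browser uses. The OIDC callback is built from
# it, so it must match what Envoy routes back to gatekeeper (see Update 1,
# where the callback landed on https://something/sso-kibana/oauth/callback).
redirection-url: https://something/sso-kibana

# Tempting "fix" for the blank dashboard / 404: turning default-deny off.
# This forwards every path to Kibana without any authentication check, so
# leave it commented out.
# enable-default-deny: false

# Recommended: keep default-deny and allow only what the dashboard needs.
# Path patterns assume Envoy strips /sso-kibana before forwarding; if it
# does not, prefix each uri with /sso-kibana. The list is a starting point.
enable-default-deny: true
resources:
  - uri: /app/*          # the Kibana UI pages
    methods:
      - GET
    roles:
      - kibana-user      # assumed realm role granted to dashboard users
  - uri: /bundles/*      # static assets the UI loads
    methods:
      - GET
    roles:
      - kibana-user
  - uri: /api/*          # saved objects, searches, etc. used by the UI
    methods:
      - GET
      - POST
      - PUT
      - DELETE
    roles:
      - kibana-user
```

Anything not matched by a resources entry is still denied, so a new Kibana feature that 403s is a sign to add its path deliberately rather than to disable default-deny.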

Regarding "kubernetes - How to secure the Kibana dashboard with keycloak-gatekeeper?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57497526/
