When using Keystone with Kubernetes, the Kubernetes dashboard is Using Keystone with the kubernetes-dashboard Any credentials thatĪre not supplied via environment variable are queried at run-time forĮach invocation of kubectl. IP address that is reachable from the client. Special attention to the OS_AUTH_URL variable and ensure it is using an Variables in kube-keystone.sh to match valid user credentials. The kube-keystone.sh script we downloaded earlier. These environment variables are exported in Retrieving a token for us using the environment variables common to The client-keystone-auth snap will automate ~/.kube/config, we can use kubectl to authenticate with the api server With the updated config file copied above in Now ensure the user is added to the project created above.Īt this point, Keystone is set up and we have a domain, project, and userĬreated in Keystone. Keystone-policy configuration option on the kubernetes-master charm. Match with the keystone-policy configuration option on the kubernetes-masterĪs with the roles, the project name must match the value in the Repeat the process for k8s-viewers and k8s-users if desired. You should now create a new domain for Kubernetes.Īfter creating, be sure to set the domain context so users and roles are added to theĬreate an appropriate role for Kubernetes: With: juju run -unit keystone/0 leader-get admin_passwd Named admin with a randomly-generated password. To note that Keystone creates the domain admin_domain by default and has a user If you just deployed Keystone and do not have any credentials set, it is useful Open the address in a web browser and log in with the token obtained previously. You can determine the web address for the OpenStack dashboard by running: juju status openstack-dashboard If this step fails, check that the details in the The script should prompt you to enter an additional command to retrieve the token to At this point theįile should be sourced: source ~/kube-keystone.sh Point at the public address for Keystone, and the username if different. The file will need to be edited to replace the value for OS_AUTH_URL, which should This should be copied to the local client with: juju scp kubernetes-master/0:kube-keystone.sh ~/kube-keystone.sh The Kubernetes master application will generate a utility script. When related to Keystone directly (or to the openstack-integrator:keystone-credentials interface), Or configure the credentials config parameter manually juju trust openstack-integratorįinally add a relation between kubernetes-master and openstack-integrator juju add-relation kubernetes-master:keystone-credentials openstack-integrator:credentials Use 'juju trust' to grant openstack-integrator a permission to access the OpenStack model, To do so, first deploy the openstack-integrator charm juju deploy cs:~containers/openstack-integrator It is possible to re-use it for authenticating and authorising users in Kubernetes. If you have an existing Keystone application deployed as part of OpenStack in a separate Juju model, Using existing Keystone from an OpenStack model Note that, if security is a concern, this access can subsequently be reversed with: juju unexpose keystone With Juju by running: juju expose keystone You will also need to access the dashboard for the following steps. The Keystone application will need to be accessible by kubectl running on your desktop. You can check that the new applications have deployed and are running with: juju status You should now add a relation for the kubernetes-master nodes to accept KeystoneĬredentials: juju add-relation keystone:identity-credentials kubernetes-master:keystone-credentials An example bundle is available for download.ĭeploy the bundle with the following command: juju deploy. Which will deploy and relate, Keystone, the OpenStack dashboard and a suitableĭatabase. This is easily achieved by using a bundle, OpenStack, the default supported version for Ubuntu 18.04 (Bionic) Note: These instructions assume you are working with the Queens release of
CONFIGURE SVN WITH LDAP AND LOCAL AUTHENTICATION INSTALL
This can be done by running: sudo snap install client-keystone-auth -edge You will need to install the Keystone client.For LDAP authentication, this documentation assumes you already have a suitable LDAP.This document assumes you have already installed Charmed Kubernetes.Or both authentication and authorisation. Authorisation deals with what a user is allowed to do.Ĭharmed Kubernetes can be configured to use Keystone and LDAP for authentication only.There is a distinction between authentication and authorisation:
0 kommentar(er)
