I am trying to use Keycloak as my identity provider to access the k8s dashboard. I am using keycloak-gatekeeper for authentication.

The Keycloak configuration file on my pod pod1 is as follows:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: db
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: db
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
      - name: gatekeeper
        image: carlosedp/keycloak-gatekeeper:latest
        args:
        - --config=/etc/keycloak-gatekeeper.conf
        ports:
        - containerPort: 3000
          name: service
        volumeMounts:
        - name: gatekeeper-config
          mountPath: /etc/keycloak-gatekeeper.conf
          subPath: keycloak-gatekeeper.conf
        - name: gatekeeper-files
          mountPath: /html
      volumes:
      - name: gatekeeper-config
        configMap:
          name: gatekeeper-config
      - name: gatekeeper-files
        configMap:
          name: gatekeeper-files
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gatekeeper-config
  namespace: kubernetes-dashboard
  creationTimestamp: null
data:
  keycloak-gatekeeper.conf: |+
    discovery-url: http://keycloak.<IP>.nip.io:8080/auth/realms/k8s-realm
    skip-openid-provider-tls-verify: true
    client-id: k8s-client
    client-secret: <SECRET>
    listen: 0.0.0.0:3000
    debug: true
    ingress.enabled: true
    enable-refresh-tokens: true
    enable-logging: true
    enable-json-logging: true
    redirection-url: http://k8s.dashboard.com/dashboard/
    secure-cookie: false
    encryption-key: vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6aa
    enable-encrypted-token: false
    upstream-url: http://127.0.0.0:80
    forbidden-page: /html/access-forbidden.html
    headers:
        Bearer : <bearer token>
    resources:
    - uri: /*
      groups:
      - k8s-group
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gatekeeper-files
  namespace: kubernetes-dashboard
  creationTimestamp: null
data:
  access-forbidden.html: html file
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: db
  name: db
  namespace: kubernetes-dashboard
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: service
  selector:
    app: db
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: db
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
spec:
  rules:
    - host: k8s.dashboard.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: db
              port:
                number: 80

When I visit k8s.dashboard.com, I get this URL, which navigates me to the Keycloak page for authentication:

http://keycloak.<IP>.nip.io:8080/auth/realms/k8s-realm/protocol/openid-connect/auth?client_id=k8s-client&redirect_uri=http%3A%2F%2Fk8s.dashboard.com%2Fdashboard%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=23c4b0ff-259f-45c0-934a-98fc780363e6

After logging in to Keycloak, it throws a 404 page at me, and the redirected URL is

http://k8s.dashboard.com/dashboard/oauth/callback?state=23c4b0ff-259f-45c0-934a-98fc780363e6&session_state=4c698f90-4e03-44a9-b231-01a418f0d569&code=9ab6a309-98ad-4d61-989f-116f0b151522.4c698f90-4e03-44a9-b231-01a418f0d569.520395c1-d601-4502-981a-b1c08861ab3d

As you can see, an extra /oauth/callback endpoint is appended after k8s.dashboard.com/dashboard. If I remove /oauth/callback, it redirects me to the k8s dashboard login page.

My pod log file is as follows:

{"level":"info","ts":1626074166.8771496,"msg":"client request","latency":0.000162174,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1626074166.9270697,"msg":"client request","latency":0.000054857,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1626074176.2642884,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074176.264481,"msg":"client request","latency":0.000197256,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/"}
{"level":"info","ts":1626074176.2680361,"msg":"client request","latency":0.000041917,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1626074185.140641,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074185.1407247,"msg":"client request","latency":0.000091046,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/"}
{"level":"info","ts":1626074185.1444902,"msg":"client request","latency":0.000042129,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1626074202.1827211,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074202.182838,"msg":"client request","latency":0.000122802,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1626074202.1899397,"msg":"client request","latency":0.000032541,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}

What is wrong here? Any help would be greatly appreciated!
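Added diagnostic example (not code from the question or from keycloak-gatekeeper): it parses gatekeeper JSON log lines like the ones above and counts, per client, how many "no session found" errors were followed by a 307 to /oauth/authorize without any /oauth/callback request in between, and it checks that the redirect_uri sent to Keycloak equals redirection-url plus /oauth/callback, reporting the exact path the Ingress must deliver unchanged to the gatekeeper Service. The sample log, the hypothetical keycloak.example.test host and the function names are constructed for this example.

```python
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the gatekeeper pod log quoted in the question.
SAMPLE_LOG = """
{"level":"info","ts":1626074166.927,"msg":"client request","status":307,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1626074176.264,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074176.264,"msg":"client request","status":307,"client_ip":"172.17.0.8:43276","method":"GET","path":"/"}
{"level":"info","ts":1626074176.268,"msg":"client request","status":307,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1626074185.140,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074185.140,"msg":"client request","status":307,"client_ip":"172.17.0.8:43276","method":"GET","path":"/"}
{"level":"info","ts":1626074185.144,"msg":"client request","status":307,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
"""

# Constructed Keycloak authorize URL carrying the same query as the one in the question
# (hypothetical host keycloak.example.test instead of the <IP>.nip.io placeholder).
SAMPLE_AUTH_URL = ("http://keycloak.example.test:8080/auth/realms/k8s-realm/protocol/openid-connect/auth"
                   "?client_id=k8s-client&redirect_uri=http%3A%2F%2Fk8s.dashboard.com%2Fdashboard%2Foauth%2Fcallback"
                   "&response_type=code&scope=openid+email+profile&state=23c4b0ff")

def auth_loop_rounds(log_text):
    """Per client IP, count 'no session found' errors that were followed by a 307 to
    /oauth/authorize with no request to /oauth/callback in between. A healthy login
    yields at most 1; a loop in which no callback is ever logged keeps growing."""
    rounds = Counter()
    pending = False  # set by an error record, cleared when the callback or authorize arrives
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("level") == "error" and "no session" in rec.get("msg", ""):
            pending = True
            continue
        path = rec.get("path", "")
        if path == "/oauth/callback":
            pending = False  # the browser came back with the code: the cycle completed
        elif path == "/oauth/authorize" and rec.get("status") == 307 and pending:
            rounds[rec["client_ip"].rsplit(":", 1)[0]] += 1
            pending = False
    return dict(rounds)

def callback_check(redirection_url, keycloak_auth_url):
    """Derive the callback gatekeeper registers (redirection-url + /oauth/callback) and
    compare it with the redirect_uri actually sent to Keycloak; callback_path is the
    exact path the Ingress must hand to the gatekeeper Service without rewriting it."""
    expected = redirection_url.rstrip("/") + "/oauth/callback"
    actual = parse_qs(urlsplit(keycloak_auth_url).query).get("redirect_uri", [""])[0]
    return {"expected": expected, "actual": actual, "match": expected == actual,
            "callback_path": urlsplit(expected).path}
```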
