Using keycloak as external OIDC provider on kubesphere

hk · 23 March 2023

SSO


Prerequisites

Kubernetes v1.21.5
a default StorageClass before installing kubeflow
KubeSphere v3.3


Install Kubesphere

https://kubesphere.io/docs/v3.3/installing-on-kubernetes/introduction/overview/

Execute the following commands to start installation:

kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.3.1/kubesphere-installer.yaml
kubectl apply -f https://github.com/kubesphere/ks-installer/releases/download/v3.3.1/cluster-configuration.yaml

Use kubectl get pod --all-namespaces to check whether all pods in the KubeSphere namespaces are running normally. If they are, look up the port of the console (30880 by default) with the following command:

kubectl get svc/ks-console -n kubesphere-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ks-console NodePort 10.233.28.132 80:30880/TCP 11m

Make sure port 30880 is opened in security groups and access the web console through the NodePort (IP:30880) with the default account and password (admin/P@88w0rd).


Keycloak settings on KubeSphere

Edit the KubeSphere configuration (the ks-installer ClusterConfiguration):

kubectl -n kubesphere-system edit cc ks-installer

  alerting:
    enabled: false
  auditing:
    enabled: false
  authentication:
    authenticateRateLimiterDuration: 10m0s
    authenticateRateLimiterMaxTries: 100   # default 10
    jwtSecret: ""
    oauthOptions:
      accessTokenInactivityTimeout: 30m
      accessTokenMaxAge: 1h
      identityProviders:
      - mappingMethod: auto
        name: keycloak
        provider:
          clientID: kubesphere
          clientSecret: RfVoSi9W2zM2bIKRd7bZWz0z1FP0oSsm
          idTokenSkipVerify: true   # skips ID token verification; set to false once the issuer is reachable over TLS
          issuer: 'https://{keycloak-server}:{keycloak-port}/realms/{your_realm}'
          redirectURL: 'http://{kubesphere-server}:30880/oauth/redirect/keycloak'
          # scopes belong inside provider; KubeSphere ignores them at the identityProviders level
          scopes:
          - openid
          - email
          - profile
        type: OIDCIdentityProvider
  common:
    core: 

To avoid being locked out by the login rate limiter while testing, change authenticateRateLimiterMaxTries from the default 10 to 100 or so. Then restart the installer and the API server so the new configuration is picked up:

kubectl rollout restart -n kubesphere-system deploy ks-installer
kubectl rollout restart -n kubesphere-system deploy ks-apiserver
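Before applying the fragment above it is worth linting the identityProviders entry for the mistakes that are easy to make here: placeholders left in issuer/redirectURL, a plain-http redirect, idTokenSkipVerify left on, and scopes placed outside provider. The following is an added example, not code from the post or from KubeSphere; the two dictionaries are constructed samples (the first mirrors the fragment above, the second is a hypothetical hardened version), and the redirect path convention `/oauth/redirect/<name>` is taken from the post's own redirectURL.

```python
"""Lint one KubeSphere OIDC identityProviders entry before applying it."""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample mirroring the ks-installer fragment above (placeholders kept).
SAMPLE_PROVIDER: Dict = {
    "name": "keycloak", "type": "OIDCIdentityProvider", "mappingMethod": "auto",
    "provider": {
        "clientID": "kubesphere", "clientSecret": "REPLACE_ME",
        "idTokenSkipVerify": True,
        "issuer": "https://{keycloak-server}:{keycloak-port}/realms/{your_realm}",
        "redirectURL": "http://{kubesphere-server}:30880/oauth/redirect/keycloak",
    },
    # Misplaced on purpose: KubeSphere reads scopes from inside `provider`.
    "scopes": ["openid", "email", "profile"],
}

# Constructed hardened sample (hypothetical hostnames): what the entry should look like.
HARDENED_PROVIDER: Dict = {
    "name": "keycloak", "type": "OIDCIdentityProvider", "mappingMethod": "auto",
    "provider": {
        "clientID": "kubesphere", "clientSecret": "s3cr3t-issued-by-keycloak",
        "idTokenSkipVerify": False,
        "issuer": "https://keycloak.example.com:8443/realms/kubesphere",
        "redirectURL": "https://kubesphere.example.com:30880/oauth/redirect/keycloak",
        "scopes": ["openid", "email", "profile"],
    },
}


def lint_oidc_provider(idp: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the entry looks sane."""
    findings: List[str] = []
    prov = idp.get("provider", {})
    if idp.get("type") != "OIDCIdentityProvider":
        findings.append("type must be OIDCIdentityProvider")
    if "scopes" in idp and "scopes" not in prov:
        findings.append("scopes is outside provider and will be ignored")
    if "openid" not in prov.get("scopes", ["openid"]):
        findings.append("provider.scopes must include openid")
    if prov.get("idTokenSkipVerify"):
        findings.append("idTokenSkipVerify is true: ID token signature is not checked")
    for key in ("issuer", "redirectURL"):
        url = prov.get(key, "")
        if not url or "{" in url:
            findings.append(f"{key} is missing or still contains a placeholder")
        elif urlparse(url).scheme != "https":
            findings.append(f"{key} is not https; the code and tokens travel in clear")
    if prov.get("clientSecret", "") in ("", "REPLACE_ME"):
        findings.append("clientSecret is empty or a placeholder")
    if not prov.get("redirectURL", "").endswith(f"/oauth/redirect/{idp.get('name')}"):
        findings.append("redirectURL must end with /oauth/redirect/<name>")
    return findings
```

Run the linter against each entry of oauthOptions.identityProviders from `kubectl -n kubesphere-system get cc ks-installer -o yaml` before restarting ks-apiserver.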

Keycloak

Create a user in Keycloak
Set up the client in Keycloak

