essie-chiang / blog-incubator


七周的秋令营 - 秋天的第三周 #37

Open essie-chiang opened 11 months ago

essie-chiang commented 11 months ago

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/authentication_and_authorization/configuring-identity-providers#configuring-htpasswd-identity-provider


Work has gotten busy, but the third week's challenge still arrived on time...

essie-chiang commented 11 months ago

Create an HTPasswd identity provider for your cluster. Create two users, ceadmin and cedev, with a password of your choice. Assign the cluster-admin role to the ceadmin user. Assign the edit role to the cedev user. Verify that you can log in to the cluster as the users you created. What are the differences between the roles? Remove the kubeadmin user.

Steps generated with help from GPT

Create an HTPasswd Identity Provider:

In OpenShift, you can create an HTPasswd identity provider to manage users and passwords. You can create an HTPasswd identity provider by creating a secret with HTPasswd credentials and then referencing it in an OAuth configuration.

Here is a simplified example of creating an HTPasswd secret:

htpasswd -c -B -b /path/to/htpasswd-file ceadmin password1   # -c creates the file, -B selects bcrypt
htpasswd -B -b /path/to/htpasswd-file cedev password2        # -b takes the password on the command line (the man page notes it is visible there)
oc create secret generic htpass-secret --from-file=htpasswd=/path/to/htpasswd-file -n openshift-config   # the OAuth config only reads secrets from openshift-config

You will replace /path/to/htpasswd-file with the actual path to the HTPasswd file.

Assign Roles:

In OpenShift, you can assign roles to users at the project (namespace) level. The cluster-admin and edit roles can be assigned as follows:

To assign the cluster-admin role to the ceadmin user:

oc adm policy add-cluster-role-to-user cluster-admin ceadmin

To assign the edit role to the cedev user:

oc adm policy add-role-to-user edit cedev -n <project>   # binds the edit role in the named project only; <project> is a placeholder

Verify User Login:

After creating the users and assigning roles, verify that you can log in to the cluster with the created users. You can use the oc login command to log in as a specific user:

oc login -u ceadmin -p password1
oc login -u cedev -p password2

Verify that you have the expected permissions and can perform actions according to the assigned roles.

Remove kubeadmin User:

If you want to remove the kubeadmin user, you can disable it by revoking its permissions:

oc adm policy remove-cluster-role-from-user cluster-admin kubeadmin

After revoking its permissions, you can also delete the kubeadmin user:

oc delete secret kubeadmin -n kube-system   # kubeadmin is backed by this secret, not by a User object

However, be cautious when removing the kubeadmin user, as it's the default administrative user and should only be removed when you have alternative administrative accounts configured.

The differences between the roles are:

cluster-admin: Users with the cluster-admin role have full administrative access to the entire OpenShift cluster. They can perform all actions, including creating and managing projects and users.

edit: Users with the edit role have edit access to projects (namespaces) within the cluster. They can create, update, and delete resources within a project but do not have cluster-wide administrative privileges.

Remember to follow best practices for user and role management in your OpenShift cluster to ensure secure and efficient operations.

essie-chiang commented 11 months ago

SUMMARY

htpasswd is used to create and update the flat-files used to store usernames and passwords for basic authentication of HTTP users. If htpasswd cannot access a file, such as not being able to write to the output file or not being able to read the file in order to update it, it returns an error status and makes no changes.

Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd. This program can only manage usernames and passwords stored in a flat-file. It can encrypt and display password information for use in other types of data stores, though. To use a DBM database see dbmmanage or htdbm.

htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine. Files managed by htpasswd may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

This manual page only lists the command line arguments. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd.apache.org/.

OPTIONS

-b Use batch mode; i.e., get the password from the command line rather than prompting for it. This option should be used with extreme care, since the password is clearly visible on the command line. For script use see the -i option. Available in 2.4.4 and later.

-i Read the password from stdin without verification (for script usage).

-c Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.

-n Display the results on standard output rather than updating a file. This is useful for generating password records acceptable to Apache for inclusion in non-text data stores. This option changes the syntax of the command line, since the passwdfile argument (usually the first one) is omitted. It cannot be combined with the -c option.

-m Use MD5 encryption for passwords. This is the default (since version 2.2.18).

-B Use bcrypt encryption for passwords. This is currently considered to be very secure.

essie-chiang commented 11 months ago

To use the kubeconfig file to authenticate oc commands, you must copy the file to your workstation and set the absolute or relative path to the KUBECONFIG environment variable. Then, you can run any oc command that requires cluster administrator privileges without logging in to OpenShift.

[user@host ~]$ export KUBECONFIG=/home/user/auth/kubeconfig
[user@host ~]$ oc get nodes

As an alternative, you can use the --kubeconfig option of the oc command.

[user@host ~]$ oc --kubeconfig /home/user/auth/kubeconfig get nodes

essie-chiang commented 11 months ago

Create an HTPasswd identity provider for your cluster. Create two users, ceadmin and cedev, with a password of your choice. Assign the cluster-admin role to the ceadmin user. Assign the edit role to the cedev user. Verify that you can log in to the cluster as the users you created. What are the differences between the roles? Remove the kubeadmin user.

htpasswd -c -B -b /tmp/htpasswd ceadmin redhat123
htpasswd -B -b /tmp/htpasswd cedev redhat123

oc create secret generic htpasswd-secret \
  --from-file htpasswd=/tmp/htpasswd -n openshift-config

[user@host ~]$ oc extract secret/htpasswd-secret -n openshift-config \
  --to /tmp/ --confirm
/tmp/htpasswd

ceadmin cedev

oc adm policy add-cluster-role-to-user cluster-admin ceadmin

oc adm policy add-cluster-role-to-user edit cedev

essie-chiang commented 11 months ago
$ oc get secret kubeadmin -n kube-system
NAME        TYPE     DATA   AGE
kubeadmin   Opaque   1      21h

oc explain oauth.spec.identityProviders

oc explain oauth.spec.identityProviders.mappingMethod
KIND:     OAuth
VERSION:  config.openshift.io/v1

FIELD: mappingMethod

DESCRIPTION:
     mappingMethod determines how identities from this provider are mapped to users. Defaults to "claim".

mappingMethod controls how the mapping between provider identities and User objects is established. With the default claim value, you cannot log in with different identity providers.

oc get oauth cluster -o yaml > oauth.yaml
oc replace -f oauth.yaml
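The thread edits oauth.yaml but never shows what goes into it, and the htpasswd man page quoted above points out that one file can mix bcrypt, MD5, SHA1 and crypt() entries. The script below is an added example for this thread, not code from the issue or from Red Hat. It renders the OAuth custom resource that points an HTPasswd provider at the htpasswd-secret created in openshift-config (the provider name htpasswd_provider is an assumption; the thread's own flow uses oc replace on the fetched YAML, while apply_oauth_cr uses oc apply), and it audits an htpasswd file so that any entry not written with -B shows up. The sample htpasswd file is constructed: the bcrypt and apr1 strings are format placeholders, not real hashes, and the {SHA} value is the well-known hash of the string "password".

```shell
#!/bin/sh
# Added example for this thread, not code from the issue or from Red Hat.
#   render_oauth_cr - emits the OAuth CR wiring an HTPasswd provider to the
#                     secret in openshift-config ("htpasswd_provider" is an
#                     assumed provider name; the secret name is from the thread).
#   audit_htpasswd  - reports every htpasswd entry whose hash is not bcrypt.
set -eu

# Emit the OAuth custom resource. $1 = secret name, $2 = provider name.
render_oauth_cr() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: $2
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: $1
EOF
}

# Apply the rendered CR. Needs a logged-in oc with cluster-admin; not run here.
apply_oauth_cr() {
  render_oauth_cr "$1" "$2" | oc apply -f -
}

# Classify one htpasswd hash string by its prefix.
hash_scheme() {
  case "$1" in
    '$2y$'* | '$2a$'* | '$2b$'*) echo bcrypt ;;
    '$apr1$'*)                   echo apr1-md5 ;;
    '{SHA}'*)                    echo sha1 ;;
    *)                           echo crypt ;;
  esac
}

# Print "user scheme" for each entry that is not bcrypt.
# Returns 0 when every entry is bcrypt, 1 otherwise.
audit_htpasswd() {
  weak=0
  while IFS=: read -r user hash; do
    [ -n "$user" ] || continue            # skip blank lines
    scheme=$(hash_scheme "$hash")
    if [ "$scheme" != bcrypt ]; then
      printf '%s %s\n' "$user" "$scheme"
      weak=1
    fi
  done < "$1"
  return "$weak"
}

# Write a constructed sample file to $1. The bcrypt and apr1 values are
# placeholders in the right format, not real hashes; the {SHA} value is the
# well-known hash of the string "password".
write_sample_htpasswd() {
  cat > "$1" <<'EOF'
ceadmin:$2y$05$CONSTRUCTEDplaceholderNOTarealbcryptHASHxxxxxxxxxxxxxxxxx
cedev:$apr1$CONSTRUC$placeholderNOTarealMD5hash
legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
EOF
}

# Stand-alone demo (run as: sh this_script.sh demo): render the CR, then
# audit the constructed file and name the entries to regenerate with -B.
if [ "${1:-}" = "demo" ]; then
  render_oauth_cr htpasswd-secret htpasswd_provider
  tmp=$(mktemp)
  write_sample_htpasswd "$tmp"
  audit_htpasswd "$tmp" || echo "non-bcrypt entries found; re-run htpasswd -B for them"
  rm -f "$tmp"
fi
```

In a real cluster the audit runs against the extracted secret (oc extract secret/htpasswd-secret -n openshift-config --to /tmp/ --confirm, as in the thread) rather than against the constructed sample, and any user it lists is re-added with htpasswd -B before the secret is recreated.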

essie-chiang commented 11 months ago

export KUBECONFIG=/home/user/auth/kubeconfig

That path does not exist in this environment, but after some searching I could still find a kubeconfig:

export KUBECONFIG=/home/admin/kubeconfig
Unable to connect to the server: x509: certificate signed by unknown authority

Understanding this environment:

$ oc config view
apiVersion: v1
clusters:

Delete the kubeadmin user's secret:

oc delete secret kubeadmin -n kube-system

Then log in as ceadmin. For the meaning of the oc config view output, see https://medium.com/@deyagondsamarth/understanding-the-kubeconfig-3ef43e8716d