How to Set Up Active Directory or LDAP Authentication for Kubernetes

In this article we’ll take a look at using Active Directory (AD) or LDAP for authenticating to a Kubernetes cluster.

Some of the instructions specific to the setup of the AD server might not be relevant for some of you, especially if you want to use your existing LDAP or AD server for authentication. However, if you are planning to set up an end-to-end environment for dev/test, then the AD setup instructions might be helpful.

Active Directory Setup

In my development setup I use Samba as my Active Directory (AD) Domain Controller to simulate enterprise environments.

Setting up Samba as an AD domain controller is a breeze. I had set up Samba 4 AD by following the instructions mentioned in this link on an Ubuntu PowerPC LE VM running on an OpenPower server.

Samba 4.x packages are available from the Ubuntu repository itself. The following screenshot shows the Samba packages installed in my Ubuntu VM:

[Screenshot: samba-ppc64le]

Run the following command and follow the prompts to set up Samba as your primary domain controller:

# samba-tool domain provision --use-rfc2307 --interactive

Here is the smb.conf from my test setup:

# Global parameters
[global]
	workgroup = SAMDOM
	realm = SAMDOM.EXAMPLE.COM
	netbios name = PKB-UBUNTU14-1
	interfaces = lo eth0
	bind interfaces only = Yes
	server role = active directory domain controller
	dns forwarder = 192.168.122.1
	idmap_ldb:use rfc2307 = yes
	ldap server require strong auth = no

[netlogon]
	path = /var/lib/samba/sysvol/samdom.example.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

Use samba-tool to add users:

# samba-tool user add pradipta
New Password: 
Retype Password: 
User 'pradipta' created successfully

# samba-tool user list
Administrator
pradipta
krbtgt
Guest

Keystone Setup

Keystone is set up on the same Ubuntu VM as Samba. Keystone packages are available from the Ubuntu repository itself. The following screenshot shows the Keystone packages installed in my VM:

[Screenshot: keystone-ppc64le]

Here is a snapshot of the key sections of the /etc/keystone/keystone.conf file required for AD/LDAP integration:

[DEFAULT]
admin_token = eb18653b1907c4c0e97f
public_bind_host = pkb-ubuntu14-1.kube.com
admin_bind_host = pkb-ubuntu14-1.kube.com

[identity]
driver = ldap

[ldap]
chase_referrals = false
page_size = 1000
query_scope = sub
suffix = CN=Users,DC=samdom,DC=example,DC=com
url = ldap://pkb-ubuntu14-1.kube.com
use_tls = false
#If use_tls = true then the following parameters will need to be uncommented
#tls_req_cert = demand
#tls_cacertfile =<path-to-cert-file>
user = Administrator@samdom.example.com
password = password
user_allow_create = false
user_allow_update = false
user_attribute_ignore = enabled
user_id_attribute = CN
user_mail_attribute = mail
user_name_attribute = sAMAccountName
user_objectclass = organizationalPerson
user_tree_dn = DC=samdom,DC=example,DC=com

If you plan to use a plain LDAP server instead of an AD server, omit the chase_referrals setting. Adjust the environment-specific values (url, suffix, user_tree_dn, the bind user and password, and the user_* object-class and attribute mappings) to match your directory. Be aware of what this configuration trades away for convenience: Keystone binds as the domain Administrator, the bind password sits in clear text in keystone.conf, and with url = ldap:// and use_tls = false every bind crosses the network unencrypted, including the end users' own passwords when Keystone binds as them to verify a login (this is also why the Samba side had to set ldap server require strong auth = no). Outside a throwaway dev/test environment, use ldaps:// or use_tls = true together with tls_req_cert = demand and a CA file, bind with a dedicated read-only service account rather than Administrator, and keep keystone.conf readable only by the keystone user.
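What the [ldap] section above actually makes Keystone do is easier to see as a query. The following is an added example, not code from the article or from Keystone itself: it reads the article's [ldap] settings (embedded as a string so it runs offline), derives the directory search that a lookup of one username implies from user_tree_dn, query_scope, user_objectclass and user_name_attribute, escapes the username per RFC 4515 so a login name taken from a client request cannot rewrite the filter, flags the plaintext transport, and prints the equivalent ldapsearch command you can run by hand to check the bind account and filter before involving Keystone. The filter shape is a reconstruction of what the settings mean, not Keystone's internal code, and the ldapsearch invocation assumes the OpenLDAP client tools.

```python
"""Translate Keystone's [ldap] settings into the directory search they imply.

Added example for this article; not Keystone's code. KEYSTONE_CONF is the
article's configuration fragment embedded as a string so the module runs offline.
"""
import configparser
import shlex

KEYSTONE_CONF = """
[identity]
driver = ldap

[ldap]
chase_referrals = false
page_size = 1000
query_scope = sub
suffix = CN=Users,DC=samdom,DC=example,DC=com
url = ldap://pkb-ubuntu14-1.kube.com
use_tls = false
user = Administrator@samdom.example.com
password = password
user_id_attribute = CN
user_mail_attribute = mail
user_name_attribute = sAMAccountName
user_objectclass = organizationalPerson
user_tree_dn = DC=samdom,DC=example,DC=com
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value,
# otherwise a username such as  *)(cn=*  would rewrite the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def load_ldap_section(text):
    """Parse a keystone.conf and return its [ldap] section as a plain dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["ldap"])


def user_search(conf, username):
    """Search base, scope, filter and attributes for looking up one user."""
    search_filter = "(&(objectClass=%s)(%s=%s))" % (
        conf["user_objectclass"],
        conf["user_name_attribute"],
        escape_filter_value(username),
    )
    return {
        "base": conf["user_tree_dn"],
        "scope": conf.get("query_scope", "one"),  # Keystone's default scope is "one"
        "filter": search_filter,
        "attrs": [conf["user_id_attribute"], conf["user_name_attribute"], conf["user_mail_attribute"]],
    }


def transport_is_plaintext(conf):
    """True when binds (and therefore passwords) would cross the wire unencrypted."""
    plain_url = conf["url"].strip().lower().startswith("ldap://")
    starttls = conf.get("use_tls", "false").strip().lower() == "true"
    return plain_url and not starttls


def ldapsearch_command(conf, username):
    """Equivalent ldapsearch invocation, for checking the bind account and filter by hand."""
    search = user_search(conf, username)
    parts = ["ldapsearch", "-x", "-H", conf["url"], "-D", conf["user"], "-w", conf["password"],
             "-b", search["base"], "-s", search["scope"], search["filter"]] + search["attrs"]
    return " ".join(shlex.quote(part) for part in parts)


if __name__ == "__main__":
    settings = load_ldap_section(KEYSTONE_CONF)
    print(ldapsearch_command(settings, "pradipta"))
    if transport_is_plaintext(settings):
        print("WARNING: ldap:// without use_tls; the bind password travels in clear text")
```

Running the module prints the ldapsearch line for the user pradipta and the plaintext warning for this configuration; switching url to ldaps:// or use_tls to true silences the warning. The escaping matters because the username that ends up in this filter comes from the kubeconfig or Basic-auth header of whoever is logging in, which is attacker-controlled input.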

The admin token is generated using the following command:

# openssl rand -hex 10

It is a bootstrap credential: anyone who presents it gets full administrative access to Keystone, so treat it like a root password and disable admin_token_auth in the Keystone pipeline once proper admin users and roles exist.

The Kubernetes Keystone authenticator only accepts an https:// Keystone URL, so you will need to enable SSL for Keystone.

Edit the [eventlet_server_ssl] and [ssl] sections in the /etc/keystone/keystone.conf file:

[eventlet_server_ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = False

[ssl]
ca_key = /etc/keystone/ssl/private/cakey.pem
key_size = 2048
valid_days = 3650
cert_subject=/C=IN/ST=Karnataka/L=Bangalore/O=MyOrg/CN=pkb-ubuntu14-1.kube.com

Modify the certificate paths and the cert_subject as per your environment; in particular the CN must match the hostname used in the Keystone URL, or clients will fail certificate verification.

Run the following command to set up SSL for Keystone:

# keystone-manage ssl_setup  --keystone-user keystone --keystone-group keystone --rebuild

OpenSSL commands can also be used to set up SSL instead of keystone-manage. There is a good reference on how to configure SSL for Keystone here – http://docs.openstack.org/developer/keystone/kilo/configuration.html

Restart the Keystone server for the changes to take effect:

# service keystone restart

Kubernetes Config

Point the API server at Keystone (on the Kubernetes releases of this era, the --experimental-keystone-url flag) and ensure the Keystone CA certificate defined via the ca_certs parameter (/etc/keystone/ssl/certs/ca.pem) is trusted on the system running the Kubernetes API server; otherwise the API server cannot verify Keystone's certificate and every login will fail.

On RedHat/CentOS based systems, copy /etc/keystone/ssl/certs/ca.pem to /etc/pki/ca-trust/source/anchors/pkb-ubuntu14-1.kube.com.crt and run update-ca-trust.

On Ubuntu based systems, copy /etc/keystone/ssl/certs/ca.pem to /usr/local/share/ca-certificates/pkb-ubuntu14-1.kube.com.crt and run update-ca-certificates.

Verifying the Setup

Using the keystone client:

# keystone --os-cacert /etc/keystone/ssl/certs/ca.pem --os-auth-url "https://pkb-ubuntu14-1.kube.com:5000/" --os-token "eb18653b1907c4c0e97f" --os-endpoint "https://pkb-ubuntu14-1.kube.com:35357/v2.0/" user-list

[Screenshot: samba-user]

Using curl (if the CA is not yet in the trust store of the machine you run this from, add --cacert /etc/keystone/ssl/certs/ca.pem rather than -k, which would skip certificate verification altogether):

# curl -d '{"auth":{"passwordCredentials":{"username": "pradipta", "password": "password"}}}' -H "Content-type: application/json" https://pkb-ubuntu14-1.kube.com:35357/v2.0/tokens -v

{"access": {"token": {"issued_at": "2016-08-12T11:51:33.568886Z", "expires": "2016-08-12T12:51:33Z", "id": "2d79785d44604b519e0f70b728a6b998", "audit_ids": ["5frFnm_uQ7SsnDtmkLt0yA"]}, "serviceCatalog": [], "user": {"username": "pradipta", "roles_links": [], "id": "pradipta", "roles": [], "name": "pradipta"}, "metadata": {"is_admin": 0, "roles": []}}}

Sample kubeconfig file to use with the AD/LDAP user. Note that the AD password is stored in clear text in this file, so keep it readable only by its owner:

apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR1VENDQXFHZ0F3SUJBZ0lKQUw4NFMxTGUwUTNjTUEwR0NTcUdTSWIzRFFFQkN3VUFNRUl4UURBK0JnTlYKQkFNVU56RTVNaTR4TmpndU1USXlMakUzTXl4SlVEb3hOekl1TVRZdU1DNHlMRWxRT2pFM01pNHhOaTQxT0M0dwpRREUwTmprNE9ERTFOelV3SGhjTk1UWXdOek13TVRJeU5qRTFXaGNOTWpZd056STRNVEl5TmpFMVdqQkNNVUF3ClBnWURWUVFERkRjeE9USXVNVFk0TGpFeU1pNHhOek1zU1ZBNk1UY3lMakUyTGpBdU1peEpVRG94TnpJdU1UWXUKTlRndU1FQXhORF
    server: https://pkb-rhel71-1.kube.com:443
  name: kube.cluster
contexts:
- context:
    cluster: kube.cluster
    namespace: pradipta
    user: pradipta
  name: pradipta-to-kube.cluster
users:
- name: pradipta
  user:
    username: pradipta
    password: password
current-context: pradipta-to-kube.cluster
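The kubeconfig above carries only a username and password, so kubectl sends them as an HTTP Basic Authorization header, and the API server's Keystone password authenticator checks them by asking Keystone for a token, which is the same request the curl call in the verification section makes by hand. The following is an added example, not code from the article or from the Kubernetes Keystone plugin: it models that round trip in Python, decoding the Basic header, building the v2.0 passwordCredentials request, sending it over TLS verified against the Keystone CA, and deriving the caller's identity from the reply while refusing a token that has already expired. The HTTP call is injected so the module runs offline against the token response captured in the article; KEYSTONE_URL and CA_FILE are the article's values, and the identity fields (name, uid) are this example's own naming.

```python
"""Model of the Basic-auth -> Keystone v2.0 token check behind the kubeconfig above.

Added example for this article, not Kubernetes' keystone authenticator. SAMPLE_RESPONSE
is the token reply captured in the article; KEYSTONE_URL and CA_FILE are its values.
"""
import base64
import datetime
import json
import ssl
import urllib.error
import urllib.request

KEYSTONE_URL = "https://pkb-ubuntu14-1.kube.com:35357"
CA_FILE = "/etc/keystone/ssl/certs/ca.pem"

SAMPLE_RESPONSE = {"access": {"token": {"issued_at": "2016-08-12T11:51:33.568886Z",
                                        "expires": "2016-08-12T12:51:33Z",
                                        "id": "2d79785d44604b519e0f70b728a6b998",
                                        "audit_ids": ["5frFnm_uQ7SsnDtmkLt0yA"]},
                              "serviceCatalog": [],
                              "user": {"username": "pradipta", "roles_links": [], "id": "pradipta",
                                       "roles": [], "name": "pradipta"},
                              "metadata": {"is_admin": 0, "roles": []}}}


def basic_auth_header(username, password):
    """What a kubeconfig username/password pair becomes on the wire."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header):
    """Decode an Authorization header; reject anything that is not well-formed Basic."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not an HTTP Basic header")
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed Basic credentials")
    username, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep or not username:
        raise ValueError("malformed Basic credentials")
    return username, password


def token_request(username, password):
    """Body of the v2.0 tokens call (the same JSON the article posts with curl)."""
    return {"auth": {"passwordCredentials": {"username": username, "password": password}}}


def https_post(url, payload, cafile=CA_FILE):
    """POST JSON over TLS verified against the Keystone CA; 401 means bad credentials."""
    context = ssl.create_default_context(cafile=cafile)  # never disable verification here
    request = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                     headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(request, context=context, timeout=10) as response:
            return json.load(response)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError("Keystone rejected the credentials")
        raise


def identity_from_response(body, now):
    """Extract the authenticated user, refusing a token that has already expired."""
    token = body["access"]["token"]
    expires = datetime.datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=datetime.timezone.utc)
    if expires <= now:
        raise PermissionError("token expired at %s" % token["expires"])
    user = body["access"]["user"]
    return {"name": user["username"], "uid": user["id"], "expires": expires}


def authenticate(header, post=https_post, keystone_url=KEYSTONE_URL, now=None):
    """Full check: Basic header in, identity out (or PermissionError / ValueError)."""
    username, password = parse_basic_auth(header)
    body = post(keystone_url.rstrip("/") + "/v2.0/tokens", token_request(username, password))
    now = now or datetime.datetime.now(datetime.timezone.utc)
    identity = identity_from_response(body, now)
    if identity["name"] != username:
        raise PermissionError("Keystone answered for a different user")
    return identity


def demo():
    """Offline run against the captured response, as if the clock read 12:00Z that day."""
    def fake_post(url, payload):
        assert url.endswith("/v2.0/tokens")
        return SAMPLE_RESPONSE
    clock = datetime.datetime(2016, 8, 12, 12, 0, tzinfo=datetime.timezone.utc)
    return authenticate(basic_auth_header("pradipta", "password"), post=fake_post, now=clock)


if __name__ == "__main__":
    print(demo())
```

With the real https_post the same authenticate call reaches the Keystone endpoint from the article; the CA pinning in ssl.create_default_context is what the system-wide trust step in the Kubernetes Config section provides for the API server, and the expiry check guards against replaying a cached token response.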

Pradipta Kumar Banerjee

I'm a Cloud and Linux/ OpenSource enthusiast, with 16 years of industry experience at IBM. You can find more details about me here - Linkedin
