Configure LDAP/AD


If your enterprise uses LDAP/AD for user authentication, you can integrate it with the KubeSphere built-in OpenLDAP so that users are authenticated against it when logging in to the KubeSphere console.

This tutorial demonstrates how to configure AD accounts; the same steps work for LDAP.

Note: This process is configured with a script. KubeSphere plans to provide a UI for configuring LDAP/AD in v3.0.

Inspect Active Directory

Connect to Windows Server 2016, open the Active Directory administration tools, and obtain the managerDN (this can be a read-only account).

Create and Edit Script

Connect to the KubeSphere server over SSH, create a script named inject-ks-account.sh, and replace the values of the keys host, managerDN, managerPWD and userSearchBase with the actual values for your AD server.

#!/bin/bash
set -e
host="139.198.111.111:30222" # Replace its value with your AD server IP and port
managerDN="cn=Administrator,cn=Users,dc=kubesphere,dc=com" # Replace its value with your AD Administrator account. It could be read-only.
managerPWD="123456789" # Replace with the Administrator's password
userSearchBase="cn=Users,dc=kubesphere,dc=com" # Depends on your AD configuration
sidecar="kubespheredev/ad-sidecar:v0.0.1"

# Render the sync configuration as a ConfigMap. src is your AD server;
# dst is the built-in OpenLDAP that the KubeSphere console authenticates against.
generate_config() {
cat << EOF
apiVersion: v1
data:
  sync.yaml: |
    sync:
      interval: "300s"
      src:
        host: "${host}"
        managerDN: "${managerDN}"
        managerPWD: "${managerPWD}"
        userSearchBase: "${userSearchBase}"
        usernameAttribute: "sAMAccountName"
        descriptionAttribute: "description"
        mailAttribute: "mail"
      dst:
        host: "openldap.kubesphere-system.svc:389"
        managerDN: "cn=admin,dc=kubesphere,dc=io"
        managerPWD: "admin"
        userSearchBase: "ou=Users,dc=kubesphere,dc=io"
kind: ConfigMap
metadata:
  name: ad-sync-config
  namespace: kubesphere-system
EOF
}

# apply sync config
generate_config | kubectl apply -f -

# inject sidecar: mount the ConfigMap into ks-account and add the ad-sidecar
# container, which listens on port 19090
kubectl -n kubesphere-system get deploy ks-account -o json \
  | jq '.spec.template.spec.volumes += [{"configMap":{"name":"ad-sync-config"},"name":"ad-sync-config"}]' \
  | jq '.spec.template.spec.containers += [{"command":["ad-sidecar","--logtostderr=true","--v=2"],"image":"'"${sidecar}"'","imagePullPolicy":"IfNotPresent","name":"ad-sidecar","ports":[{"containerPort":19090,"protocol":"TCP"}],"volumeMounts":[{"mountPath":"/etc/kubesphere/sync.yaml","name":"ad-sync-config","subPath":"sync.yaml"}]}]' \
  | kubectl apply -f -

# use proxy port: point the ks-account Service at the sidecar
kubectl -n kubesphere-system get svc ks-account -o json \
  | jq '.spec.ports[0].targetPort=19090' \
  | kubectl apply -f -
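Before running inject-ks-account.sh it is worth checking that the sync.yaml the script renders no longer carries the template values and that its src section is complete, because once applied the ConfigMap is what the sidecar binds to AD with. The following pre-flight check is an added example, not code from the KubeSphere docs or the ad-sidecar project: it inspects the YAML text with sed and never contacts the AD server or the cluster. Both embedded configs are constructed; one is the page's template unchanged, the other has a hypothetical AD host (ad01.corp.example:636) and password substituted in.

```shell
#!/bin/bash
# Pre-flight check for the sync.yaml rendered by inject-ks-account.sh.
# Added example, not part of the KubeSphere docs or the ad-sidecar project.
# It only reads the YAML text; it does not talk to AD or to the cluster.

# Constructed sample: the docs' template with its placeholder values still in place.
UNEDITED_CFG='sync:
  interval: "300s"
  src:
    host: "139.198.111.111:30222"
    managerDN: "cn=Administrator,cn=Users,dc=kubesphere,dc=com"
    managerPWD: "123456789"
    userSearchBase: "cn=Users,dc=kubesphere,dc=com"
    usernameAttribute: "sAMAccountName"
    descriptionAttribute: "description"
    mailAttribute: "mail"
  dst:
    host: "openldap.kubesphere-system.svc:389"
    managerDN: "cn=admin,dc=kubesphere,dc=io"
    managerPWD: "admin"
    userSearchBase: "ou=Users,dc=kubesphere,dc=io"'

# Constructed sample: the same template after site-specific values were filled in
# (hypothetical AD host and bind password).
EDITED_CFG=$(printf '%s\n' "$UNEDITED_CFG" \
  | sed -e 's/139\.198\.111\.111:30222/ad01.corp.example:636/' \
        -e 's/"123456789"/"s3cr3t-sync-pass"/')

# src_value KEY CFG: the quoted value of KEY inside the two-space-indented
# "src:" block (the lines between "  src:" and "  dst:").
src_value() {
  printf '%s\n' "$2" \
    | sed -n '/^  src:/,/^  dst:/p' \
    | sed -n 's/^[[:space:]]*'"$1"':[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# check_sync_config CFG: prints one finding per line on stderr and echoes the
# number of findings on stdout (0 means the config looks ready to apply).
check_sync_config() {
  local cfg="$1" n=0 key val
  # every key the sidecar needs to bind and search must be present as a quoted string
  for key in host managerDN managerPWD userSearchBase usernameAttribute; do
    if [ -z "$(src_value "$key" "$cfg")" ]; then
      echo "src.$key is missing or not a quoted string" >&2; n=$((n+1))
    fi
  done
  # host must be replaced and carry an explicit :port
  val=$(src_value host "$cfg")
  case "$val" in
    139.198.111.111:30222) echo "src.host still has the docs' placeholder" >&2; n=$((n+1)) ;;
    *:[0-9]*) ;;
    *) echo "src.host '$val' has no :port" >&2; n=$((n+1)) ;;
  esac
  # bind password must be replaced
  val=$(src_value managerPWD "$cfg")
  case "$val" in
    123456789) echo "src.managerPWD still has the docs' placeholder" >&2; n=$((n+1)) ;;
  esac
  # DN fields must start with a DN component
  for key in managerDN userSearchBase; do
    val=$(src_value "$key" "$cfg")
    case "$val" in
      [cC][nN]=*|[oO][uU]=*|[dD][cC]=*) ;;
      *) echo "src.$key '$val' does not look like a DN" >&2; n=$((n+1)) ;;
    esac
  done
  # interval must be a duration in seconds, as in the template
  val=$(printf '%s\n' "$cfg" \
    | sed -n 's/^[[:space:]]*interval:[[:space:]]*"\([0-9][0-9]*s\)"[[:space:]]*$/\1/p')
  [ -n "$val" ] || { echo "sync.interval must look like \"300s\"" >&2; n=$((n+1)); }
  echo "$n"
}

echo "findings in unedited template: $(check_sync_config "$UNEDITED_CFG")"
echo "findings in edited config:     $(check_sync_config "$EDITED_CFG")"
```

Pass the dedented text of the sync.yaml block (the part under data.sync.yaml in the rendered ConfigMap) as the argument. Keep in mind that this ConfigMap stores the AD bind password in clear text, readable by anyone who can read ConfigMaps in kubesphere-system, which is why the page recommends a read-only account for managerDN.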

Run and Verify

After you have created the script, run inject-ks-account.sh to configure the AD accounts.

Please note that this script restarts the ks-account Pod, so your account might not be available for a few minutes. Once the ks-account Pod is running again, you can log in to KubeSphere to check the accounts read from the AD server.

At this point, you need to use the cluster admin account to assign roles to the AD users. After the roles have been assigned, these AD accounts are ready to use in KubeSphere.