novakov-alexey-zz / krb-operator

Kerberos Operator for Kubernetes & OpenShift

kdc kadmin keytabs principal kubernetes-operator kerberos openshift-operator

krb-operator's Introduction

[ARCHIVED] Kerberos Operator


This operator deploys KDC and Kadmin servers and creates principals and their keytabs as K8s Secrets. Developed using the Freya Scala library.

Operator use cases

Why use this Operator?

  • Your SPNEGO authentication requires a keytab mounted into a Pod: deploy this operator with the required principals and the keytabs are created automatically as Secrets

  • Rapid application development with a KDC running inside the K8s cluster: deploy this operator and use the automatically created Service to reach the KDC or Kadmin servers

  • Principal and keytab management using K8s custom resources: deploy this operator and list the required principals, with predefined or random passwords, in a Principals resource

How to install

Prerequisites

Installation Steps

Define namespace as environment variable:

export NAMESPACE=<put desired namespace>

On Kubernetes

# install RBAC
wget -O- -q https://raw.githubusercontent.com/novakov-alexey/krb-operator/master/manifest/rbac.dhall | \
    dhall-to-yaml | kubectl create -n ${NAMESPACE} -f -

# install operator
wget -O- -q https://raw.githubusercontent.com/novakov-alexey/krb-operator/master/manifest/kube-deployment.dhall | \
    dhall-to-yaml | kubectl create -n ${NAMESPACE} -f -

Alternatively, clone this repository and run make install in its root folder. Run make uninstall to remove the Kerberos Operator. For OpenShift use make install-os and make uninstall-os. In either case, review the YAML that dhall-to-yaml produces before applying it: the RBAC manifest grants the operator the permissions it needs to manage Deployments, Services and Secrets, and pulling it from the master branch means you get whatever is there at that moment rather than a reviewed version.

On OpenShift

# install RBAC
wget -O- -q https://raw.githubusercontent.com/novakov-alexey/krb-operator/master/manifest/rbac.dhall | \
    dhall-to-yaml | oc create -n ${NAMESPACE} -f -

# install operator
wget -O- -q https://raw.githubusercontent.com/novakov-alexey/krb-operator/master/manifest/openshift-deployment.dhall | \
    dhall-to-yaml | oc create -n ${NAMESPACE} -f -    

Deploy Specific Operator Version

In order to deploy a specific version, clone above manifest files and change the image tag in the krb-operator container. For example:

-image: alexeyn/kerberos-operator:0.4.10
+image: alexeyn/kerberos-operator:0.4.11

How to uninstall

wget -O- -q https://raw.githubusercontent.com/novakov-alexey/krb-operator/master/manifest/rbac.dhall | \
    NAMESPACE=${NAMESPACE} dhall-to-yaml | kubectl delete -n ${NAMESPACE} -f -

wget -O- -q https://raw.githubusercontent.com/novakov-alexey/krb-operator/master/manifest/kube-deployment.dhall | \
    NAMESPACE=${NAMESPACE} dhall-to-yaml | kubectl delete -n ${NAMESPACE} -f -

kubectl delete crd krbservers.krb-operator.novakov-alexey.github.io
kubectl delete crd principalss.krb-operator.novakov-alexey.github.io

Custom Resource Definitions

KrbServer

The resource below creates:

  • KDC and Kadmin servers as two separate containers in a single Pod

apiVersion: krb-operator.novakov-alexey.github.io/v1
kind: KrbServer
metadata:
  name: my-krb
  namespace: test
spec:
  realm: EXAMPLE.COM

KrbServer Spec

realm - Kerberos realm in which all principals will be created

PrincipalList

The resource below creates:

  • Principals and their keytabs based on the principal list

apiVersion: krb-operator.novakov-alexey.github.io/v1
kind: Principals
metadata:
  name: my-krb1
  namespace: test
  labels:
    krb-operator.novakov-alexey.github.io/server: my-krb # reference to KrbServer
spec:
  list:
    - name: client1
      password:
        type: static
        value: mypass
      keytab: cluster.keytab
      secret:
        type: Keytab
        name: cluster-keytab
    - name: user2
      keytab: cluster.keytab
      secret:
        type: KeytabAndPassword
        name: cluster-keytab

PrincipalList Spec

  • list - array of principals

Each principal has the following properties:

  • name - principal name without the realm. The realm is appended automatically from the spec.realm value of the KrbServer referenced by the label

  • password - a property with two types:

    static: the password is taken from the value field. Note that a static value sits in plaintext in the custom resource, i.e. in etcd and in any repository holding the manifest.

    random: the operator generates a random password; no value field is needed.

    If the password property is missing, random is used.

  • keytab - the key under which the keytab is stored in the Secret. A Secret can hold more than one data key, i.e. more than one keytab file

  • secret - a property with two types:

    Keytab - store the keytab in a K8s Secret; name is the Secret name.

    KeytabAndPassword - store the keytab together with a separate password entry in a K8s Secret; name is the Secret name and the principal's name is the data key holding its password

    name - the K8s Secret name. Every principal in the array can have its own secret name, in which case multiple Secrets are created

Kubernetes objects

If you apply the above two custom resources as is, the following objects are produced in metadata.namespace, i.e. the test namespace:

Secret

Containing Kerberos keytab as secret data:

kubectl describe secret cluster-keytab  -n test
Name:         cluster-keytab
Namespace:    test
Labels:       app=krb
Annotations:  <none>

Type:  opaque

Data
====
cluster.keytab:  274 bytes
user2:           10 bytes

The secret.name value can differ per principal in the Principals spec, in which case the Kerberos Operator creates multiple Secrets.
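As an added example (not the operator's own code), the following Python script checks that the Secret produced for a Principals resource actually contains what the spec above promises: a keytab entry for every listed principal in the referenced realm and, for KeytabAndPassword, a password key named after the principal. It also flags static passwords, which are stored in plaintext in the resource. The keytab parser follows the MIT keytab file format (version 0x0502). The Principals object and the Secret are constructed inline in the shape that kubectl get ... -o json returns, with all-zero dummy keys, and the realm is assumed to be EXAMPLE.COM from the KrbServer example; none of these sample objects come from a real cluster.

```python
import base64
import struct

REALM = "EXAMPLE.COM"  # assumed: spec.realm of the referenced KrbServer (my-krb)

# --- MIT keytab file format, version 0x0502, all integers big-endian --------

def _octets(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def _read_octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    """Encode [(principal, kvno, enctype, key)] as a keytab; stand-in for the
    file the operator exports from kadmin (keys here are dummies)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _octets(key)  # keyblock
        body += struct.pack(">I", kvno)                    # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body         # entry length prefix
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative length marks a deleted entry: skip the hole
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen        # skip the header fields and the key bytes themselves
        if end - pos >= 4:      # 32-bit vno present; it wins when non-zero (MIT rule)
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries

# --- the audit: Principals spec vs. the Secret(s) the operator created ------

def audit(principals_cr, secrets, realm=REALM):
    """secrets: {Secret name: Secret object as returned by kubectl -o json}.
    Returns findings; an empty list means the Secret data matches the spec."""
    findings = []
    for p in principals_cr["spec"]["list"]:
        name, sec = p["name"], p["secret"]
        if p.get("password", {"type": "random"}).get("type") == "static":
            findings.append(f"{name}: static password in the resource (plaintext in etcd and git)")
        secret = secrets.get(sec["name"])
        if secret is None:
            findings.append(f"{name}: Secret {sec['name']} not found")
            continue
        data = secret.get("data", {})
        if p["keytab"] not in data:
            findings.append(f"{name}: key {p['keytab']} missing from Secret {sec['name']}")
        elif not any(e[0] == f"{name}@{realm}"
                     for e in parse_keytab(base64.b64decode(data[p["keytab"]]))):
            findings.append(f"{name}@{realm}: no entry in {sec['name']}/{p['keytab']}")
        if sec["type"] == "KeytabAndPassword" and name not in data:
            findings.append(f"{name}: password key missing from Secret {sec['name']}")
    return findings

# --- constructed sample objects matching the README's Principals example ----

PRINCIPALS_CR = {
    "apiVersion": "krb-operator.novakov-alexey.github.io/v1", "kind": "Principals",
    "metadata": {"name": "my-krb1", "namespace": "test",
                 "labels": {"krb-operator.novakov-alexey.github.io/server": "my-krb"}},
    "spec": {"list": [
        {"name": "client1", "password": {"type": "static", "value": "mypass"},
         "keytab": "cluster.keytab", "secret": {"type": "Keytab", "name": "cluster-keytab"}},
        {"name": "user2", "keytab": "cluster.keytab",
         "secret": {"type": "KeytabAndPassword", "name": "cluster-keytab"}}]}}

def sample_secret(principals=("client1", "user2"), password_key="user2"):
    """Constructed cluster-keytab Secret: aes256-cts (enctype 18) entries with
    all-zero dummy keys, plus an optional password entry for user2."""
    keytab = build_keytab([(f"{n}@{REALM}", 1, 18, bytes(32)) for n in principals])
    data = {"cluster.keytab": base64.b64encode(keytab).decode()}
    if password_key:
        data[password_key] = base64.b64encode(b"hunter2xyz").decode()  # constructed value
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "cluster-keytab", "namespace": "test"}, "data": data}

if __name__ == "__main__":
    print(audit(PRINCIPALS_CR, {"cluster-keytab": sample_secret()}) or "ok")
```

Against a live cluster, feed audit() the output of kubectl get principals/my-krb1 -n test -o json and kubectl get secret/cluster-keytab -n test -o json parsed with json.load; on the README's own example the only finding is client1's static password, which is the expected result.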

Service

A Service for KDC, kadmin, kpasswd with their TCP/UDP ports:

my-krb   ClusterIP   172.30.37.134  <none>  88/TCP,88/UDP,464/UDP,749/UDP,749/TCP

Pod

The Krb Pod running the KDC, kadmin and kpasswd servers has two containers:

kubectl get pod my-krb-1-gk52x -n test

NAME             READY   STATUS    RESTARTS   AGE
my-krb-1-gk52x   2/2     Running   0          24m

The Krb Pod is managed by a Deployment resource:

NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/my-krb   1/1     1            1           26s

Create or Update resource

Examples:

kubectl create -f examples/my-krb-1.yaml
# or
kubectl apply -f examples/my-krb-1.yaml

Create and update events are handled in the same way. They create:

  • Deployment, Service and Pod, if any of them is missing

  • a Kerberos principal, if the Secret named in its spec.list[i].secret does not exist yet. Changes to values other than secret are ignored (current limitation). To add a new principal, add an entry with a new, not yet existing secret name and the desired principal name; otherwise delete the Principals resource and create a new one with the desired principals.

Delete resource

A delete event deletes all objects created by the create or apply events: Deployment, Service, Pod and Secret(s)

kubectl delete -f examples/my-krb-1.yaml

Build locally

sbt docker:publishLocal

Then reference your built image for the krb-operator container in the manifest/*-deployment.dhall file.


krb-operator's Issues

Cannot create secret from principals

Hi, when I use this operator, there are two problems.

  1. PrincipalController watches pods by principal name, not by labels.

  2. In the krbServer container, the realm address is set to the KrbServer name.

I changed this

[realms]
EXAMPLE.COM = {
   kdc = my-krb
   admin_server = my-krb
   kpasswd_server = my-krb
}

to

[realms]
EXAMPLE.COM = {
   kdc = localhost:8888
   admin_server = localhost:8749
   kpasswd_server = localhost:8464
}

by referring to the service port, and it's working.

Are there any additional options that need to be set apart from the README description?
