ocp azure sso
wangzheng422 committed Dec 19, 2024
1 parent eb04a9a commit 93464aa
Showing 8 changed files with 179 additions and 8 deletions.
187 changes: 179 additions & 8 deletions redhat/ocp4/4.16/2024.12.azure.sso.md
@@ -1,9 +1,6 @@
# openshift 4.16 integration with Azure SSO

- https://cloud.redhat.com/experts/idp/entra-id-with-group-names/


- https://vmware.fqdn.nl/2023/05/10/openshift-oauth-with-azure-idp/
OpenShift support integration with Azure SSO through OpenID. In this article, we will show you how to integrate OpenShift 4.16 with Azure SSO.

# azure portal setting

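Review bot: the rewritten intro line `OpenShift support integration with Azure SSO through OpenID.` has a grammar slip and is vaguer than the text it replaces; suggest `OpenShift supports integration with Azure SSO through its OpenID (OIDC) identity provider`, and name the IdP as Microsoft Entra ID (formerly Azure AD), which is what the removed `entra-id-with-group-names` reference is about. Dropping both reference links from the intro is only acceptable because they reappear in the new `# end` section further down this file; keeping at least the first one here would tell readers up front that a `groups` claim mapping exists as an alternative to the operator-based sync described later.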
Expand Down Expand Up @@ -68,6 +65,18 @@ We also create some groups and add some users to the groups.
- L3Support(group)
- l3.u01(user)
- l3.u02(user)
- RetalixSupport(group)
- ret.u01(user)
- ret.u02(user)
- POSIMViewer(group)
- pos.v01(user)
- pos.v02(user)
- POSIMSupport(group)
- pos.s01(user)
- pos.s02(user)
- POSIMAdmin(group)
- pos.a01(user)
- pos.a02(user)

![](imgs/2024.12.azure.sso.md/2024-12-19-19-50-46.png)

Expand Down Expand Up @@ -108,6 +117,9 @@ oc delete identity <user-identity>

# openshift group sync

OpenShift SSO integration with azure will create user in openshift during the first login. But the group information will not be synced. We need to use `Group Sync Operator` to sync the group information.

Reference:
- https://cloud.redhat.com/experts/idp/az-ad-grp-sync/

In operator hub, search `group` and install the `Group Sync Operator`.
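Review bot: `But the group information will not be synced.` overstates the limitation: the OpenShift OpenID identity provider can map a `groups` claim from the token (the `entra-id-with-group-names` reference on this page covers that), so give the real reason for using the operator, namely that groups should exist and be bound to roles before a user's first login, and that membership should be reconciled on a schedule instead of only when a user logs in. Grammar: `will create user in openshift` should read `creates a user in OpenShift`.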
Expand All @@ -128,7 +140,7 @@ oc create secret generic azure-group-sync -n group-sync-operator \

```

Create a `GroupSync` object in openshift, with the example config.
Create a `GroupSync` object in openshift, with the example config below.

![](imgs/2024.12.azure.sso.md/2024-12-19-17-50-52.png)

Expand All @@ -146,22 +158,181 @@ spec:
name: azure-group-sync
namespace: group-sync-operator
groups:
- L1support
- L2support
- L3support
- L1support
- L2support
- L3support
- RetalixSupport
- POSIMViewer
- POSIMSupport
- POSIMAdmin
prune: false
schedule: '* * * * *'
```
# openshift role and rolebinding
Now, user can login, and group information is synced. We need to create role and rolebinding for the groups. So after user login, it has the correct permission.
Now, we create role for different groups. Below is an example for the roles. You can create your own roles based on your requirement.
```bash
# create namespace for demo
oc create ns retalix

oc create ns posim

# define the roles, change the rules based on your requirement
cat << EOF > ${BASE_DIR}/data/install/demo.role.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: l1-support-role
rules:
- apiGroups: [""]
resources: ["pods", "services", "events", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: l2-support-role
rules:
- apiGroups: [""]
resources: ["pods", "services", "events", "namespaces", "configmaps", "endpoints"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["pods/log", "pods/exec"]
verbs: ["get", "list", "create"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: l3-support-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods/exec", "pods/log"]
verbs: ["create", "get", "list"]
- apiGroups: ["security.openshift.io"]
resources: ["securitycontextconstraints"]
verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: retalix-support-role
namespace: retalix
rules:
- apiGroups: [""]
resources: ["pods", "pods/log", "pods/exec", "services", "endpoints", "persistentvolumeclaims", "configmaps", "secrets", "events", "namespaces"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["route.openshift.io"]
resources: ["routes"]
verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: posim-viewer-role
namespace: posim
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: posim-support-role
namespace: posim
rules:
- apiGroups: [""]
resources: ["pods", "pods/log", "pods/exec", "services", "endpoints", "configmaps", "events", "namespaces"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "statefulsets"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "create"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: posim-admin-role
namespace: posim
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
EOF

oc apply -f ${BASE_DIR}/data/install/demo.role.yaml

# oc delete -f ${BASE_DIR}/data/install/demo.role.yaml

```

Apply the role to groups with rolebinding. First, select a group.

![](imgs/2024.12.azure.sso.md/2024-12-19-21-35-50.png)

Switch to rolebinding view, and create a rolebinding for the group.

![](imgs/2024.12.azure.sso.md/2024-12-19-21-38-43.png)

We want to define cluster role binding for the group. So we select `ClusterRoleBinding` in the `RoleBinding` page. Give it a name, and select the role we created before.

![](imgs/2024.12.azure.sso.md/2024-12-19-21-39-48.png)

If you want to add a namespaced role to another group. Select `RoleBinding` in the `RoleBinding` page. Give it a name, find the namespace, and select the role we created before.

![](imgs/2024.12.azure.sso.md/2024-12-19-21-44-47.png)

# test with login

First, we try to login as `l1.u01` user, which is in `L1Support` group.

![](imgs/2024.12.azure.sso.md/2024-12-19-21-46-51.png)

Login with `l1.u01` user's `user principal name` and password. You can see the web console.

![](imgs/2024.12.azure.sso.md/2024-12-19-21-48-51.png)

If you try to login as `ret.u01` user, which is in `RetalixSupport` group, you can see the web console.

![](imgs/2024.12.azure.sso.md/2024-12-19-22-12-30.png)

# end

- https://cloud.redhat.com/experts/idp/entra-id-with-group-names/

- https://vmware.fqdn.nl/2023/05/10/openshift-oauth-with-azure-idp/

```bash
oc get pod -n openshift-authentication
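Review bot: `l2-support-role` grants `resources: ["pods/log", "pods/exec"]` with `verbs: ["get", "list", "create"]` in a ClusterRole, and `l3-support-role` grants `get/list/watch/create/update/patch/delete` on `apiGroups: ["*"]`/`resources: ["*"]`; bound through the ClusterRoleBinding described in the text, both reach pods and secrets in `openshift-*` and `kube-system`, so an L2 or L3 user can exec into or read the token of a privileged service account and is cluster-admin in practice. Either bind these ClusterRoles with namespaced RoleBindings in the application namespaces, or drop `pods/exec` (and, for L3, `secrets` and the `delete` verb) from the cluster-wide rules; the second and third rules of `l3-support-role` are already covered by its first rule and can be removed. `posim-admin-role` with `*`/`*`/`*` and `posim-viewer-role` with `*`/`*`/`get,list,watch` duplicate the built-in `admin` and `view` ClusterRoles, which a RoleBinding in `posim` can reference directly. Two GroupSync points worth a sentence in the doc: `schedule: '* * * * *'` queries Microsoft Graph every minute, more than a demo needs and enough to invite throttling, so a longer interval such as every 15 minutes is a safer default; and with `prune: false` a group deleted in Entra ID keeps existing in OpenShift together with its members and RoleBindings, so say whether that is intended.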

