当前位置:网站首页>Rancher2.6 monitoring grafana docking LDAP

Rancher2.6 monitoring grafana docking LDAP

2022-07-28 00:54:00 InfoQ

Author's brief introduction
Xie Zeqin ,SUSE Rancher  Technical support engineer , Be responsible for customer maintenance and after-sales technical support services , Provide relevant technical solutions . Have  CKA、CKS  The official certification , Years of experience in Cloud Computing , Experienced from  OpenStack  To  Kubernetes  Technological change of , For the underlying operating system 、KVM  Virtualization and  Docker  Container and other related cloud native technologies have rich practical experience .

Rancher Monitoring  Introduce

stay  Rancher  On the management platform , We can work very smoothly in any support management  Kubernetes  Enable... On the cluster  Rancher Monitoring, Realize the monitoring alarm function .Rancher Monitoring  By default  Prometheus  To provide monitoring of relevant systems and application services , And pass  Grafana  The instrument panel visualization tool of... Is used for data statistics, monitoring and display .

reflection

By default ,Rancher  No access to  Grafana  There are too many restrictions on users , We can use  Anonymous  Users to see  Rancher  Any default dashboard display interface deployed . But more often , We need to pass  Grafana  To develop custom dashboards , here  Anonymous  User  ReadOnly  Permission cannot meet our needs , But logging in  admin  Users will be right again  Grafana  Cause certain potential safety hazards . At this time, such a user management system is needed to manage  Grafana  Users of , Restrict and control the access of users .

Although we can use  Grafana  The built-in user management list is used to manage the access rights of users , But this requires an additional set of user lists . that , Can we directly connect with the internal  LDAP System , So as to reduce the cost of maintaining users ?

The answer is yes . from  Rancher2.5  Version start , The monitoring architecture has been adjusted , Allow users to customize the configuration of more related components . This article will introduce you to  Rancher2.6  On , How to configure  Rancher Monitoring  To carry out  Grafana  docking  LDAP  authentication .

precondition

  • Rancher:2.6.4
  • k8s:1.20.11
  • monitoring:100.1.2+up19.0.3
  • OpenLDAP:1.5.0

Detailed operation

Grafana  docking  LDAP

edit  Monitoring Yaml  To configure  LDAP
  • visit  Rancher explorer UI, Get into  Apps & Marketplace, choice  Monitoring, Select... In the configuration options  Edit YAML:

null
rancher-1

  • Turn on  LDAP  Authentication configuration

stay
grafana.grafana.ini
The following is added under the level
auth.ldap
Configuration information on  LDAP:

grafana:
 grafana.ini:
 auth.ldap:
 allow_sign_up: true
 config_file: /etc/grafana/ldap.toml
 enabled: true

null
rancher-2

3. stay
grafana
Under the hierarchy , add to  LDAP  Certification parameters

grafana:
 ldap:
 config: |
 [[servers]]
 host = "test.zerchin.xyz" 
 port = 389
 use_ssl = false
 start_tls = false
 ssl_skip_verify = true
 bind_dn = "cn=admin,dc=rancherldap,dc=com"
 bind_password = 'Rancher123'
 search_filter = "(cn=%s)"
 search_base_dns = ["cn=group,ou=rancher,dc=rancherldap,dc=com"]
 [servers.attributes]
 name = "givenName"
 surname = "sn"
 username = "cn"
 member_of = "memberOf"
 email = "email"
 enabled: true

Parameter description

host
:LDAP  Server address (IP/Domain, Specify multiple address spaces to separate ).
port
:LDAP  port , The default is  389, If  use_ssl=true  It is  636.
use_ssl
: Whether to use encryption  TLS  Connect .
start_tls
:STARTTLS  It is an extension of plaintext communication protocol , It can make the plaintext communication connection directly become the encrypted connection ( Use  SSL/TLS  encryption ), Instead of using another special port for encrypted communication .
ssl_skip_verify
: Do you want to skip  SSL  Certificate validation .
bind_dn
:LDAP  Service account user name .
bind_password
: password ( If the password contains #, You need to use three parentheses , for example :"""#password;""").
search_filter
: User query filter field , for example
"(cn=%s)"
 、
"(sAMAccountName=%s)"
 、 
"(uid=%s)"
.
search_base_dns
: User search starting point .

  • Start monitoring after configuration .

Wait for the monitoring to start successfully , open  Grafana UI  Interface , The default account password is :admin/prom-operator

null
grafanar-1
LDAP  verification
After login , Left entry  Server Admin - LDAP, stay  LDAP Connection  You can see the connected host .

stay  Test user mapping  Next , Search for existing  LDAP  user , User information can be found .

null
grafana-2

And you can use  LDAP  User login access  Grafana UI  Interface .

null
grafana-3

Grafana  be based on  SSL  docking  LDAP

The above method is connected  LDAP  Of  389  port , We can use this port to  LDAP  Connect .

But this port is an unsecured and unencrypted connection , Easy to cause security problems , Expose user related information , General advice 389 The port is only used in intranet or test environment .

For the environment with high safety requirements , We can use  LDAP  the other one  SSL  Encrypt the port to connect LDAP  service :636  port .
Create certificate  secret
stay
cattle-monitoring-system
Under the namespace , A new one named
certs
Of secret, among
ca.pem
write in  CA  certificate ,
tls.crt
write in  LDAP  Server certificate ,
tls.key
write in  LDAP  Server certificate secret key .

null
secret-1

You can also import relevant certificates from the command line :

kubectl create secret generic certs -n cattle-monitoring-system --from-file=ca.pem --from-file=tls.crt --from-file=tls.key
LDAP SSL  Authentication configuration
edit  Monitoring yaml  To configure

  • stay
    grafana
    Under the hierarchy , add to
    extraSecretMounts
    mount  secret  certificate :

grafana:
 extraSecretMounts:
 - defaultMode: 440
 mountPath: /opt/certs
 name: certs
 readOnly: true
 secretName: certs

  • LDAP  Turn on  SSL  authentication :

grafana:
 ldap:
 config: |
 [[servers]] 
 host = "test.zerchin.xyz" 
 port = 636 
 use_ssl = true
 start_tls = false 
 ssl_skip_verify = false
 root_ca_cert = "/opt/certs/ca.pem"
 client_cert = "/opt/certs/tls.crt"
 client_key = "/opt/certs/tls.key"
 bind_dn = "cn=admin,dc=rancherldap,dc=com"
 bind_password = 'Rancher123' 
 search_filter = "(cn=%s)" 
 search_base_dns = ["cn=group,ou=rancher,dc=rancherldap,dc=com"] 
 [servers.attributes] 
 name = "givenName" 
 surname = "sn" 
 username = "cn" 
 member_of = "memberOf" 
 email = "email"
 enabled: true

  • port
    Set to  636 SSL  Encryption port
  • use_ssl
    Set to  true,
    ssl_skip_verify
    Set to  false, Turn on  SSL  authentication
  • root_ca_cert
    client_cert
    client_key
    Configure certificate path

  • Start monitoring after configuration .
LDAP SSL  verification
Sign in  Grafana, Left entry  Server Admin - LDAP, stay  LDAP Connection  You can see , It's connected  636 SSL  Encryption port .

And in Test user mapping Next , Search for existing LDAP user , User information can be found .

null
grafana-ssl-1

Try to use  LDAP  The user login , You can log in and view data normally .

null
grafana-ssl-2

summary

Through the above configuration , We can smoothly connect with the internal  LDAP  As  Grafana  User management system , Thus, the existing user management system can be directly used for unified user management and authority authentication . Of course, we can also connect with other user management systems , for example  okta、saml、github、basic  wait , We can refer to according to specific needs  Grafana  The official documents can be configured .

Grafana  Configure the reference :https://grafana.com/docs/grafana/next/setup-grafana/configure-security/configure-authentication/ldap/
原网站

版权声明
本文为[InfoQ]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/197/202207141208240692.html

边栏推荐

猜你喜欢

随机推荐