Skip to main content

OPENSHIFT/K8S: Enable HTPasswd Authentication for your Openshift Cluster

 Openshift provides different kind of authentication mechanisms for authentication. Openshift comes with a default kubeadmin user as a factory default. In addition to default admin, in real world you want different users with different permission levels to separate roles. 


You can use Ldap, Github or Github Enterprise, Keystone Server, OpenID Connect or HTPasswd authentication. All these methods are named as Identity providers.All methods are external solutions or requires additional servers/services to deploy to authenticate except HTPasswd authentication.

HTPasswd authentication  consist of simple and locally managed password files. Simply, you define usernames and equivalent password for them. htpasswd file contains a list of users and their secrets. HTPasswd files keeps users password encrypted by several encryption algorithms like, MD5(default), SHA1, SHA256 and Bcrypt (Most secure for htpasswd.)

Screenshot 1- A simple and sample htpasswd file

A simple htpasswd file is similar to above screenshot. You need to manually edit file with the htpasswd command. Manual intervention is dangerous and you possibly break authentication in case of any editing. 

You  use htpasswd authentication for test,poc installations or in small teams. In case of having large teams or enterprises, htpasswd is not suitable, due to nature of the difficulties of htpasswd auth. But, in any case, you can create and keep several user in htpasswd file and integrate it in Openshift can be advantageous before you lost your primary authentication mechanism(s). It can save the day!

 

At first login to your Openshift as a privilaged user, like kubeadmin. After login I'm going to create two user account with htpasswd command : 


[student@workstation ~]$ htpasswd -c -B -b htpasswd \
>    admin My$ecretP@$$
Adding password for user admin

If I expand the above command set, 

-c parameter creates the htpasswd file. I defined the name in the end of the first line as htpasswd.You need to use it in first time. If you just want to edit and manipulate file, don't use -c parameter.

-B : Enables bCrypt encrytion. It's the most secure algorithm provided with htpasswd.But it's nor mandatory. If you don't use the -B parameter, your htpasswd file <password content> is secured by md5 and its a weaker algorithm.

-b : Do not prompt for password switch. If you don't use this switch, after you run command you should define a password. Id you use it, you must define a secret(password) after the username.

admin: Name of your user that you creating.

My$ecretP@$$ : As you guess, it's password of the admin.

I'm gonna create an additional user named developer to my existing htpasswd file:

[student@workstation ~]$ htpasswd -b htpasswd \
>    developer D3v3!0p3r
Adding password for user developer

 

As you see, I hadn't use -B and -c parameters, because I defined filename and encryption while creating my file. So I don't need them.


After all, we have a htpasswd file and two users with passwords.To use them in Openshift, you need to import it's configuration to openshift. Also you need to enable the HTPasswd authentication mechanism. Let's dive in and look for how to do this.

At first you must create a secret to define the htpasswd file. Just run :

[student@workstation ~]$ oc create secret generic localusers \
>    --from-file htpasswd=/home/student/htpasswd \
>    -n openshift-config
secret/localusers created

By running this command, you will create a secret named localuser in the openshift-config namespace. By running the oc get secret -n openshift-config

command, you will see your secret.



Then I'm gonna give my admin user to cluster-admin role to manage my Openshift cluster : 

[student@workstation ~]$ oc adm policy add-cluster-role-to-user \
>    cluster-admin admin
clusterrole.rbac.authorization.k8s.io/cluster-admin added: "admin"

Until this point, we created and imported, even gave permission to one of them. But still HTPasswd authentication is not enabled.

First, export your current oauth configuration to a file : 

oc get oauth cluster \
>    -o yaml > ~/oauth.yaml
 
Then, edit the section of the  oauth.yaml file as shown below :

spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: localusers
    mappingMethod: claim
    name: myusers
    type: HTPasswd

Be careful the bold lines. localusers name comes from our secret that created previously. HTPasswd is the method that we currently configure.  You can free to change myusers name as your desire but mappingMethod must be stay as claim.


The last configuration part of the task is activating oauth configuration with our configured oauth.yaml file. Simply run 
[student@workstation ~]$ oc replace -f ~/oauth.yaml
oauth.config.openshift.io/cluster replaced

After this point, HTPasswd authentication is enabled. Activating configuration might take 5-15 minutes, because of restarting authentication pods and new configurations take in place.

You can basically test your configuration by just logging in : 

[student@workstation ~]$ oc login -u admin -p My$ecretP@$$
Login successful.

Plus, you may check identities in the Openshift by running "oc get identity"




Conclusion
HTPasswd is designed for basic authentication requirements, especially web based services, but you can safely use in test, poc or small environments. We  just enabled and configured a basic htpasswd authentication mechanism. Keep in mind that be sure to your htpasswd file and regularly backup it.






Labels:

Comments

Post a Comment

Popular posts from this blog

Openshift/K8S : Get routes hostnames and learn their reachability

  Undoubtedly, route have a key role to accessing your pods and their applications inside.  You may want to learn your whole Kubernetes or Openshift routes and their hostnames. Also you want to learn reachability of them. Here comes a shortcut! First step is creating a variable : hosts=$(oc get route -A \ -o jsonpath='{.items[*].spec.host}') You can ensure that just getting the hostnames,  rather than any other info by running : echo $hosts After this point we need a series of shell command to get names and HTTP status of our routes. For this task, write out the codes shown below :  for host in $hosts ; do \ curl https://$host -k -w "%{url_effective} %{http_code}\n" -o /dev/null -s ; \ done https://oauth-openshift.apps.ocp4.ozgurkkisa.com/ 403 https://console-openshift-console.apps.ocp4.ozgurkkisa.com/ 200 https://downloads-openshift-console.apps.ocp4.ozgurkkisa.com/ 200 https://alertmanager-main-openshift-monitoring.apps.ocp4.ozgurkkisa.com/ 403 https://grafa...
Post a Comment
Read more

K8S/OPENSHIFT: POD CRASHING,SECURITY CONTEXT CONTRAINTS PROBLEM?

  Your new daily given task is creating a new app in a new namespace. You investigated and found your image. Then you started to create your app. After app created you checked and realized that the your new apps pod is not starting! Here look at this example. I Used gitlab here as an instance. [ozgurk@myworkstation ~]$ oc new-app --name gitlab \ > --docker-image quay.io/redhattraining/gitlab-ce:8.4.3-ce.0 --> Creating resources ... imagestream.image.openshift.io "gitlab" created deployment.apps "gitlab" created service "gitlab" created --> Success  Until here, everything looking normal. Check your pod status :  [ozgurk@myworkstation ~]$ oc get pods NAME READY STATUS RESTARTS AGE gitlab-6d61db3479-yyjl 0/1 Error 1 43s As seen above, our pod is in a trouble. It's better to start investigation from pod logs. [ozgurk@myworkstation ~]$ oc logs pod/ gitlab-6d61db3479-yyjl ===========...
Post a Comment
Read more