
Configure LDAP/AD


If your enterprise uses LDAP/AD for user authentication, you can integrate it with the OpenLDAP built into KubeSphere so that users are authenticated against it when logging in to the KubeSphere console.

This tutorial demonstrates how to configure AD accounts; the same steps work for LDAP.

Note: This process is configured with a script. KubeSphere plans to provide a UI for configuring LDAP/AD in v3.0.

Inspect Active Directory

Connect to Windows Server 2016, open Active Directory Administrator, and obtain the managerDN (it can be a read-only account).

Create and Edit Script

Connect to the KubeSphere server over SSH, create a script named inject-ks-account.sh, and replace the values of the keys host, managerDN, managerPWD and userSearchBase with your actual AD values.

#!/bin/bash
set -e

host="139.198.111.111:30222"    # Replace its value with your AD server IP and port
managerDN="cn=Administrator,cn=Users,dc=kubesphere,dc=com"  # Replace its value with your AD Administrator account. It could be read-only.
managerPWD="123456789"          # Replace with the Administrator's password
userSearchBase="cn=Users,dc=kubesphere,dc=com"   # Depends on your AD configuration
sidecar="kubespheredev/ad-sidecar:v0.0.1"        # Sidecar image that syncs AD users into the built-in OpenLDAP

# Render the ConfigMap holding sync.yaml: src is your AD server, dst is the built-in OpenLDAP
generate_config() {
cat << EOF
apiVersion: v1
data:
  sync.yaml: |
    sync:
      interval: "300s"
    src:
      host: "${host}"
      managerDN: "${managerDN}"
      managerPWD: "${managerPWD}"
      userSearchBase: "${userSearchBase}"
      usernameAttribute: "sAMAccountName"
      descriptionAttribute: "description"
      mailAttribute: "mail"
    dst:
      host: "openldap.kubesphere-system.svc:389"
      managerDN: "cn=admin,dc=kubesphere,dc=io"
      managerPWD: "admin"
      userSearchBase: "ou=Users,dc=kubesphere,dc=io"
kind: ConfigMap
metadata:
  name: ad-sync-config
  namespace: kubesphere-system
EOF
}

# apply sync config
generate_config | kubectl apply -f -

# inject sidecar: mount the ConfigMap as a volume and add the ad-sidecar container to the ks-account Deployment
kubectl -n kubesphere-system get deploy ks-account -o json \
  | jq '.spec.template.spec.volumes += [{"configMap":{"name":"ad-sync-config"},"name":"ad-sync-config"}]' \
  | jq '.spec.template.spec.containers += [{"command":["ad-sidecar","--logtostderr=true","--v=2"],"image":"'"${sidecar}"'","imagePullPolicy":"IfNotPresent","name":"ad-sidecar","ports":[{"containerPort":19090,"protocol":"TCP"}],"volumeMounts":[{"mountPath":"/etc/kubesphere/sync.yaml","name":"ad-sync-config","subPath":"sync.yaml"}]}]' \
  | kubectl apply -f -

# use proxy port: route the ks-account Service through the sidecar's port 19090
kubectl -n kubesphere-system get svc ks-account -o json | jq '.spec.ports[0].targetPort=19090' | kubectl apply -f -

Run and Verify

After you have created the script, run inject-ks-account.sh to configure the AD accounts.

Please note that this script restarts the ks-account Pod, so your account might not be available for a few minutes. Once the ks-account Pod is running again, you can log in to KubeSphere to check the accounts read from the AD server.

At this point, you need to use the cluster admin account to assign roles to the AD users. After the roles have been assigned, these AD accounts are ready to use in KubeSphere.
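Before logging in, it is worth confirming that the three changes the script makes actually landed on the cluster objects. The following check is added example code (not part of KubeSphere) and assumes you have saved the output of `kubectl -n kubesphere-system get deploy ks-account -o json` and `kubectl -n kubesphere-system get svc ks-account -o json`; the sample objects embedded below are constructed to mirror the script's jq edits.

```python
"""Verify the ad-sidecar injection performed by inject-ks-account.sh.
Added example, not KubeSphere code. Feed it the JSON of the ks-account
Deployment and Service; an empty problem list means the injection is complete."""

SIDECAR_NAME = "ad-sidecar"
CONFIGMAP_NAME = "ad-sync-config"            # ConfigMap created by the script
SYNC_PATH = "/etc/kubesphere/sync.yaml"       # where the sidecar reads sync.yaml
PROXY_PORT = 19090                            # sidecar port the Service must target


def check_deployment(deploy: dict) -> list:
    """Return problems found in the ks-account Deployment (empty list = OK)."""
    problems = []
    spec = deploy["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    vol = volumes.get(CONFIGMAP_NAME)
    if not vol or vol.get("configMap", {}).get("name") != CONFIGMAP_NAME:
        problems.append("volume %s missing or not backed by the ConfigMap" % CONFIGMAP_NAME)
    sidecar = next((c for c in spec.get("containers", []) if c.get("name") == SIDECAR_NAME), None)
    if sidecar is None:
        return problems + ["container %s not present" % SIDECAR_NAME]
    if PROXY_PORT not in [p.get("containerPort") for p in sidecar.get("ports", [])]:
        problems.append("sidecar does not expose containerPort %d" % PROXY_PORT)
    mounted = [m for m in sidecar.get("volumeMounts", [])
               if m.get("name") == CONFIGMAP_NAME and m.get("mountPath") == SYNC_PATH
               and m.get("subPath") == "sync.yaml"]
    if not mounted:
        problems.append("sync.yaml not mounted at %s from %s" % (SYNC_PATH, CONFIGMAP_NAME))
    return problems


def check_service(svc: dict) -> list:
    """Return problems if the Service does not route through the sidecar (empty list = OK)."""
    ports = svc["spec"].get("ports", [])
    if not ports or ports[0].get("targetPort") != PROXY_PORT:
        return ["Service ks-account does not target sidecar port %d" % PROXY_PORT]
    return []


# Constructed samples: what the objects look like after the script has run.
SAMPLE_DEPLOY = {"spec": {"template": {"spec": {
    "volumes": [{"name": "ad-sync-config", "configMap": {"name": "ad-sync-config"}}],
    "containers": [
        {"name": "ks-account", "image": "ks-account-image:example"},
        {"name": "ad-sidecar", "image": "kubespheredev/ad-sidecar:v0.0.1",
         "ports": [{"containerPort": 19090, "protocol": "TCP"}],
         "volumeMounts": [{"name": "ad-sync-config", "mountPath": "/etc/kubesphere/sync.yaml",
                           "subPath": "sync.yaml"}]}]}}}}
SAMPLE_SVC = {"spec": {"ports": [{"targetPort": 19090}]}}

if __name__ == "__main__":
    print(check_deployment(SAMPLE_DEPLOY) + check_service(SAMPLE_SVC) or "injection OK")
```

Replace the sample dicts with `json.load()` of the saved kubectl output to check a real cluster.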