ONAP4K8s/Emco IAM (Integrity and Access Management)
- 1 Authentication with Emco
- 2 Authorization with Emco
- 3 Steps for setting up ONAP4K8s with Istio + Authservice
- 3.1 Keycloak
- 3.1.1.1 Keycloak Installation
- 3.1.1.2 Keycloak Yaml
- 3.1.2 Create a realm, add users and roles to Keycloak
- 3.2 Emco Setup with Istio
- 3.2.1 Install Emco with side car injection
- 3.2.1.1 EMCO Installation
- 3.2.2 Gateway
- 3.2.2.1 Gateway
- 3.2.3 Virtual service
- 3.2.3.1 Virtual Service
- 3.2.4 Istio Policy
- 3.2.4.1 Authentication Policy
- 3.3 Authservice Setup in Istio Ingress-gateway
- 3.3.1 Authservice Configmap
- 3.3.1.1 Authservice configmap
- 3.3.2 Install Authservice with the Istio-Ingress gateway
- 3.3.2.1 Authservice Container
- 3.3.3 EnvoyFilter Resource for authservice
- 3.3.3.1 Envoy Filter
- 3.4 Setup with multiple OAuth2 Servers.
- 3.5 Authorization Policies with Istio
- 3.5.1 Authorization Policies
Authentication with Emco
EMCO uses Istio and other open source solutions to provide a multi-tenancy solution that leverages Istio's authorization and authentication frameworks. This is achieved without adding any logic to the EMCO microservices. Authentication of EMCO users is done at the Istio Gateway, where all traffic enters the cluster. Istio, along with Authservice (an Istio ecosystem project), enables request-level authentication with JSON Web Token (JWT) validation. This can be achieved using a custom authentication provider or any OpenID Connect provider such as Keycloak, Auth0, etc.
Authservice is an entity that works alongside the Envoy proxy. It is used to work with external IAM systems (OAUTH2). Many enterprises have their own OAUTH2 server for authenticating users and providing roles. ONAP4K8s, along with Istio ingress and Authservice, can use a single or multiple OAUTH2 servers, one belonging to each project (enterprise).
Authentication Flow with OIDC, Istio Ingress Gateway and Authservice
Authorization with Emco
Emco uses Istio's AuthorizationPolicy resource to manage authorizations. See the end of this post for examples of authorization policies.
Steps for setting up ONAP4K8s with Istio + Authservice
Keycloak
Keycloak is an open source software product to allow single sign-on with Identity Management and Access Management. Keycloak is being used here as an example of IAM service to be used with EMCO.
In the Kubernetes cluster where Keycloak is going to be installed, follow these steps to create the Keycloak deployment:
A Keycloak deployment file for Kubernetes is available at: https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml
Keycloak Installation
kubectl create ns keycloak
# The secret name must match secretName in keycloak.yaml (keycloak-certs)
kubectl create -n keycloak secret tls keycloak-certs --key keycloak.key --cert keycloak.crt
kubectl apply -f keycloak.yaml -n keycloak
Keycloak Yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: https
    port: 8443
    targetPort: 8443
  selector:
    app: keycloak
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:9.0.2
        volumeMounts:
        - name: keycloak-certs
          mountPath: /etc/x509/https
          readOnly: false
        env:
        # Example admin credentials; change them for any shared deployment
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "admin"
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8080
      volumes:
      - name: keycloak-certs
        secret:
          # Must match the name of the TLS secret created in the keycloak namespace
          secretName: keycloak-certs
          defaultMode: 420
          optional: true
Create a realm, add users and roles to Keycloak
- Create a new Realm - ex: enterprise1
- Add Users
- Create a new Client under realm name - ex: emco
- Under Settings for client
  - Change access type for client to confidential
  - Under Authentication Flow Overrides - Change Direct grant flow to direct grant
  - Update Valid Redirect URIs.
- In Roles tab:
  - Add roles (ex. Admin and User)
- Under Users assign roles from emco client to users (Admin and User). Verify under Emco Client that roles for user are in the role
- Add Mappers
  - Under Emco Client under mapper tab create a mapper
    - Mapper type - User Client role
    - Client-ID: emco
    - Token claim name: role
    - Claim JSON Type: string
For complete documentation of Keycloak refer to these links:
https://www.keycloak.org/getting-started/getting-started-kube
https://developers.redhat.com/blog/2020/01/29/api-login-and-jwt-token-generation-using-keycloak/
Emco Setup with Istio
In the Kubernetes cluster where EMCO is going to run, install the Istio Demo Profile:
https://istio.io/latest/docs/setup/install/standalone-operator/
Istio version to use is 1.5.3
Install Emco with side car injection
EMCO Installation
istioctl kube-inject -f ovn4k8sdb.yaml | kubectl apply -f -
istioctl kube-inject -f ovn4k8s.yaml | kubectl apply -f -
kubectl create -n istio-system secret tls emco-credential --key=v2.key --cert=v2.crt
Gateway
Gateway
Virtual service
Virtual Service
Make sure the EMCO service is accessible through istio ingress gateway at this point. [https://<Istio Ingress service IP Address:port>/v2/projects]
Istio Policy
Authentication Policy
Now when you try to access EMCO you'll get a 403 error. [https://<Istio Ingress service IP Address:port>/v2/projects]
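One configuration that produces the behaviour described above, written for the Istio 1.5 security API as an added example and not the page's original policy. The resource names and the `<keycloak-host:port>` placeholder are assumptions; the realm name enterprise1 is the one used in the Keycloak steps.

```yaml
# Added example: validate Keycloak-issued JWTs at the ingress gateway.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: emco-jwt              # hypothetical name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  # issuer must equal the "iss" claim of tokens minted by the realm
  - issuer: "https://<keycloak-host:port>/auth/realms/enterprise1"
    jwksUri: "https://<keycloak-host:port>/auth/realms/enterprise1/protocol/openid-connect/certs"
---
# RequestAuthentication alone rejects only tokens that are present but
# invalid (401). A request carrying no token passes it, so a second policy
# has to deny requests without a request principal; that denial is a 403.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: emco-require-jwt      # hypothetical name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
```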
Authservice Setup in Istio Ingress-gateway
Authservice Configmap
The following example shows how to set up authservice with keycloak.
Authservice configmap
Install Authservice with the Istio-Ingress gateway
In this setup, Authservice is set up at the Istio-Ingress gateway level. Refer to this link for details:
Currently, there is not yet a native way to install Authservice into the Istio Ingress-gateway. We are manually modifying the Deployment of istio-ingressgateway to add the Authservice container. Add the container below. Note: Change the container section in the ingress-gateway deployment to make it possible to add multiple containers.
Authservice Container
EnvoyFilter Resource for authservice
Envoy Filter
Try accessing the EMCO URL again [https://<Istio Ingress service IP Address:port>/v2/projects]. This will take you to the Keycloak login page, and from there the user can get authenticated before being allowed to access EMCO resources.
Setup with multiple OAuth2 Servers.
The following changes are required if different OAuth2 servers are needed for different projects. All other configurations remain the same.
Virtual service to support multiple servers
Virtual Service
Authentication Policy with multiple servers
Authentication Policy
Configmap for multiple servers.
The following example shows how to set up authservice with multiple OAUTH2 keycloak servers.
Authservice configmap
Authorization Policies with Istio
As specified in the Keycloak section, role mappers are created using Keycloak. These can be used to apply authorizations for users. Some examples that can be used:
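A role-based policy built on the `role` claim from the Keycloak mapper, given here as an added example rather than the page's original policies. The policy name and the split of permissions between the Admin and User roles are assumptions chosen for illustration; the claim name, role names and /v2/projects path come from the page.

```yaml
# Added example: authorize by the "role" claim in the validated JWT.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: emco-role-access      # hypothetical name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  # Rule 1: the Admin role may use any method on the projects API.
  - to:
    - operation:
        paths: ["/v2/projects", "/v2/projects/*"]
    when:
    # Matches when the claim is a string equal to the value,
    # or a list of strings that contains it.
    - key: request.auth.claims[role]
      values: ["Admin"]
  # Rule 2: the User role is limited to read-only requests.
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/v2/projects", "/v2/projects/*"]
    when:
    - key: request.auth.claims[role]
      values: ["User"]
```

Once an ALLOW policy selects the gateway, a request that matches none of its rules is denied with a 403, so a token without either role gets no access to these paths.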