Protecting a Service in OpenShift using Kerberos

The same container image that runs HTTPD with Kerberos authentication under Podman can do the same thing in OpenShift. Here are the changes.

When running in OpenShift, my app is exposed on the route hostname krbocp-git-krbocp.apps.demo.redhatfsi.com. I create a host entry for that name in my IdM server, plus an HTTP service principal on that host, and then I need a keytab for the service.

[ayoung@idm ~]$ kinit ayoung
Password for ayoung@REDHATFSI.COM: 
$ export PRINCIPAL=HTTP/krbocp-git-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM
$ ipa service-show $PRINCIPAL
  Principal name: HTTP/krbocp-git-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM
  Principal alias: HTTP/krbocp-git-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM
  Keytab: True
  Managed by: krbocp-git-krbocp.apps.demo.redhatfsi.com
$ ipa-getkeytab -k keytabs/$PRINCIPAL.keytab -p $PRINCIPAL
Keytab successfully retrieved and stored in: keytabs/HTTP/krbocp-git-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM.keytab

I have to bring it over to my workstation. This is obviously a sub-optimal step that I would not mind eliding in the future, but for now I copy it locally, under a file name that is friendly to the OpenShift API, so that I can upload the file as a secret. One caveat: ipa-getkeytab generates a new key for the service by default, which invalidates any keytab previously issued for it (service-show reported Keytab: True, so one already existed); pass -r to retrieve the existing key instead of rotating it.

$ mkdir -p ~/keytabs/HTTP/krbocp-git-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM
$ scp idm.redhatfsi.com:keytabs/HTTP/krbocp-git-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM.keytab ~/keytabs/HTTP/krbocp-git-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM/apache.keytab 
$ oc create secret generic apache-keytab --from-file ~/keytabs/HTTP/krbocp-git-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM/
secret/apache-keytab created
$ oc get secret apache-keytab -o yaml
apiVersion: v1
data:
  apache.keytab: ... elided 
kind: Secret
metadata:
  creationTimestamp: "2020-02-03T18:03:43Z"
  name: apache-keytab
  namespace: krbocp
  resourceVersion: "2507619"
  selfLink: /api/v1/namespaces/krbocp/secrets/apache-keytab
  uid: 9c3ffc0f-544a-4912-a591-549fe392fae0
type: Opaque

To make this secret usable in the container, I find the deployment named krbocp-git (oc edit deployment krbocp-git) and add a volume for the secret plus a volumeMount for it. Here is what the pod template spec (spec.template.spec) looks like afterwards. Note that file modes are written in decimal in the YAML: defaultMode 420 is octal 0644, and the per-item mode 511 is octal 0777, which is far more than a keytab needs. The volume is mounted readOnly, so the write and execute bits are moot, but 0440 (decimal 288) or 0444 (decimal 292) is enough for httpd to read the file and is what I would use outside a demo.

    spec:
      containers:
      - image: image-registry.openshift-image-registry.svc:5000/krbocp/krbocp-git@sha256:ec778f7df6ed4768fa54a84f87dc6e2b2be619395ef1bf7a2bd9efb73ca7c865
        imagePullPolicy: Always
        name: krbocp-git
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/httpd/secrets
          name: secret-volume
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: secret-volume
        secret:
          defaultMode: 420
          items:
          - key: apache.keytab
            mode: 511
            path: apache.keytab
          secretName: apache-keytab

Et Voila (over a plain-HTTP route here; for anything beyond a demo, expose the service over TLS):

$ curl -s  --negotiate -u : http://krbocp-git-krbocp.apps.demo.redhatfsi.com/envvars | grep REMOTE_USER
<dt>REMOTE_USER</dt><dd> 'custom/sampleapp.apps.demo.redhatfsi.com@REDHATFSI.COM'</dd>

I was getting confused why this was not working for the image-based deployment I did in the same project until I realized it has a different hostname. http://krbocp-container-krbocp.apps.demo.redhatfsi.com/ will not work with the same keytab: its service principal would be HTTP/krbocp-container-krbocp.apps.demo.redhatfsi.com@REDHATFSI.COM, a different principal that needs its own entry in IdM and its own keytab.
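The quickest way to catch that mismatch before uploading anything is to run klist -kt on the keytab and compare the principal against the route hostname. To show what klist is actually reading, here is an added example (not code from the original post, and not part of IdM or OpenShift) that parses the MIT keytab file format (version 0x0502) directly and checks whether a keytab contains the HTTP principal for a given hostname. The keytab bytes, key material and kvno in the sample are constructed fixtures, not a real keytab from the IdM server.

```python
import struct

# Minimal MIT keytab (format version 0x0502) writer and reader. Entry layout:
#   int32 size (negative = deleted slot), uint16 ncomponents,
#   counted realm, counted components..., uint32 name_type, uint32 timestamp,
#   uint8 vno8, uint16 enctype, uint16 keylen, key bytes, optional uint32 vno.
# "counted" means a uint16 length followed by the bytes. All integers big-endian.

REALM = "REDHATFSI.COM"
ROUTE_HOST = "krbocp-git-krbocp.apps.demo.redhatfsi.com"
OTHER_HOST = "krbocp-container-krbocp.apps.demo.redhatfsi.com"  # the other deployment


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build keytab bytes from (principal, enctype, key, kvno) tuples.

    Used here only to construct a test fixture; the keys are made up."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type 1 = NT_PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno, present in 0x0502 files
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Return a list of dicts describing each entry, like `klist -kt` would."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # deleted entry: skip its slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            parts.append(data[pos:pos + n].decode())
            pos += n
        realm, comps = parts[0], parts[1:]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:  # trailing 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "enctype": enctype, "kvno": kvno, "keylen": len(key),
        })
    return entries


def keytab_has_service(data: bytes, hostname: str, realm: str, service="HTTP"):
    """True if the keytab holds a key for service/hostname@realm."""
    want = "%s/%s@%s" % (service, hostname, realm)
    return any(e["principal"] == want for e in parse_keytab(data))


# Constructed fixture: one principal, two enctypes (18 = aes256-cts, 17 = aes128-cts).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/%s@%s" % (ROUTE_HOST, REALM), 18, bytes(range(32)), 3),
    ("HTTP/%s@%s" % (ROUTE_HOST, REALM), 17, bytes(range(16)), 3),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("kvno %d enctype %d %s" % (e["kvno"], e["enctype"], e["principal"]))
    for host in (ROUTE_HOST, OTHER_HOST):
        print(host, "->", keytab_has_service(SAMPLE_KEYTAB, host, REALM))
```

Pointing the check at the other route (krbocp-container-...) returns False, which is exactly the failure described above: the keytab is bound to one service principal, and a second hostname needs its own.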
