diff --git a/.vuepress/config-sidebar.js b/.vuepress/config-sidebar.js index a8ff769..025c258 100644 --- a/.vuepress/config-sidebar.js +++ b/.vuepress/config-sidebar.js @@ -429,12 +429,14 @@ let sidebar = { 'k8s-advanced/sec/authenticate/', 'k8s-advanced/sec/sa-admin', 'k8s-advanced/sec/authenticate/install', + 'k8s-advanced/sec/authenticate/ldap', ] }, { title: '用户授权', collapsable: true, children: [ 'k8s-advanced/sec/kuboard', + 'k8s-advanced/sec/rbac/user-namespace.html', 'k8s-advanced/sec/rbac/list-namespace.html', 'k8s-advanced/sec/rbac/logs.html', 'k8s-advanced/sec/rbac/api', diff --git a/.vuepress/public/practice/ldap/kuboard_ldap_example.yaml b/.vuepress/public/practice/ldap/kuboard_ldap_example.yaml new file mode 100644 index 0000000..0b880d1 --- /dev/null +++ b/.vuepress/public/practice/ldap/kuboard_ldap_example.yaml 
@@ -0,0 +1,213 @@ + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: ldap-example + name: ldap + annotations: + k8s.kuboard.cn/workload: ldap + k8s.kuboard.cn/ingress: 'false' + k8s.kuboard.cn/service: none + labels: + app: ldap +spec: + selector: + matchLabels: + app: ldap + revisionHistoryLimit: 10 + template: + metadata: + labels: + app: ldap + spec: + securityContext: + seLinuxOptions: {} + imagePullSecrets: [] + restartPolicy: Always + initContainers: [] + containers: + - image: 'osixia/openldap:1.4.0' + imagePullPolicy: IfNotPresent + name: ldap + volumeMounts: + - name: openldap-data + mountPath: /var/lib/ldap + subPath: data + - name: openldap-data + mountPath: /etc/ldap/slapd.d + subPath: config + - name: openldap-data + mountPath: /container/service/slapd/assets/certs + subPath: certs + - name: secret-volume + mountPath: /container/environment/01-custom + - name: container-run + mountPath: /container/run + args: + - '--copy-service' + resources: + limits: + requests: + env: [] + readinessProbe: + tcpSocket: + port: openldap + initialDelaySeconds: 20 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + livenessProbe: + tcpSocket: + port: openldap + initialDelaySeconds: 20 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + lifecycle: {} + ports: + - name: openldap + containerPort: 389 + protocol: TCP + - name: ssl-ldap-port + containerPort: 636 + protocol: TCP + volumes: + - name: openldap-data + emptyDir: {} + - name: secret-volume + secret: + secretName: ldap-secret + defaultMode: 420 + items: [] + - name: container-run + emptyDir: {} + dnsPolicy: ClusterFirst + dnsConfig: {} + terminationGracePeriodSeconds: 30 + progressDeadlineSeconds: 600 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + replicas: 1 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: ldap-example + name: phpldapadmin + annotations: + 
k8s.kuboard.cn/workload: phpldapadmin + k8s.kuboard.cn/ingress: 'false' + k8s.kuboard.cn/service: ClusterIP + labels: + io.kompose.service: phpldapadmin +spec: + selector: + matchLabels: + io.kompose.service: phpldapadmin + revisionHistoryLimit: 10 + template: + metadata: + labels: + io.kompose.service: phpldapadmin + spec: + securityContext: + seLinuxOptions: {} + imagePullSecrets: [] + restartPolicy: Always + initContainers: [] + containers: + - image: 'osixia/phpldapadmin:0.9.0' + imagePullPolicy: Always + name: phpldapadmin + volumeMounts: [] + resources: + limits: + requests: + env: + - name: PHPLDAPADMIN_HTTPS + value: 'false' + - name: PHPLDAPADMIN_LDAP_HOSTS + value: ldap-service + lifecycle: {} + ports: + - containerPort: 80 + protocol: TCP + volumes: [] + dnsPolicy: ClusterFirst + dnsConfig: {} + terminationGracePeriodSeconds: 30 + progressDeadlineSeconds: 600 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% + replicas: 1 + +--- +apiVersion: v1 +kind: Service +metadata: + annotations: {} + labels: + app: ldap + name: ldap-service + namespace: ldap-example +spec: + ports: + - name: openldap + port: 389 + protocol: TCP + targetPort: openldap + - name: ssl-ldap-port + port: 636 + protocol: TCP + targetPort: ssl-ldap-port + selector: + app: ldap + sessionAffinity: None + type: ClusterIP + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: ldap-example + name: phpldapadmin + annotations: + k8s.kuboard.cn/workload: phpldapadmin + labels: + io.kompose.service: phpldapadmin +spec: + selector: + io.kompose.service: phpldapadmin + type: ClusterIP + ports: + - port: 8080 + targetPort: 80 + protocol: TCP + name: '8080' + nodePort: 0 + sessionAffinity: None + +--- +metadata: + name: ldap-secret + namespace: ldap-example + annotations: {} +data: + env.startup.yaml: >- + 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 + env.yaml: >- + 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 +type: Opaque +kind: 
Secret +apiVersion: v1 diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720221931304.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720221931304.png new file mode 100644 index 0000000..768af70 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720221931304.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720224823436.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720224823436.png new file mode 100644 index 0000000..55f0a64 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720224823436.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720224920889.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720224920889.png new file mode 100644 index 0000000..20765fd Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720224920889.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720225039012.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720225039012.png new file mode 100644 index 0000000..3dd5d61 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720225039012.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720225243855.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720225243855.png new file mode 100644 index 0000000..55c8159 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720225243855.png differ 
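Review bot: In the `ldap` Deployment the `openldap-data` volume is an `emptyDir`, and it backs both `/var/lib/ldap` and `/etc/ldap/slapd.d`, so the whole directory and the slapd configuration are discarded whenever the pod is rescheduled — every group and user the guide creates through phpldapadmin is gone and Dex's bindDN lookups against `ldap-service` start failing. For a demo manifest that is acceptable, but it should be stated where the reader will see it, e.g. a comment above the volume: `# demo only: the directory lives in an emptyDir and is lost on pod restart; use a PersistentVolumeClaim for anything beyond a demo`. The same Deployment carries `k8s.kuboard.cn/service: none` while a `ldap-service` Service selecting `app: ldap` is defined further down in the file; presumably the annotation should read `ClusterIP` like the phpldapadmin one, otherwise the Kuboard view and the actual objects disagree. Note also that `PHPLDAPADMIN_HTTPS: 'false'` means the admin bind credentials travel in cleartext between the Kuboard proxy and the phpldapadmin pod; both Services are `ClusterIP`, which limits exposure to the cluster network, and a one-line comment saying that this is why the example relies on the proxy rather than an Ingress would help readers who adapt it.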
diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720231936844.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720231936844.png new file mode 100644 index 0000000..0031400 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720231936844.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720232351634.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720232351634.png new file mode 100644 index 0000000..9fa5a2e Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200720232351634.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726165616950.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726165616950.png new file mode 100644 index 0000000..36fbcef Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726165616950.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726165741339.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726165741339.png new file mode 100644 index 0000000..bbed2dc Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726165741339.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170049198.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170049198.png new file mode 100644 index 0000000..e2c6c2a Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170049198.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170545157.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170545157.png new file mode 100644 index 0000000..dc2e158 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170545157.png differ 
diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170739621.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170739621.png new file mode 100644 index 0000000..8b627e7 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726170739621.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726172733862.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726172733862.png new file mode 100644 index 0000000..ce03b24 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726172733862.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726175739979.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726175739979.png new file mode 100644 index 0000000..00910b6 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726175739979.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726175840036.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726175840036.png new file mode 100644 index 0000000..29d77ff Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726175840036.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726202228504.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726202228504.png new file mode 100644 index 0000000..ab761fc Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726202228504.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726202709144.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726202709144.png new file mode 100644 index 0000000..71a84dd Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726202709144.png differ 
diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726204044666.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726204044666.png new file mode 100644 index 0000000..37cb46f Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726204044666.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726204609310.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726204609310.png new file mode 100644 index 0000000..a3fe4bd Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726204609310.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726210358145.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726210358145.png new file mode 100644 index 0000000..d6969e0 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726210358145.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726210455919.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726210455919.png new file mode 100644 index 0000000..5d460d2 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726210455919.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726222447923.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726222447923.png new file mode 100644 index 0000000..44a99bc Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726222447923.png differ diff --git a/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726222608697.png b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726222608697.png new file mode 100644 index 0000000..d9806e5 Binary files /dev/null and b/learning/k8s-advanced/sec/authenticate/ldap.assets/image-20200726222608697.png differ 
diff --git a/learning/k8s-advanced/sec/authenticate/ldap.md b/learning/k8s-advanced/sec/authenticate/ldap.md index 0f5144e..3c94e16 100644 --- a/learning/k8s-advanced/sec/authenticate/ldap.md +++ b/learning/k8s-advanced/sec/authenticate/ldap.md 
@@ -15,9 +15,220 @@ meta: 本文介绍了两部分内容,如果您已经有 LDAP 在使用,请直接进入文档的第二部分内容。 * 安装 OpenLDAP + > 仅用于配合此文档达成演示目的,部署到生产环境时,请参考 OpenLDAP 的官方网站 + * 配置 Kubernetes/Kuboard 使用 OpenLDAP 登录 -## 安装 OpenLDAP +## 前提条件 + +* Kubernetes 集群版本不低于 v1.13 +* Kuboard 版本不低于 v2.0.3-beta.2 + +## 安装/配置 OpenLDAP + +本文描述的 LDAP 安装/配置方法仅仅是为了演示目的,生产环境请另外规划您的 LDAP 服务器安装,或者更大的可能性是,使用您企业中已经部署的 LDAP 服务。 + +* 下载文件 kuboard_ldap_example.yaml + +* 打开 Kuboard 集群概览页,并创建名称空间 ***ldap-example*** + +* 进入名称空间 ***ldap-example*** 并点击 ***从 YAML 创建*** 按钮,将 kuboard_ldap_example.yaml 文件中的内容粘贴到弹出对话框,并点击 **保存** 按钮。 + + ![image-20200720231936844](./ldap.assets/image-20200720231936844.png) + + 完成创建后,稍等片刻,ldap / phpldapadmin 启动成功后,名称空间界面显示如下: + + ![image-20200720221931304](./ldap.assets/image-20200720221931304.png) + +* 打开 LDAP 管理界面 phpldapadmin + + * 点击上图中的 phpldapadmin,进入工作负载查看页,如下图所示: + + ![image-20200720224823436](./ldap.assets/image-20200720224823436.png) + + * 点击 ***代理*** 按钮,打开代理对话框,如下图所示: + + ![image-20200720224920889](./ldap.assets/image-20200720224920889.png) + + * 点击上图中的 ***在浏览器窗口中打开*** 按钮,进入 phpldapadmin 首页,如下图所示: + + ![image-20200720225039012](./ldap.assets/image-20200720225039012.png) + +* 点击上图中的 ***login*** 按钮,登录 phpldapadmin 管理界面: + + 登录时使用 + + * 用户名:cn=admin,dc=example,dc=org + + * 密码: admin + + ![image-20200720225243855](./ldap.assets/image-20200720225243855.png) + + 登录成功后,界面如下图所示: + + ![image-20200720232351634](./ldap.assets/image-20200720232351634.png) + +* 添加分组 + + 点击上图左侧的按钮 ***Create new entry here***,如下图所示: + + ![image-20200726165616950](./ldap.assets/image-20200726165616950.png) + + 点击上图中的 ***Generic: Posix Group***,如下图所示: + + 输入表单如下,然后点击 ***Create Object*** 按钮,再点击 ***Commit*** 按钮,将完成 `mygroup` 的创建 + + Group: `mygroup` + + ![image-20200726165741339](./ldap.assets/image-20200726165741339.png) + + + +* 添加用户 + + 点击左侧的按钮 ***Create new entry here***,并选择 ***Genric: User Account***,如下图所示: + + 输入表单如下: + + | 字段名称 | 字段值 | + | -------------- | ------------------ | + | First name | hello | + | Last name | world | + | 
Common Name | hello world | + | User ID | hworld | + | Password | 123456 | + | GID Number | mygroup | + | Home directory | /home/users/hworld | + + ![image-20200726170049198](./ldap.assets/image-20200726170049198.png) + + 完成表单填写后,点击 ***Create Object*** 按钮,再点击 ***Commit*** 按钮,将完成 `hworld` 用户的创建,如下图所示: + + ![image-20200726170545157](./ldap.assets/image-20200726170545157.png) + + 点击上图右上侧的 ***Add new attribute*** 按钮,选择字段类型 `Email`,并输入 `hworld@kuboard.cn` 如下图所示: + + ![image-20200726170739621](./ldap.assets/image-20200726170739621.png) + + 然后点击页面末尾的 ***Update Object*** 按钮,在新的界面再点一次 ***Update Object*** 按钮以确认更新。 + +::: tip ldap 样例 + +此时我们已经准备好了用于演示的 LDAP 环境: + +* 快速安装了一个 LDAP 服务实例(实际生产环境,请自行规划 LDAP 的安装,此文档中 LDAP 的安装方法只是用于 Demo 演示); +* 创建了一个用户组 `mygroup`; +* 创建了一个用户 `hworld` ,归属于用户组 `mygroup`,其邮箱地址为 `hworld@kuboard.cn`,密码为 `123456`。 + +::: ## 配置 Kubernetes/Kuboard 使用 OpenLDAP 登录 + +* 登录 Kuboard 界面,并点击右上角的 *圆形* 按钮,进入设置菜单,点击左侧导航栏的 ***单点登录*** 菜单,如下图所示: + + ![Kubernetes-LDAP](./ldap.assets/image-20200726175840036.png) + +* 点击上图中的 ***Kubernetes Authentication 安装向导***,在该向导界面中填写表单: + + | 字段名称 | 字段值 | 说明 | + | ----------------------------------------- | ----------------------------------------- | ------------------------------------------------------------ | + |
认证模式
| OpenID Connect | 请参考 [Kubernetes Authentication 安装向导](/learning/k8s-advanced/sec/authenticate/install.html) | + | 安装方式 | 安装 Dex 以连接 identity provider | 请参考 [Dex](https://github.com/dexidp/dex) | + | Dex Connector | LDAP | | + | Dex DNS Name | dex.demo.kuboard.cn | 请修改为您自己的 dex 域名 | + | Dex Node Port | 30100 | Kubernetes 的节点端口,必须可以被浏览器访问到 | + | SSL 证书 | dex.demo.kuboard.cn 的 SSL 证书公钥及私钥 | 请为您的 dex 域名申请一个 SSL 证书(暂不支持自签名证书) | + + ![Kubernetes LDAP](./ldap.assets/image-20200726175739979.png) + +* 在上图中完成表单填写并点击 ***下一步*** 之后,将进入安装 Dex 的界面,如下图所示: + + 填写表单: + + | 字段名称 | 字段值 | 说明 | + | ----------------------------------- | ------------------------------------------- | ------------------------------------------------------------ | + | Dex DNS Name | dex.demo.kuboard.cn | 请填写您自己的 Dex 域名 | + | Dex Node Port | 30100 | 请填写您自己的 Dex 端口号 | + | 基本参数-Id | ldap | | + | 基本参数-Name | LDAP | | + | 基本参数-usernamePrompt | SSO Username | 显示在 Dex 登录界面上的提示信息 | + | LDAP 连接参数-host | ldap-service.ldap-example.svc.cluster.local | [安装/配置 OpenLDAP](#安装/配置 OpenLDAP) 章节中安装的 LDAP service 的全名(其中 cluster.local 为您 Kubernetes 集群的 [Domain Suffix](/learning/k8s-intermediate/service/dns.html#a-记录))。如果您的 LDAP 服务器独立安装,请填写该 LDAP 服务器的域名或 IP 地址。 | + | LDAP 连接参数-insecureNoSSL | 不使用 SSL | Demo 中没有为 LDAP Server 配置 SSL 证书,所以此处不使用 SSL;如果您的LDAP 激活了 SSL,此处可以选择使用 SSL;如果您的激活了 SSL,但是使用的是自签名证书,此处如果选择了使用 SSL,Kuboard 与 LDAP 的认证模块将不能正常工作。 | + | LDAP 连接参数-bindDN | cn=admin,dc=example,dc=org | Dex 使用此账号登录 LDAP,以执行 LDAP 查询操作 | + | LDAP 连接参数-bindPW | admin | 密码 | + | 用户匹配方式-baseDN | dc=example,dc=org | 在此节点下查找用户信息 | + | 用户匹配方式-filter | (objectClass=posixAccount) | 将此条件作为查找用户信息的过滤条件 | + | 用户匹配方式-username | uid | 登录时输入的用户名与用户信息的此字段进行匹配 | + | 用户匹配方式-idAttr | uid | 将用户信息中的该字段 `uid` 映射到 token 的 id 字段 | + | 用户匹配方式-emailAttr | mail | 将用户信息中的该字段 `mail` 映射到 token 的 email 字段 | + | 用户匹配方式-nameAttr | uid | 将用户信息中的该字段 `uid` 映射到 token 的 name 字段 | + | 用户匹配方式-preferredUsernameAttr | uid | 将用户信息中的该字段 `uid` 映射到 token 中的 preferredUsername 字段 | + | 
分组匹配方式-baseDN | dc=example,dc=org | 在此节点下查找分组信息 | + | 分组匹配方式-filter | (objectClass=posixGroup) | 将此条件作为查找分组信息时的过滤条件 | + | 分组匹配方式-nameAttr | cn | 将分组信息中的该字段 `cn` 映射到 token 中分组的名字 | + | 分组匹配方式-userMatchers-userAttr | gidNumber | 用户信息中该字段的 `gidNumber` 的值应该与分组信息中的 groupAttr 指定的 `gidNumber` 字段的值相匹配 | + | 分组匹配方式-userMatchers-groupAttr | gidNumber | 分组信息中该字段 `gidNumber` 的值应该与用户信息中通过 userMatchers.userAttr 指定的字段 `gidNumber` 的值相匹配;
例如,本例中,用户信息 `hworld` 的 gidNumber 的取值为一个数组,其中包含值 `500`,则,Dex 认为,gidNumber 字段取值为 `500` 的分组信息 `mygroup` 是用户 `hworld` 所在的分组之一。 | + | Dex Client-id | kuboard-dex-client | 自动生成 | + | Dex Client-name | Kuboard for Kubernetes | 自动生成 | + | Dex Client-secret | mcedc4g27b5fnsjrktczwwes | 自动生成 | + | Dex Client-redirectURLs | http://dev.kuboard.cn:32567/login | 自动生成 | + + ![image-20200726222608697](./ldap.assets/image-20200726222608697.png) + +* 在上图中完成表单填写后,点击 ***保存*** 按钮,然后点击 ***安装*** 按钮,最后如下图所示: + + 需要等候片刻,Kubernetes 才能完成 dex 的安装,安装完成后,界面会辅助您验证浏览器是否可以访问 Dex,如果可以,请勾选 ***已确认*** 按钮。 + + ![image-20200726202228504](./ldap.assets/image-20200726202228504.png) + +* 在上图中点击 ***下一步*** 按钮,将进入到对 Kuboard 进行设定的界面,如下图所示: + + 请完成下图的表单(该表单的内容通常是自动生成,如果没有特殊情况,不建议修改) + + ![image-20200726202709144](./ldap.assets/image-20200726202709144.png) + +* 点击上图中的 ***保存*** 按钮,然后点击 ***应用 Kuboard OIDC 配置*** 按钮,如下图所示: + + 等 Kuboard 完成更新后,界面将辅助您检测 Kuboard 的容器中是否可以访问 dex 服务,如果正常,您将看到绿色字体 ***Kuboard OIDC issuer*** 配置已应用,如下图所示: + + ![image-20200726204044666](./ldap.assets/image-20200726204044666.png) + +* 点击上图中的 ***下一步*** 按钮,按界面提示完成对 apiserver 的配置,配置成功后,如下图所示: + + ![image-20200726204609310](./ldap.assets/image-20200726204609310.png) + +* 点击上图中的 ***下一步*** 按钮,您已经基本完成了 LDAP 认证的配置,接下来验证一下吧。 + + + +##验证 LDAP 登录 + +* 在新的浏览器(不同的浏览器,如果之前使用的是 chrome,建议现在使用 Firefox、IE 或者 Edge)中打开 Kuboard 界面,此时将默认显示用户名密码登录的 Tab,如下图所示: + + ![image-20200726210358145](./ldap.assets/image-20200726210358145.png) + +* 点击上图中的 ***前往验证*** 按钮,将显示如下界面: + + 在此界面中输入: + + SSO Username:hworld (安装 LDAP 后,创建的测试用户) + + Password: 123456 + + ![image-20200726210455919](./ldap.assets/image-20200726210455919.png) + +* 点击上图中的 ***Login*** 按钮, + + ![image-20200726222447923](./ldap.assets/image-20200726222447923.png) + + + +此时,您已经完成了 Kuboard/Kubernetes/Dex/LDAP 的集成,并且已经可以使用 LDAP 中的账号登录 Kuboard 界面。 + +> 界面上标识了已认证用户的用户名,以及所属的用户组。 + +为了能够进入名称空间,您还需要多做一小步工作,请参考: + +* [授权用户访问指定名称空间](/learning/k8s-advanced/sec/rbac/user-namespace.html) +* 
[授权用户访问名称空间列表](/learning/k8s-advanced/sec/rbac/list-namespace.html) \ No newline at end of file diff --git a/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726215955407.png b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726215955407.png new file mode 100644 index 0000000..53d8b01 Binary files /dev/null and b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726215955407.png differ diff --git a/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220043669.png b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220043669.png new file mode 100644 index 0000000..c70b8b2 Binary files /dev/null and b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220043669.png differ diff --git a/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220114622.png b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220114622.png new file mode 100644 index 0000000..52421d4 Binary files /dev/null and b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220114622.png differ diff --git a/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220732686.png b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220732686.png new file mode 100644 index 0000000..57e2311 Binary files /dev/null and b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220732686.png differ diff --git a/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220956316.png b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220956316.png new file mode 100644 index 0000000..a4037b8 Binary files /dev/null and b/learning/k8s-advanced/sec/rbac/user-namespace.assets/image-20200726220956316.png differ diff --git a/learning/k8s-advanced/sec/rbac/user-namespace.md b/learning/k8s-advanced/sec/rbac/user-namespace.md new file mode 100644 index 0000000..adcf3db --- /dev/null 
+++ b/learning/k8s-advanced/sec/rbac/user-namespace.md 
@@ -0,0 +1,66 @@ +--- +vssueId: 175 +layout: LearningLayout +sharingTitle: Kubernetes的RBAC授权从未如此简单 +description: Kubernetes教程_Role-based_access_control_(RBAC)基于角色的访问控制_是Kubernetes中支持的一种授权方式。本文描述了如何使用Kuboard管理RBAC授权规则,并授权用户访问名称空间列表。 +meta: + - name: keywords + content: Kubernetes 教程,Kubernetes 授权,Kubernetes RBAC,Kubernetes权限,User Permissions + +--- + +# 授权用户访问名称空间 + +本文描述了如何授予用户访问 Kubernetes 的一个名称空间。 + +## 前提条件 + +完成 [ Kubernetes Authentication 安装向导](/learning/k8s-advanced/sec/authenticate/install.html) 或者 [Kubernetes Authentication LDAP](/learning/k8s-advanced/sec/authenticate/ldap.html) 的安装 + + + +## 步骤描述 + +授权用户访问 default 名称空间的步骤如下: + +* 打开 Kuboard 界面并使用 `kuboard-user` 登录,点击右上角的圆形按钮,进入设置菜单,点击右侧菜单栏的 ***权限管理*** / ***User*** 菜单,界面如下图所示: + + ![image-20200726220043669](./user-namespace.assets/image-20200726220043669.png) + +* 点击上图中的 ***为新 User 授权*** 按钮,如下图所示: + + 输入 User Name 为 `hworld` (或者您自己的用户名),此处的用户名为完成 [ Kubernetes Authentication 安装向导](/learning/k8s-advanced/sec/authenticate/install.html) 或者 [Kubernetes Authentication LDAP](/learning/k8s-advanced/sec/authenticate/ldap.html) 的安装后,登录 Kuboard 时所使用的第三方(GitHub/GitLab/LDAP)的用户名。 + + ![image-20200726220114622](./user-namespace.assets/image-20200726220114622.png) + +* 点击上图中的 ***确定*** 按钮,进入如下界面: + + 此界面中显示了该用户关联的 RoleBinding 及 ClusterRoleBinding。 + + ![image-20200726215955407](user-namespace.assets/image-20200726215955407.png) + + ::: tip RoleBinding v.s. 
ClusterRoleBinding + + * RoleBinding 必须在名称空间内创建,作用范围是其所在的名称空间; + * RoleBinding 可以关联 ServiceAccount、User、Group 等所有类型的 Subject; + * RoleBinding 可以关联其他名称空间(与RoleBinding不在同一名称空间)的 ServiceAccount,例如,名称空间 A 中有一个 ServiceAccount `sa1`;在名称空间 B 中创建一个 RoleBinding,其 Subject 为名称空间 A 中的 `sa1`,其角色为 ClusterRole `admin`;此时,`sa1` 可以以 `admin` 的角色访问名称空间 B;但是,ClusterRole `admin` 中关于节点等对象的授权(查询节点列表、查看节点详情等),`sa1` 并不能执行,因为 RoleBinding 的作用域为其所在的名称空间,而节点属于集群级别的对象; + * ClusterRoleBinding 只能关联 ClusterRole; + * ClusterRoleBinding的作用域是整个集群。如果用户通过 ClusterRoleBinding 关联了 ClusterRole `admin`,则该用户可以以 `admin` 的身份访问集群中的所有名称空间,也可以访问 ClusterRole `admin` 中授权的集群级别的对象。 + + ::: + +* 点击上图中 ***RoleBinding*** 后面的 ***添加*** 按钮,将打开创建 RoleBinding 的对话框, + + 选择 ***常用 ClusterRole*** 中的 ***view*** ,如下图所示: + + ![image-20200726220732686](./user-namespace.assets/image-20200726220732686.png) + +* 点击上图中的 ***保存*** 按钮,将完成 RoleBinding 的创建,如下图所示: + + 此时,用户已经可以以 `view` 的身份访问名称空间 `default` 了。 + + ![image-20200726220956316](./user-namespace.assets/image-20200726220956316.png) + + + +:tada: :tada: :tada: \ No newline at end of file diff --git a/support/change-log/Drain.png b/support/change-log/Drain.png new file mode 100644 index 0000000..0185afa Binary files /dev/null and b/support/change-log/Drain.png differ diff --git a/support/change-log/change-log-on-the-way-2.0.md b/support/change-log/change-log-on-the-way-2.0.md index a632cc4..c24faff 100644 --- a/support/change-log/change-log-on-the-way-2.0.md +++ b/support/change-log/change-log-on-the-way-2.0.md @@ -6,7 +6,6 @@ 切换主题色 Prob 设置时,可以使用端口名 -* 节点管理操作,驱逐、封禁等 * RoleBinding 可以跨名称空间绑定 * Workload 显示最后更新时间 diff --git a/support/change-log/v2.0.x.md b/support/change-log/v2.0.x.md index 94c2cc7..fb5599e 100644 --- a/support/change-log/v2.0.x.md +++ b/support/change-log/v2.0.x.md 
@@ -13,6 +13,18 @@ Kuboard v2.0.x 的更新说明 了解 [从Kuboard v1.0.x 升级到 Kuboard v2.0.x](./upgrade-1-2.html) +## v2.0.3 + +**发布日期** + +2020年7月26日 + +**优化** + +* 节点详情页可以逐个驱逐 Pod +* 将镜像 quay.io/dexidp/dex:v2.24.0 重新标记到 eipwork/dex:v2.24.0,提高下载速度 +* 更新 Kubernetes Authentication 安装向导中的界面截图 + ## v2.0.3-beta.4 **发布日期**