wget https://dl.google.com/go/go1.14.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.14.linux-amd64.tar.gz echo "PATH=$PATH:/usr/local/go/bin" >>~/.bashrc && . ~/.bashrc

#check go version 

git clone https://github.com/jotapff/k8s-samba-authentication.git cd k8s-samba-authentication go get github.com/go-ldap/ldap go get k8s.io/api/authentication/v1

#Line 18 - If the LDAP server is configured "over ssl/tls" ldapURL = "ldaps://" + os.Args[1] #Line 95 user := fmt.Sprintf("%s@KUBER.NET", username) #Line 104 "cn=Users,dc=kuber,dc=net"

GOOS=linux GOARCH=amd64 go build main.go

openssl req -x509 -newkey rsa:2048 -nodes \ -subj "/CN=localhost" \ -keyout key.pem \ -out cert.pem

./main SERVER-LDAP key.pem cert.pem &>/var/log/k8s-samba-authentication.log &

 { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "spec": { "token": "user:userpassword" } }

curl -k -X POST -d @testldap.json https://127.0.0.1 # If the status is empty the webhook is not working  "status": { "user": {} } 

[Unit] Description=Samba AD Webhook Authentication Server After=network.target [Service] Type=simple ExecStart=/root/k8s-samba-authentication/main 127.0.0.1 /root/k8s-samba-authentication/key.pem /root/k8s-samba-authentication/cert.pem RestartSec=10 Restart=always [Install] WantedBy=multi-user.target

systemctl start webhook.service systemctl enable webhook.service

#Install kubeadm and Docker curl -o- https://raw.githubusercontent.com/jotapff/k8s-docker-Install-Script-Ubuntu/master/install.sh | bash

cat <<EOF > /root/webhook-config.yaml apiVersion: v1 kind: Config clusters:  - name: authn  cluster:  server: https://X.X.X.X #WebHook Server  insecure-skip-tls-verify: true #If the certificate isn't signed by a CA users:  - name: kube-apiserver contexts: - context:  cluster: authn  user: kube-apiserver  name: authn current-context: authn EOF

cat <<EOF >kubeadm-config.yaml apiVersion: kubeadm.k8s.io/v1beta2 kind: ClusterConfiguration apiServer:  extraVolumes:  - name: authentication-token-webhook-config-file  mountPath: /etc/webhook-config.yaml  hostPath: /root/webhook-config.yaml   extraArgs:  authentication-token-webhook-config-file: /etc/webhook-config.yaml  certSANs:  - X.X.X.X #IP address Kubernetes API server listens networking:  podSubnet: "10.244.0.0/16" EOF 

kubeadm config migrate --old-config kubeadm-config.yaml --new-config kubeadm-config-new.yaml kubeadm init --config kubeadm-config-new.yaml 

#Install a CNI plugin.  #Example the Flannel kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

#Create the ClusterRole or Roles to the users or groups #For example: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: k8s-admin-group roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: Group name: kuberadmin apiGroup: rbac.authorization.k8s.io

kubectl config set-credentials testuser \ --token user:userpassword kubectl config set-context user-context \ --cluster=kubernetes --user=user kubectl config use-context user-context kubectl config set-cluster kubernetes \ --insecure-skip-tls-verify=true \ --server https://X.X.X.X:6443