Identity and Access Management (IAM)

Build you own: Access Manager with Kubernetes

By Jon Harry posted Thu May 02, 2019 11:17 AM

  

Introduction

In my previous post, I described how to build your own Centos 7 system, with Docker (and docker-compose) installed, so that you could run an  IBM Security Access Manager system using containers.

This post extends that system so that you can explore deployment of Access Manager via Kubernetes.  It also includes installation of Helm so that you can explore deployment using Helm Charts.

Kubernetes is an orchestration technology which controls deployment of containers in a Kubernetes cluster.  This is a common way to deploy containers onto cloud platforms such as IBM Cloud or Google Kubernetes Engine (GKE).

Helm is described as "a package manager for Kubernetes".   A Helm Chart is a definition of one or more Kubernetes deployments (usually related to a single application) which allows dynamic scripting within the YAML files which define the Kubernetes objects.

This post provides step-by-step instructions for installing:

  • minikube (a stand-alone Kubernetes cluster);
  • kubectl (the Kubernetes command-line client); and
  • helm (the Helm command-line client)

onto your test system.

Once you have completed the steps in this post, you’ll be able to use my Access Manager with Kubernetes and my Access Manager with Helm cookbooks.

Pre-requisites

This post assumes that you already have a Centos 7 system set up.  Instructions for this are in my previous post.  For my environment, I used a virtual machine running under VMWare but you could use a different hypervisor or a physical machine.  For my virtual machine I used these settings:

  • Minimum 8GB Memory
  • Minimum 30GB Disk
  • Minimum 4 CPUs
  • Enable nested hypervisor support (required for minikube)

This blog assumes you have a standard user account.  I created a standard user with username of demouser but you can choose your own name.  You will also need root access for the installation steps.

Install Kubernetes command-line client

Kubernetes clusters are managed using a REST API. The kubectl utility provides a command-line client for this REST API.

As root, enter the following commands to add the Kubernetes repository to yum and install:

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF

yum install -y kubectl

echo "source <(kubectl completion bash)" >> /etc/bashrc

Install Helm

Helm Charts are created and installed using the helm utility.  It is also used to initialize a Kubernetes cluster for Helm by installing a service caller Tiller.

As root, enter the following commands to run the installer for Helm and set up command completion:

curl -L https://git.io/get_helm.sh | bash

echo "source <(helm completion bash)" >> /etc/bashrc

Install KVM and Minikube

Minikube is a self-contained Kubernetes cluster that can run locally under a hypervisor. In this case it will be installed under the KVM hypervisor.

As root, enter the following commands to install KVM and Minikube:

yum install -y qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils libvirt-daemon-kvm

systemctl enable libvirtd

systemctl start libvirtd

curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && chmod +x minikube && cp minikube /usr/local/bin/ && rm -f minikube

curl -LO https://storage.googleapis.com/minikube/releases/latest/docker-machine-driver-kvm2 && install docker-machine-driver-kvm2 /usr/local/bin/ && rm -f docker-machine-driver-kvm2

Add standard user to libvirt group

If you want a standard user to be able to start Minikube, they must be added to the libvirt group.

As root, enter the following commands (replacing demouser with the username of your standard user):

usermod -aG libvirt demouser

The installation is complete. To activate KVM you must now Reboot the system.

Set minikube configuration

Once your system has rebooted, login as the standard user that you created during Centos 7 installation. In my case the user is demouser.

Enter the following commands set minikube configuration:

minikube config set vm-driver kvm2

minikube config set memory 4096

minikube config set cpus 4

Start minikube for the first time

As the standard user, enter the following command to start minikube for the first time:

minikube start

This first start can take several minutes as assets are downloaded from the internet to initialize the Kubernetes system.  Once minikube has started successfully, enable the ingress add-on which will allow access to services using well-known ports:

minikube addons enable ingress

Test kubectl connection

When minikube is started, the configuration for kubectl is updated so that it is connected to the minikube Kubernetes cluster.

Use this following command to check that the connection has been made:

kubectl cluster-info

You should see output similar to the following:

Kubernetes master is running at https://192.168.39.91:8443
KubeDNS is running at https://192.168.39.91:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

Your minikube Kubernetes cluster is ready to use.

Stop minikube to release memory

If you're not going to use it right away, you can now stop minikube to reduce CPU and memory usage:

minikube stop

Prepare for Cookbooks

Clone scripts from isamdocker git repository

As the standard user, clone the git repository that contains the scripts used by my cookbooks and link into the user’s home directory:

git clone https://github.com/jonpharry/isamdocker.git ~/isamdocker

mkdir ~/studentfiles

ln -s ~/isamdocker/studentfiles/container-install ~/studentfiles/container-install


#ISAM
#containers
#Kubernetes
#Docker
#Helm
0 comments
57 views

Permalink