1. 當前環境
kubernetes v1.17
dashboard v2.0.0-rc5
2. 部署dashboard
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
修改service的為NodePort:30443,以便外網可以訪問,以https訪問網站時出現證書無效的錯誤。
3. 自簽證書
- 創建自簽名CA
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/C=CN/ST=CD/L=GX/O=WHYFATE/OU=WH/CN=CA"
- 簽發dashboard證書
openssl genrsa -out dashboard.key 2048
openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=CD/L=GX/O=WHYFATE/OU=WH/CN=192.168.0.200"
// ---配置dashboard.cnf ---
// vim dashboard.cnf
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:192.168.0.200,IP:127.0.0.1,DNS:192.168.0.200,DNS:localhost
// --- 簽發證書 ---
openssl x509 -req -sha256 -days 3650 -in dashboard.csr -out dashboard.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile dashboard.cnf
4. 更新部署dashboard
- 刪除 kubernetes-dashboard-certs
kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard
- 根據文件生成secret
kubectl create secret generic kubernetes-dashboard-certs --from-file="tls/dashboard.crt,tls/dashboard.key" -n kubernetes-dashboard
- 刪除 dashboard pod 更新部署
5. 導入CA
拷貝ca.crt文件到要訪問的機器上,導入證書。
mac os 打開 鑰匙串訪問,把ca文件拖進去,信任 選擇 始終信任,訪問網站,出現192.168.0.200的登錄證書,信任 選擇 始終信任即可。
6. 創建ServiceAccount以便登錄dashboard
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
- 得到token
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
拷貝token,登錄選擇token即可。