Opening the dashboard web UI fails (certificate error reported)

2019-11-29  六分

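After installing kubernetes-dashboard-amd64:v1.10.1 by following the previous tutorial, opening the dashboard in a browser reports a signature error.
Running kubectl logs kubernetes-dashboard-5f7b999d65-8j5n8 --namespace=kube-system shows the error log.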

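My guess is that the signing certificate bundled with kubernetes-dashboard has expired (or something else is wrong), so the steps below issue a self-signed certificate: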
sudo su -
mkdir -p /data/tls && cd /data/tls
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=CA"
# Generate the private key
openssl genrsa -out dashboard.key 2048
# Create the certificate signing request
# ip is the IP address used to access the dashboard

export ip=192.168.160.100

openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=$ip"

cat >  dashboard.cnf  <<EOF
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:$ip,IP:127.0.0.1,DNS:$ip,DNS:localhost
EOF
openssl x509 -req -sha256 -days 3650 -in dashboard.csr -out dashboard.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile dashboard.cnf
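
Before the files go into the secret, it helps to confirm that dashboard.crt chains to ca.crt, carries the access IP in its subjectAltName, and matches dashboard.key. The script below is an added example, not part of the original post: check_dashboard_cert and make_sample_certs are hypothetical helper names, the sample certificates are throwaway ones constructed for the demonstration, and it assumes the openssl CLI with its default openssl.cnf.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files that go into
# kubernetes-dashboard-certs. Helper names are hypothetical.
# Usage: check_dashboard_cert /data/tls/ca.crt /data/tls/dashboard.crt /data/tls/dashboard.key "$ip"
check_dashboard_cert() {
    ca=$1 crt=$2 key=$3 ip=$4 rc=0
    # 1. Chain to the CA, current validity, serverAuth usage and IP SAN.
    if ! out=$(openssl verify -CAfile "$ca" -purpose sslserver \
            -verify_ip "$ip" "$crt" 2>&1); then
        echo "FAIL: chain/usage/SAN check for IP $ip: $out" >&2
        rc=1
    fi
    # 2. The private key must belong to the certificate (same public key).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2
        rc=1
    fi
    # 3. Refuse a certificate that expires within the next 30 days.
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 30 days" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: a throwaway CA and leaf issued the same way as
# above (short lifetime, minimal subject), written into directory $1 for IP $2.
make_sample_certs() {
    dir=$1 san_ip=$2
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -days 365 -subj "/CN=CA"
    openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/dashboard.key" \
        -out "$dir/dashboard.csr" -subj "/CN=$san_ip"
    cat > "$dir/dashboard.cnf" <<EOF
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = IP:$san_ip,IP:127.0.0.1,DNS:localhost
EOF
    openssl x509 -req -sha256 -days 365 -in "$dir/dashboard.csr" \
        -out "$dir/dashboard.crt" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/dashboard.cnf" 2>/dev/null
}
```

A non-zero exit status from check_dashboard_cert means at least one check failed; the reason is printed on stderr.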

At this point the dashboard certificate has been issued. Next, delete the old kubernetes-dashboard and recreate it with the new certificate.

# Method 1 (this failed with an error for me, so I used method 2)
kubectl delete -f kubernetes-dashboard.yaml
# Method 2 (the resources have to be deleted manually, one by one)
kubectl delete deployment kubernetes-dashboard --namespace=kube-system 
kubectl delete service kubernetes-dashboard  --namespace=kube-system 
kubectl delete role kubernetes-dashboard-minimal --namespace=kube-system 
kubectl delete rolebinding kubernetes-dashboard-minimal --namespace=kube-system
kubectl delete sa kubernetes-dashboard --namespace=kube-system 
kubectl delete secret kubernetes-dashboard-certs --namespace=kube-system
kubectl delete secret kubernetes-dashboard-csrf --namespace=kube-system
kubectl delete secret kubernetes-dashboard-key-holder --namespace=kube-system
kubectl create secret generic kubernetes-dashboard-certs --from-file="/data/tls/dashboard.crt,/data/tls/dashboard.key" -n kube-system 
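# In kubernetes-dashboard.yaml, the Dashboard Secret section is commented out, because the secret was already created above:
# ------------------- Dashboard Secret ------------------- #
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kube-system
#type: Opaque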
kubectl create -f kubernetes-dashboard.yaml
kubectl get po -n kube-system
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

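Configure the admin token. The manifest above, saved as k8s-admin-token.yaml, creates an admin ServiceAccount bound to the cluster-admin ClusterRole, so the resulting token has full control of the cluster.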

kubectl create -f k8s-admin-token.yaml

Retrieve the login token dynamically

kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system

Open https://<your-ip>:32288 in a browser and log in with the token. Note: if you are using a cloud server, you need to open port 32288 in the server's security group policy.
