Deploy Kubernetes Dashboard with HTTPS

0. Pitfalls

After deploying the Kubernetes Dashboard, all four access methods given in the official docs have their pitfalls 😫.

1. kubectl proxy

Only reachable from the local machine; if the cluster is deployed on a VPS you cannot log in this way.

2. NodePort

In case you are trying to expose Dashboard using NodePort on a multi-node cluster, then you have to find out IP of the node on which Dashboard is running to access it. Instead of accessing https://<master-ip>:<nodePort> you should access https://<node-ip>:<nodePort>.
This exposes a port on the node IP. The browser will still complain about the certificate and refuse the connection; I tested Chrome, Edge and IE and none of them could open it. You have to supply your own certificate, so below I explain how to issue one for your own domain. NodePort exposes the node directly to the public network, so it is only recommended for development environments and single-node installs.

3. API Server

In case Kubernetes API server is exposed and accessible from outside you can directly access dashboard at: https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Note: This way of accessing Dashboard is only possible if you choose to install your user certificates in the browser. In example certificates used by kubeconfig file to contact API Server can be used.

4. Ingress

Dashboard can be also exposed using Ingress resource. For more information check: https://kubernetes.io/docs/concepts/services-networking/ingress.

2. Issue a certificate with the acme.sh script

The acme.sh script can obtain free certificates from Let's Encrypt (see the acme.sh project page and its wiki).

1. Install the script
cd ~ && curl https://get.acme.sh | sh && alias acme.sh=~/.acme.sh/acme.sh
2. Configure nginx
My nginx runs on another machine, so an A record pointing to the nginx server has to be added in DNS. Add a subdomain named k8s and configure it in nginx.
This step is mandatory; without it the HTTP challenge cannot verify that you own the domain. DNS validation is an alternative, but I won't go into it here.

server {
        listen 80;
        listen [::]:80;
        server_name k8s.502.li;
        set $base /var/www/k8s;
        root $base/;
}

3. Issue the certificate; by default it is saved under ~/.acme.sh/mydomain.com
acme.sh --issue -d mydomain.com --nginx

4. Upload the certificate to the k8s-master node
Only two files are needed: mydomain.com.cer and mydomain.com.key. Rename mydomain.com.cer to dashboard.crt and mydomain.com.key to dashboard.key, then copy both files, by whatever means you prefer, into the ~/certs directory on the k8s-master machine.
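The staging step above is where mistakes are easiest to make: a key that does not belong to the certificate, a certificate issued for a different host, or stray files left in ~/certs that later end up inside the secret. As an added example (not code from the original post or from acme.sh), this POSIX shell script copies the acme.sh output into a clean directory under the dashboard.crt / dashboard.key names and verifies the pair first. The function names, the domain k8s.example.test and the self-signed pair that make_sample_pair generates as stand-in input are assumptions made for this example; with real acme.sh output you would call prepare_dashboard_certs on ~/.acme.sh/<domain> instead.

```shell
#!/bin/sh
# Added example, not code from the original post or from acme.sh.
# Stages the acme.sh output as dashboard.crt / dashboard.key and checks the
# pair before it is turned into the kubernetes-dashboard-certs secret.
# prepare_dashboard_certs and make_sample_pair are names chosen for this
# example; the self-signed pair make_sample_pair creates is constructed
# sample input standing in for a real Let's Encrypt certificate.
set -u

# prepare_dashboard_certs SRC_DIR DOMAIN DEST_DIR
#   SRC_DIR/DOMAIN.cer -> DEST_DIR/dashboard.crt
#   SRC_DIR/DOMAIN.key -> DEST_DIR/dashboard.key
# Exit status: 0 ok, 1 file missing, 2 key does not match certificate,
# 3 certificate is not issued for DOMAIN.
prepare_dashboard_certs() {
    src="$1"; domain="$2"; dest="$3"
    cer="$src/$domain.cer"; key="$src/$domain.key"
    [ -r "$cer" ] && [ -r "$key" ] || return 1

    # Compare the SubjectPublicKeyInfo taken from both files; this works for
    # RSA and ECDSA keys alike, unlike a modulus comparison.
    cert_pub=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2

    # The certificate must name the dashboard host, either as a SAN entry
    # or (older issuers) as the subject CN. Whitespace is stripped and the
    # entries split onto separate lines so the exact-match grep is the same
    # across OpenSSL output formats.
    if ! openssl x509 -in "$cer" -noout -text | tr -d ' ' | tr ',' '\n' \
            | grep -qxF "DNS:$domain" &&
       ! openssl x509 -in "$cer" -noout -subject | sed 's/^subject= *//' \
            | tr -d ' ' | tr ',/' '\n\n' | grep -qxF "CN=$domain"; then
        return 3
    fi

    # kubectl --from-file=DIR packs every file in DIR into the secret, so the
    # destination directory holds exactly the two files the dashboard expects.
    mkdir -p "$dest"
    cp "$cer" "$dest/dashboard.crt"
    cp "$key" "$dest/dashboard.key"
    chmod 600 "$dest/dashboard.key"
    return 0
}

# make_sample_pair DIR DOMAIN: constructed self-signed key/cert pair used as
# sample input here, written under the acme.sh file names (DOMAIN.cer/.key).
make_sample_pair() {
    dir="$1"; domain="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$domain" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.cer" >/dev/null 2>&1
}

# Stand-alone demo on a constructed pair. With real acme.sh output:
#   prepare_dashboard_certs ~/.acme.sh/k8s.example.com k8s.example.com ~/certs
work=$(mktemp -d)
make_sample_pair "$work/acme" k8s.example.test
if prepare_dashboard_certs "$work/acme" k8s.example.test "$work/certs"; then
    echo "staged in $work/certs: $(ls "$work/certs")"
else
    echo "certificate check failed with status $?" >&2
fi
```

Run the script as-is to see the check pass on the generated pair; the exit statuses 1, 2 and 3 are kept distinct so a wrapper can tell "file missing" from "wrong key" from "wrong host" before anything is uploaded to the master.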

3. Deploy kubernetes-dashboard

1. Quoting the official docs 😂
Custom certificates have to be stored in a secret named kubernetes-dashboard-certs in kube-system namespace. Assuming that you have dashboard.crt and dashboard.key files stored under $HOME/certs directory, you should create secret with contents of these files:
kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system

2. Download and modify the kubernetes-dashboard.yaml file

wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/alternative/kubernetes-dashboard.yaml

Add type: NodePort at the end of the Service definition, minding the indentation.

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort

3. Deploy and start kubernetes-dashboard
kubectl create -f kubernetes-dashboard.yaml

4. Get the kubernetes-dashboard access port and IP

kubectl -n kube-system get svc kubernetes-dashboard

5. Create an authorized user and obtain a token

cat > dashboard-adminuser.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
EOF

kubectl apply -f dashboard-adminuser.yaml
cat > admin-user-role-binding.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
EOF

kubectl apply -f admin-user-role-binding.yaml

Get the token needed for login
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kube-system
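The "grep admin-user | awk" pipeline in the token step selects the first secret whose name merely contains admin-user, so any other secret with that substring (a backup, a differently named account) can be picked up and described instead of the real token secret. As an added example, not code from the original post, the shell script below selects the token secret by its exact name prefix and type, and shows the live kubectl version of the same lookup. The function names and the listing in SAMPLE_SECRET_LIST are assumptions: the listing is constructed in the shape of "kubectl -n kube-system get secret" output with invented secret names.

```shell
#!/bin/sh
# Added example, not code from the original post. Picks the ServiceAccount
# token secret by exact name prefix and type instead of a substring grep.
# token_secret_name, get_login_token, naive_count and sample_secret are
# names chosen for this example; SAMPLE_SECRET_LIST is constructed output in
# the shape of "kubectl -n kube-system get secret" (names are invented).

# token_secret_name SA  (reads a "kubectl get secret" listing on stdin)
# Prints the secret that belongs to SA: its name must start with
# "SA-token-" and its TYPE column must be kubernetes.io/service-account-token.
token_secret_name() {
    awk -v sa="$1" '
        $2 == "kubernetes.io/service-account-token" &&
        index($1, sa "-token-") == 1 { print $1; exit }'
}

# get_login_token NAMESPACE SA: the live version. Needs kubectl and a
# cluster, so the self-check below does not call it. kubectl returns
# .data.token base64-encoded, hence the decode.
get_login_token() {
    ns="$1"; sa="$2"
    secret=$(kubectl -n "$ns" get secret --no-headers | token_secret_name "$sa")
    [ -n "$secret" ] || { echo "no token secret for $sa in $ns" >&2; return 1; }
    kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
    echo
}

# Constructed listing: two rows contain "admin-user", only one is the token.
SAMPLE_SECRET_LIST='NAME                          TYPE                                  DATA   AGE
old-admin-user-backup         Opaque                                1      7d
kubernetes-dashboard-certs    Opaque                                2      5m
default-token-abcde           kubernetes.io/service-account-token   3      10d
admin-user-token-7x9kq        kubernetes.io/service-account-token   3      2m'

# Self-check on the constructed listing: the substring match used by the
# original command hits two rows (and "awk {print $1}" would take the first,
# old-admin-user-backup); the exact match returns the token secret only.
naive_count()   { printf '%s\n' "$SAMPLE_SECRET_LIST" | grep -c admin-user; }
sample_secret() { printf '%s\n' "$SAMPLE_SECRET_LIST" | token_secret_name admin-user; }

echo "substring matches: $(naive_count); exact match: $(sample_secret)"
```

On a real cluster, get_login_token kube-system admin-user prints the decoded JWT that the dashboard login form expects, with nothing else from the describe output to copy around.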