
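How to fix the certificate signature error shown when opening the dashboard web UI after installing kubernetes-dashboard-amd64

Published: 2019-11-29 10:53:06

After installing kubernetes-dashboard-amd64:v1.10.1, opening the dashboard in a browser reports a signature error.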


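Running kubectl logs kubernetes-dashboard-5f7b999d65-8j5n8 --namespace=kube-system shows the error log.

Presumably the signing certificate bundled with kubernetes-dashboard has expired (or there is some other cause), so the steps below issue a self-signed certificate.

Switch to the root user

sudo su -

Create the self-signed certificate

The following steps may fail with an error because the file /root/.rnd cannot be found; if so, simply create it with touch /root/.rnd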

mkdir -p /data/tls && cd /data/tls

# Create the CA key and the self-signed CA certificate
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=CA"

# Generate the dashboard private key
openssl genrsa -out dashboard.key 2048

# Create the certificate signing request
# ip is the IP address used to access the dashboard
export ip=192.168.160.100
openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=$ip"

# Extension file read by "openssl x509 -extfile" in the signing step
cat > dashboard.cnf <<EOF
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:$ip,IP:127.0.0.1,DNS:$ip,DNS:localhost
EOF

Sign the certificate

openssl x509 -req -sha256 -days 3650 -in dashboard.csr -out dashboard.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile dashboard.cnf

The dashboard certificate is now signed. Next, delete the old kubernetes-dashboard and recreate it with the new certificate.
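A check worth running on /data/tls before the files are loaded into the secret, written as an added example that is not part of the original article. The function names check_dashboard_cert and issue_sample_cert are hypothetical, and the sample certificates are constructed in a scratch directory by repeating the signing steps above.

```shell
#!/bin/sh
# Added example: checks for the files that go into kubernetes-dashboard-certs.
# check_dashboard_cert DIR IP -> status 0 only if every check passes.
check_dashboard_cert() {
    dir=$1; want_ip=$2; rc=0
    crt=$dir/dashboard.crt; key=$dir/dashboard.key; ca=$dir/ca.crt
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) ||
        { echo "FAIL: cannot parse $crt"; return 1; }
    # 1. The certificate chains to the CA that was created alongside it.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: dashboard.crt does not verify against ca.crt"; rc=1; }
    # 2. dashboard.key is the private key for dashboard.crt (same public key).
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: dashboard.key does not match dashboard.crt"; rc=1; }
    # 3. The SAN lists the exact IP typed into the browser.
    printf '%s\n' "$text" | tr ',' '\n' | sed 's/^ *//' |
        grep -Fxq "IP Address:$want_ip" ||
        { echo "FAIL: SAN has no IP entry for $want_ip"; rc=1; }
    # 4. serverAuth is among the extended key usages.
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
        { echo "FAIL: extendedKeyUsage lacks serverAuth"; rc=1; }
    # 5. Not expired, and not expiring within the next 24 hours.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expired or expires within 24h"; rc=1; }
    return $rc
}

# Constructed sample: repeat the article's signing steps in directory $1 for IP $2.
issue_sample_cert() {
    ( cd "$1" && ip=$2 &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/CN=CA" &&
      openssl genrsa -out dashboard.key 2048 &&
      openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/CN=$ip" &&
      printf '%s\n' 'extensions = san' '[san]' 'keyUsage = digitalSignature' \
          'extendedKeyUsage = clientAuth,serverAuth' 'subjectKeyIdentifier = hash' \
          'authorityKeyIdentifier = keyid,issuer' \
          "subjectAltName = IP:$ip,IP:127.0.0.1,DNS:localhost" > dashboard.cnf &&
      openssl x509 -req -sha256 -days 3650 -in dashboard.csr -out dashboard.crt \
          -CA ca.crt -CAkey ca.key -CAcreateserial -extfile dashboard.cnf
    ) >/dev/null 2>&1
}

# Run as a script: sh check.sh /data/tls 192.168.160.100
if [ "$#" -eq 2 ]; then check_dashboard_cert "$1" "$2"; fi
```

A key that does not match the certificate, or a SAN that lacks the address typed into the browser, is reported here before the secret is created.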

Delete the old kubernetes-dashboard

# Method 1: (this gave me an error, so I chose method 2)
kubectl delete -f kubernetes-dashboard.yaml

# Method 2: (each object has to be deleted by hand, one at a time)
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
kubectl delete service kubernetes-dashboard --namespace=kube-system
kubectl delete role kubernetes-dashboard-minimal --namespace=kube-system
kubectl delete rolebinding kubernetes-dashboard-minimal --namespace=kube-system
kubectl delete sa kubernetes-dashboard --namespace=kube-system
kubectl delete secret kubernetes-dashboard-certs --namespace=kube-system
kubectl delete secret kubernetes-dashboard-csrf --namespace=kube-system
kubectl delete secret kubernetes-dashboard-key-holder --namespace=kube-system

Create the secret kubernetes-dashboard-certs

kubectl create secret generic kubernetes-dashboard-certs --from-file="/data/tls/dashboard.crt,/data/tls/dashboard.key" -n kube-system

Edit kubernetes-dashboard.yaml and comment out the Dashboard Secret section, so that the secret created above with your own certificate is used.

# ------------------- Dashboard Secret ------------------- #
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kube-system
#type: Opaque

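Deploy the dashboard

kubectl create -f kubernetes-dashboard.yaml
kubectl get po -n kube-system

This completes the steps for creating kubernetes-dashboard with a self-made certificate. If you already created an admin token from a k8s-admin-token.yaml file in an earlier step, you can skip the next step, fetch the token directly and open the browser to log in.

If you have not created an admin token, do the following:

Create the file k8s-admin-token.yaml with the following content: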

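# Binds the "admin" ServiceAccount to the built-in cluster-admin ClusterRole,
# so the token of this account has full control over the whole cluster.
kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# newer clusters need rbac.authorization.k8s.io/v1 here.
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile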

Configure the admin token

kubectl create -f k8s-admin-token.yaml

Fetch the login token

kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system

Open https://<your-ip>:32288 in a browser and log in with the token. Note that if you are using a cloud server, you need to open port 32288 in the server's security group policy.

