k8s dashboard and install an updated certificate

Others 2019-08-08 23:23:28 views: null

1, k8s build See https://blog.51cto.com/lizhenliang/2325770

[root@VM_0_48_centos ~]# kubectl  get cs
NAME                 STATUS    MESSAGE              ERROR
scheduler            Healthy   ok                   
controller-manager   Healthy   ok                   
etcd-1               Healthy   {"health": "true"}   
etcd-0               Healthy   {"health": "true"}   
etcd-2               Healthy   {"health": "true"}

Note: The blog has few modifications.

/ Opt / kubernetes / cfg / groin-apiserver:

需要由:--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota

改为:  --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction   去掉:SecurityContextDeny

 

2, dashboard download address: / opt / dashboard / Note: admin-token.yaml created by hand

git clone  https://github.com/kubernetes/kubernetes.git 

[root@VM_0_48_centos dashboard]# ll *.yaml
-rw-r--r-- 1 root root  515 Aug  8 10:11 admin-token.yaml
-rw-r--r-- 1 root root  264 Aug  5 16:27 dashboard-configmap.yaml
-rw-r--r-- 1 root root 1835 Aug  8 09:14 dashboard-controller.yaml
-rw-r--r-- 1 root root 1353 Aug  5 16:27 dashboard-rbac.yaml
-rw-r--r-- 1 root root  551 Aug  5 16:27 dashboard-secret.yaml
-rw-r--r-- 1 root root  339 Aug  7 15:24 dashboard-service.yaml

  

3, modify the dashboard-service.yaml content   

[root@VM_0_48_centos dashboard]# cat dashboard-service.yaml 
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  type: NodePort   #添加Nodeport 以便访问
  selector:
    k8s-app: kubernetes-dashboard
  ports:
  - port: 443
    targetPort: 8443

 

4, start the service

kubectl  apply  -f dashboard-configmap.yaml 

 kubectl  apply  -f dashboard-secret.yaml 

kubectl  apply  -f dashboard-rbac.yaml 

kubectl apply -f dashboard-service.yaml 

kubectl  apply -f  dashboard-controller.yaml

 

5, /usr/lib/systemd/system/kubelet.service modify parameters: cluster-dns cluster-domain 

 kubectl  describe pod kubernetes-dashboard-746dfd476-mdv5n  -n kube-system

b error: kubelet does not have ClusterDNS IP configured and can not create PodJ Solutions

[root@VM_0_48_centos dashboard]# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentGoogle nmentFile ro = / usr / kubernetes / CFG / omelet
ExecStart = / usr / kubernetes / bin / omelet $ KUBELET_OPTS
Restart = on-failure
KillMode = process

[Install]
WantedBy=multi-user.target
[root@VM_0_48_centos dashboard]# cat /opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=172.19.0.48 \
--cluster-dns=10.0.0.2 \             ### 配置dns
--cluster-domain=cluster.local \   ###配置域名
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

修改完以后,重启服务发现正常

6、权限问题 发现官网yaml授权中只有默认的defalut ,需要重新绑定角色。
[root @ VM_0_48_centos Dashboard] # CAT ADMIN-token.yaml 
kind: ClusterRoleBinding 
apiVersion: rbac.authorization.k8s.io/v1beta1 
the Metadata: 
  name: ADMIN 
  Annotations: 
    rbac.authorization.kubernetes.io/autoupdate: "to true" 
roleRef: 
  kind : ClusterRole 
  name: ADMIN # Cluster-term role is not the time to build the system automatically generates administrator role 
  apiGroup: rbac.authorization.k8s.io 
Subjects: 
- kind: ServiceAccount 
  name: ADMIN 
  namespace: Kube-system 
--- 
apiVersion: v1 
kind: ServiceAccount 
Metadata: 
  name: ADMIN 
  namespace: Kube-System 
  Labels: 
    kubernetes.io/cluster-service: "to true"

  To the official website of yaml:

[root@VM_0_48_centos dashboard]# cat dashboard-rbac.yaml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-minimal
  namespace: kube-system   #只能看到systemo 空间
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace:Kube-System 
    k8s-app: kubernetes-Dashboard
  Labels:
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

  

Future updates for login token:

[root@VM_0_48_centos dashboard]# kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system  
Name:         admin-token-j8sjg
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin
              kubernetes.io/service-account.uid: d9e482cf-b981-11e9-9170-525400c318af

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace :   11 bytes 
token: **************************** ********************* ## design Confidential

 


7、更新https证书有效期,解决只能由火狐浏览器访问,其他浏览器无法访问问题。

产生证书:
mkdir key && cd key
openssl genrsa -out dashboard.key 2048 

openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=172.19.0.48'

openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt 

kubectl delete secret kubernetes-dashboard-certs -n kube-system

kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system  #新的证书

POD Kubernetes the Delete kubectl -dashboard-746dfd476-b2r5f -n Kube-System # to restart the service

 

8、效果展示:



 

Guess you like

Origin www.cnblogs.com/xiajq/p/11322568.html
Recommended
"U.S. Threats and Damage to Global Cyberspace Security and Development" report released
Ranking
[DP] expected [UVA1498] Activation
What is the ABAP Dynpro program
记录一下halcon例程报错和两个视觉库感兴趣区域绘制
characterReplacement-the longest repeated character after replacement
Target element by id somewhere within an element targeted by id
Test classification
NOI 8780 interceptor missile linear dp
Equipment inspection management wants to fine, light streams Weapon children
sql packet takes the value of the most
Computer java project recommendation SSM (Spring+SpringMVC+MyBatis) takeaway ordering management system
Daily
More
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)
2024-04-22(5)
2024-04-21(0)
2024-04-20(6)

Code World

© 2018 codetd.com