Kubernetes Dashboard Ingress SSL certificate configuration

Dashboard Ingress

Posted by BlueFat on Thursday, September 17, 2020

Remove the existing installation

Remove the installed kubernetes-dashboard:

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
kubectl delete -f recommended.yaml

Request a certificate

You can use cert-manager to obtain a free three-month certificate; the tool renews it automatically.

Here a one-year certificate was requested from XX Cloud.

Import the certificate

Create a TLS secret:

kubectl create ns kubernetes-dashboard
# The secret name must match the secretName referenced later in the Deployment volume and in the Ingress tls section
kubectl create secret tls my-dashboard-cert --cert=dashboard.sundayhk.com.pem --key=dashboard.sundayhk.com.key -n kubernetes-dashboard

Modify the configuration

Edit recommended.yaml:

  args:
    - --tls-cert-file=tls.crt # newly added
    - --tls-key-file=tls.key  # newly added
    - --token-ttl=21600       # newly added

  volumes:
    - name: kubernetes-dashboard-certs
      secret:
        secretName: my-dashboard-cert  # change to the secret holding the new certificate

The modified section in full:

spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            - --tls-cert-file=tls.crt # newly added
            - --tls-key-file=tls.key  # newly added
            - --token-ttl=21600       # newly added
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            #secretName: kubernetes-dashboard-certs
            secretName: my-dashboard-cert  # the secret holding the new certificate
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

Install the dashboard

kubectl create -f recommended.yaml

Configure permissions

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin  # unrestricted access to the whole cluster; anyone holding this account's token has it
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF


## Ingress SSL configuration
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS  # the dashboard itself serves TLS on 8443
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ingressClassName: nginx
  rules:
  - host: dashboard.sundayhk.com  # must match the tls hosts entry and the certificate's SAN
    http:
      paths:
      - backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - dashboard.sundayhk.com
    secretName: my-dashboard-cert
```

Obtain a token

kubectl -n kubernetes-dashboard create token admin-user

eyJhbGciOiJSUzI1NiIsImtpZCI6InNZMkVKa3Y3MmFKbE9lMWtlLTZybjdhX3R2ZDNoVDlzVkp6NUFHbHZGNjAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjY4NjI1NTc5LCJpYXQiOjE2Njg2MjE5NzksIm

Once the DNS record resolves, open https://dashboard.sundayhk.com
and enter the token to log in.