## Remove the existing installation

Remove the kubernetes-dashboard that is already installed:

```sh
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
kubectl delete -f recommended.yaml
```
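
## Request a certificate

You can use cert-manager to request a free three-month certificate; the tool renews it automatically. Here, a one-year certificate was requested from XX Cloud instead.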
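
## Import the certificate

Create a TLS secret:

```sh
kubectl create ns kubernetes-dashboard
# The secret name must match the secretName referenced in recommended.yaml and in the Ingress
kubectl create secret tls my-dashboard-cert --cert=dashboard.sundayhk.com.pem --key=dashboard.sundayhk.com.key -n kubernetes-dashboard
```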
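
## Modify the configuration

Edit recommended.yaml:

```yaml
args:
  - --tls-cert-file=tls.crt   # newly added
  - --tls-key-file=tls.key    # newly added
  - --token-ttl=21600         # newly added (seconds, i.e. 6 hours)
volumes:
  - name: kubernetes-dashboard-certs
    secret:
      secretName: my-dashboard-cert   # change to the secret holding the new certificate
```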

The modified section of the Deployment:

```yaml
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            - --tls-cert-file=tls.crt   # newly added
            - --tls-key-file=tls.key    # newly added
            - --token-ttl=21600         # newly added
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            #secretName: kubernetes-dashboard-certs
            secretName: my-dashboard-cert   # secret holding the new certificate
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
```

## Install the dashboard

```sh
kubectl create -f recommended.yaml
```

## Configure permissions

```sh
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
EOF
```

## Ingress SSL configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ingressClassName: nginx
  rules:
    - host: dashboard.sundayhk.com   # must match the host listed under tls
      http:
        paths:
          - backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - dashboard.sundayhk.com
      secretName: my-dashboard-cert
```

## Get a token

```sh
kubectl -n kubernetes-dashboard create token admin-user
eyJhbGciOiJSUzI1NiIsImtpZCI6InNZMkVKa3Y3MmFKbE9lMWtlLTZybjdhX3R2ZDNoVDlzVkp6NUFHbHZGNjAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjY4NjI1NTc5LCJpYXQiOjE2Njg2MjE5NzksIm
```

Once the DNS record resolves, open https://dashboard.sundayhk.com and enter the token to log in.
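
To check what a token printed by `kubectl create token` asserts and when it expires before pasting it into the login form, the following added example (not part of the original page) decodes the token's claims without verifying the signature. The helper names `inspect_token` and `make_sample_token` are hypothetical, and the sample token is constructed with a dummy signature.

```python
import base64
import json
import time


def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment; JWTs strip the '=' padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_token(token: str, now=None) -> dict:
    """Summarise header and claims. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature; token may be truncated")
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),        # which service account the token speaks for
        "audience": claims.get("aud"),
        "lifetime_s": claims["exp"] - claims["iat"],
        "remaining_s": max(0, int(claims["exp"] - now)),
        "expired": now >= claims["exp"],
    }


def make_sample_token(iat: int, ttl: int) -> str:
    """Constructed sample shaped like a service-account token (dummy signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    claims = {
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "exp": iat + ttl,
        "iat": iat,
        "sub": "system:serviceaccount:kubernetes-dashboard:admin-user",
    }
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    sample = make_sample_token(iat=1668621979, ttl=3600)   # constructed values
    print(json.dumps(inspect_token(sample, now=1668622000), indent=2))
```

Because `admin-user` is bound to `cluster-admin`, the `subject` and `remaining_s` fields show who holds full cluster rights and for how much longer.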