Tuesday, July 30, 2019

[Kubernetes] How to install Kubernetes Dashboard without an invalid certificate

When I followed the instructions from the official site (https://github.com/kubernetes/dashboard) to install the Kubernetes Dashboard, I encountered the problem that I could not access the dashboard via my browser because the certificate was invalid. After figuring it out, here is my approach to resolving it.



Create your own certificate and key, following https://github.com/kubernetes/dashboard/wiki/Certificate-management. Two things to know before running the commands below. First, the first two openssl commands only create a passphrase-protected key and then strip the passphrase again (and the passphrase is passed on the command line, where it ends up in shell history and the process list); openssl genrsa without -des3 produces the same unencrypted dashboard.key in one step. Second, the result is a self-signed certificate: the browser will keep warning until you import dashboard.crt into its trust store, and even then it only matches if the certificate names the host or IP you browse to. Current browsers (Chrome since version 58, Apple platforms since 2019) match the host against the subjectAltName extension and ignore the Common Name, so a certificate with only a CN will still be reported as invalid.
$ cd /home/liudanny/Downloads/dashboard
$ openssl genrsa -des3 -passout pass:1234 -out dashboard.pass.key 2048
$ openssl rsa -passin pass:1234 -in dashboard.pass.key -out dashboard.key
$ openssl req -new -key dashboard.key -out dashboard.csr
$ openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt

$ ls -al
-rw-rw-r-- 1 liudanny liudanny 1111 Jul 30 13:08 dashboard.crt
-rw-rw-r-- 1 liudanny liudanny  952 Jul 30 13:08 dashboard.csr
-rw------- 1 liudanny liudanny 1675 Jul 30 13:07 dashboard.key
Create the certificate secret. With --from-file pointing at a directory, kubectl adds every file in it as a key named after the file, which is why DATA shows 3 (dashboard.crt, dashboard.csr and dashboard.key); the CSR is not needed by the dashboard, but it is harmless. The key names matter: they are what the --tls-cert-file and --tls-key-file arguments below refer to, relative to the directory where the secret is mounted in the dashboard pod (/certs in the stock manifest).
$ kubectl create secret generic kubernetes-dashboard-certs \
  --from-file=/home/liudanny/Downloads/dashboard -n kube-system
$ kubectl get secrets kubernetes-dashboard-certs -n kube-system
NAME                         TYPE     DATA   AGE
kubernetes-dashboard-certs   Opaque   3      3m
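The openssl steps above produce a certificate with a CN only. As an added example (this is not code from the original post or from the dashboard project), the script below generates a key and a self-signed certificate whose subjectAltName carries the node IP and a DNS name, checks that the certificate really embeds the key and the names, and prints the kubernetes-dashboard-certs Secret manifest built from dashboard.crt and dashboard.key only, so the CSR never ends up in the cluster. It assumes the OpenSSL command-line tool is installed; the address 192.0.2.10 and the name dashboard.example.internal are placeholders, not real hosts, and should be replaced with whatever you will type into the browser.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): self-signed dashboard certificate
# with a subjectAltName that matches the address you browse to, plus checks and
# the Secret manifest the dashboard mounts. Placeholders: 192.0.2.10 and
# dashboard.example.internal. Requires the openssl CLI.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# make_dashboard_cert OUTDIR CN SANS
#   Writes OUTDIR/dashboard.key and OUTDIR/dashboard.crt. SANS is the
#   subjectAltName value, e.g. "IP:192.0.2.10,DNS:dashboard.example.internal".
#   A config file is used instead of -addext so this also works on OpenSSL < 1.1.1.
make_dashboard_cert() {
  local outdir="$1" cn="$2" sans="$3"
  mkdir -p "$outdir"
  cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $cn
[v3_req]
subjectAltName   = $sans
extendedKeyUsage = serverAuth
EOF
  # -nodes writes an unencrypted key directly: no passphrase round-trip and no
  # password on the command line (where it would land in shell history).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -config "$outdir/san.cnf" \
      -keyout "$outdir/dashboard.key" -out "$outdir/dashboard.crt" 2>/dev/null
  chmod 600 "$outdir/dashboard.key"
}

# cert_has_san CRT ENTRY: true if ENTRY, as openssl prints it (for example
# "IP Address:192.0.2.10" or "DNS:dashboard.example.internal"), is in the cert.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# cert_matches_key CRT KEY: true if the certificate embeds KEY's public key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# dashboard_secret_manifest DIR: the Secret the dashboard expects, built from
# dashboard.crt and dashboard.key only (the CSR does not belong in it). The key
# names are what --tls-cert-file / --tls-key-file refer to.
dashboard_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: kubernetes-dashboard-certs\n  namespace: kube-system\ntype: Opaque\ndata:\n'
  printf '  dashboard.crt: %s\n' "$(base64 < "$1/dashboard.crt" | tr -d '\n')"
  printf '  dashboard.key: %s\n' "$(base64 < "$1/dashboard.key" | tr -d '\n')"
}

main() {
  local dir
  dir=$(mktemp -d)
  make_dashboard_cert "$dir" kubernetes-dashboard "IP:192.0.2.10,DNS:dashboard.example.internal"
  openssl x509 -in "$dir/dashboard.crt" -noout -subject -dates
  cert_matches_key "$dir/dashboard.crt" "$dir/dashboard.key" && echo "key and certificate match"
  # A self-signed certificate verifies only when it is itself the trust anchor,
  # which is exactly what importing dashboard.crt into the browser achieves.
  if openssl verify -CAfile "$dir/dashboard.crt" "$dir/dashboard.crt" >/dev/null 2>&1; then
    echo "verifies against itself: import dashboard.crt into the browser to silence the warning"
  fi
  dashboard_secret_manifest "$dir" > "$dir/kubernetes-dashboard-certs.yaml"
  echo "manifest written to $dir/kubernetes-dashboard-certs.yaml (apply it with kubectl apply -f)"
}

main "$@"
```

Once the dashboard is running with these files, curl --cacert dashboard.crt https://192.0.2.10:<nodeport>/ (with your real address) should succeed without -k; if it still fails on the name, the subjectAltName does not cover the address you are using.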
Modify the kubernetes-dashboard.yaml file as follows (the original post marked the changes in red; in plain text they are: comment out the Secret block, because we created that secret ourselves; replace --auto-generate-certificates with explicit --tls-cert-file and --tls-key-file arguments naming the keys of our secret; and change the Service type to NodePort):
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kube-system
#type: Opaque

...
...
...

    containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          #- --auto-generate-certificates
          - --tls-cert-file=dashboard.crt
          - --tls-key-file=dashboard.key
...
...
...

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard


Create the dashboard
$ kubectl create -f kubernetes-dashboard.yaml
$ kubectl get all -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
pod/calico-node-pwg6z                       2/2     Running   7          23h
pod/coredns-6f685fffbf-7cht4                1/1     Running   2          23h
pod/coredns-6f685fffbf-gr9nw                1/1     Running   2          23h
pod/etcd-51-0a50338-01                      1/1     Running   5          23h
pod/kube-apiserver-51-0a50338-01            1/1     Running   5          23h
pod/kube-controller-manager-51-0a50338-01   1/1     Running   6          23h
pod/kube-proxy-xxhrr                        1/1     Running   5          23h
pod/kube-scheduler-51-0a50338-01            1/1     Running   6          23h
pod/kubernetes-dashboard-7945d586d8-s8qh8   1/1     Running   0          8m


NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
service/calico-typha           ClusterIP   10.109.205.33   <none>        5473/TCP        23h
service/kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   23h
service/kubernetes-dashboard   NodePort    10.97.15.51     <none>        443:32060/TCP   8m

NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
daemonset.apps/calico-node   1         1         1       1            1           beta.kubernetes.io/os=linux   23h
daemonset.apps/kube-proxy    1         1         1       1            1           <none>                        23h

NAME                                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/calico-typha           0         0         0            0           23h
deployment.apps/coredns                2         2         2            2           23h
deployment.apps/kubernetes-dashboard   1         1         1            1           8m

NAME                                              DESIRED   CURRENT   READY   AGE
replicaset.apps/calico-typha-db64dbf86            0         0         0       23h
replicaset.apps/coredns-6f685fffbf                2         2         2       23h
replicaset.apps/kubernetes-dashboard-7945d586d8   1         1         1       8m

Create the admin role manifest, admin-role.yaml (adapted from https://rootsongjc.gitbooks.io/kubernetes-handbook/guide/auth-with-kubeconfig-or-token.html). It binds the built-in cluster-admin ClusterRole to a service account named admin, so the token we fetch next grants unrestricted control of the whole cluster: anyone who obtains it (from a screenshot, terminal scrollback or a shared kubeconfig) owns the cluster, and it stays valid until the token Secret is deleted. Use it for administration only; for everyday browsing, bind the built-in view ClusterRole to a separate service account instead. The API version below is the stable rbac.authorization.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22):
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
Apply it and find the token Secret that the control plane generated for the service account. On Kubernetes 1.23 and older this Secret is created automatically, as shown here; on 1.24 and newer it is not, and kubectl -n kube-system create token admin issues a time-limited token instead.
$ kubectl create -f admin-role.yaml
$ kubectl -n kube-system get secret | grep admin-token
admin-token-2rl79                                kubernetes.io/service-account-token   3      73m 

$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-token | awk '{print $1}')
$ kubectl -n kube-system describe secret admin-token-2rl79
Name:         admin-token-2rl79
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin
              kubernetes.io/service-account.uid: 5def3667-b28e-11e9-a95a-e0cb4ed86372

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Or extract just the token (this prints the full credential to the terminal, so clear your scrollback afterwards and never paste it into tickets or chat):
$ kubectl -n kube-system get secret admin-token-2rl79 -o jsonpath={.data.token}|base64 -d
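What that token actually is: the base64 value in .data.token is a JWT signed by the API server, and its claims name the service account the dashboard will act as. The script below is an added example, not code from the original post, that takes the JSON form of such a Secret, decodes the token and reads its claims; it also shows that a legacy token has no exp claim, so it never expires and can only be revoked by deleting the Secret (tokens from kubectl create token on 1.24+ do carry exp and aud). The Secret JSON is constructed here to mirror the admin-token-2rl79 secret from this post; the signature segment is a placeholder, because decoding the claims is not verifying them, and only the API server, which holds the signing key, can do that.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decode the service-account token
# stored in a kubernetes.io/service-account-token Secret and print its claims.
# The sample Secret below is constructed; its signature is a placeholder.
set -eu

# JWT segments use the URL-safe base64 alphabet without padding.
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# --- constructed sample: a trimmed version of what
# `kubectl -n kube-system get secret admin-token-2rl79 -o json` returns ---
# A legacy (pre-1.24) service-account token carries these claims and no exp.
CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/secret.name":"admin-token-2rl79","kubernetes.io/serviceaccount/service-account.name":"admin","kubernetes.io/serviceaccount/service-account.uid":"5def3667-b28e-11e9-a95a-e0cb4ed86372","sub":"system:serviceaccount:kube-system:admin"}'
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256"}' | b64url_encode).$(printf '%s' "$CLAIMS" | b64url_encode).placeholder-signature"
SAMPLE_SECRET_JSON="{\"kind\":\"Secret\",\"metadata\":{\"name\":\"admin-token-2rl79\",\"namespace\":\"kube-system\"},\"type\":\"kubernetes.io/service-account-token\",\"data\":{\"namespace\":\"$(printf '%s' kube-system | base64)\",\"token\":\"$(printf '%s' "$SAMPLE_JWT" | base64 | tr -d '\n')\"}}"

# token_from_secret_json JSON: the bearer token, i.e. base64-decoded .data.token
token_from_secret_json() {
  printf '%s' "$1" | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p' | base64 -d
}

# jwt_claim TOKEN NAME: value of claim NAME from the payload segment, string or
# number, without any signature check (empty output if the claim is absent).
jwt_claim() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s|.*\"$2\":\"\{0,1\}\([^\",}]*\).*|\1|p"
}

main() {
  local token exp
  token=$(token_from_secret_json "$SAMPLE_SECRET_JSON")
  echo "subject:   $(jwt_claim "$token" sub)"
  echo "account:   $(jwt_claim "$token" kubernetes.io/serviceaccount/service-account.name)"
  echo "namespace: $(jwt_claim "$token" kubernetes.io/serviceaccount/namespace)"
  exp=$(jwt_claim "$token" exp)
  echo "expiry:    ${exp:-none (legacy token; revoke it by deleting the Secret)}"
}

main "$@"
```

To run it against a real cluster, replace SAMPLE_SECRET_JSON with the output of kubectl -n kube-system get secret admin-token-2rl79 -o json; the sub claim is the identity you will see in the API server audit log for everything done through the dashboard.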
Because the dashboard Service is of type NodePort, we need to look up the port it was given. Keep in mind that a NodePort is opened on every node's IP, not just the master's, and is reachable from anywhere that can reach the nodes, so restrict it with a firewall or security group, or use kubectl proxy instead, if the nodes are exposed.
$ kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
calico-typha           ClusterIP   10.109.205.33   <none>        5473/TCP        24h
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   24h
kubernetes-dashboard   NodePort    10.97.15.51     <none>        443:32060/TCP   145m
Connect to your dashboard:
https://<<your master node's ip>>:32060
Log in with the token from above (choose the Token option on the sign-in page). The dashboard overview page then appears.
P.S.:
Here are some commands for inspecting and cleaning up the dashboard objects, for reference (the delete chain removes everything the stock manifest created, so the dashboard can be re-created from scratch):
$ kubectl get secret,sa,role,rolebinding,services,deployments --namespace=kube-system | grep kubernetes-dashboard-admin

$ kubectl delete deployment kubernetes-dashboard --namespace=kube-system \
  && kubectl delete service kubernetes-dashboard  --namespace=kube-system \
  && kubectl delete role kubernetes-dashboard-minimal --namespace=kube-system \
  && kubectl delete rolebinding kubernetes-dashboard-minimal --namespace=kube-system \
  && kubectl delete sa kubernetes-dashboard --namespace=kube-system \
  && kubectl delete secret kubernetes-dashboard-certs --namespace=kube-system \
  && kubectl delete secret kubernetes-dashboard-key-holder --namespace=kube-system
Ref:
https://www.sunmite.com/docker/use-kubeadmin-deploy-kubernetes.html
