Setting up the K8s Dashboard web UI and tuning its certificate configuration

Tech  2026-01-18

1. Download the official YAML files

What each of the five files does:

dashboard-configmap.yaml   ## ConfigMap holding the dashboard settings

dashboard-rbac.yaml        ## RBAC: the Role and RoleBinding the dashboard service account needs; it generally has to be bound to a role

dashboard-secret.yaml      ## Secrets: the TLS certificate and the key holder

dashboard-service.yaml     ## Service: exposes the web UI (as a NodePort on this page)

dashboard-controller.yaml  ## Controller: the ServiceAccount and the Deployment (sometimes listed as dashboard-deployment.yaml)

Official file location: https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dashboard/dashboard.yaml

Upstream has since merged the five files into a single dashboard.yaml.

2. Configure the service from the YAML files

Work on master01:

[root@master01 k8s]# mkdir dashboard    ## copy the official files into it
[root@master01 dashboard]# ls
dashboard-configmap.yaml  dashboard-rbac.yaml  dashboard-service.yaml  dashboard-controller.yaml  dashboard-secret.yaml  k8s-admin.yaml
## mind the order: RBAC and secrets first, then the ConfigMap, then the Deployment and the Service
[root@master01 dashboard]# kubectl create -f dashboard-rbac.yaml
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
[root@master01 dashboard]# kubectl create -f dashboard-secret.yaml
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
[root@master01 dashboard]# kubectl create -f dashboard-configmap.yaml
configmap/kubernetes-dashboard-settings created
[root@master01 dashboard]# kubectl create -f dashboard-controller.yaml
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
[root@master01 dashboard]# kubectl create -f dashboard-service.yaml
service/kubernetes-dashboard created

2.1 Once created, confirm the objects landed in the kube-system namespace

[root@localhost ~]# kubectl get pods -n kube-system -o wide
NAME                                    READY   STATUS    RESTARTS   AGE     IP            NODE              NOMINATED NODE
kubernetes-dashboard-7dffbccd68-zqfwq   1/1     Running   0          3h10m   172.17.48.3   192.168.233.200   <none>
[root@localhost ~]# kubectl get pods,svc -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
pod/kubernetes-dashboard-7dffbccd68-zqfwq   1/1     Running   0          3h7m

NAME                           TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
service/kubernetes-dashboard   NodePort   10.0.0.246   <none>        443:30001/TCP   3h9m

2.2 Open https://192.168.233.200:30001 in a browser

The NodePort is reachable on every node, not only the one the pod runs on. At this point the dashboard serves the certificate it generated for itself (--auto-generate-certificates), which no browser trusts, so a certificate warning is expected; section 3 replaces it with one signed by the cluster CA.

3. Creating the certificate

[root@master01 dashboard]# vim dashboard-cert.sh
cat > dashboard-csr.json <<EOF
{
    "CN": "Dashboard",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
K8S_CA=$1
cfssl gencert -ca=$K8S_CA/ca.pem -ca-key=$K8S_CA/ca-key.pem -config=$K8S_CA/ca-config.json -profile=kubernetes dashboard-csr.json | cfssljson -bare dashboard
kubectl delete secret kubernetes-dashboard-certs -n kube-system
kubectl create secret generic kubernetes-dashboard-certs --from-file=./ -n kube-system

Two things in this script deserve attention before running it. First, "hosts" is empty, so the certificate carries no Subject Alternative Names; cfssl warns about exactly that in 3.2, and browsers match the address in the URL only against the SAN list, so https://192.168.233.200:30001 will still show a certificate error even though the certificate now chains to the cluster CA. Put every IP or DNS name the dashboard is reached through into "hosts" (at least 192.168.233.200 here). Second, --from-file=./ packs every file in the working directory into the secret: the secret listed in section 4 has DATA 11, i.e. the six manifests, the script, the CSR JSON, dashboard.csr and both PEM files. Restrict it to the two files the dashboard needs with --from-file=dashboard.pem --from-file=dashboard-key.pem; the key names in the secret are the file names, and 3.1 refers to them.

3.1 Edit dashboard-controller.yaml

[root@master01 dashboard]# vim dashboard-controller.yaml
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          - --auto-generate-certificates
          - --tls-key-file=dashboard-key.pem    ## the certificate's private key
          - --tls-cert-file=dashboard.pem       ## the certificate

The two file names are resolved inside the directory where the kubernetes-dashboard-certs secret is mounted, so they must match the keys of that secret (the file names given to --from-file). With both files present the dashboard serves them; --auto-generate-certificates only matters when they are missing.

3.2 Generate the certificate

[root@master01 dashboard]# bash dashboard-cert.sh /root/k8s/k8s-cert/    ## signing the dashboard certificate needs the CA files; pass their directory
2020/10/09 09:55:52 [INFO] generate received request
2020/10/09 09:55:52 [INFO] received CSR
2020/10/09 09:55:52 [INFO] generating key: rsa-2048
2020/10/09 09:55:52 [INFO] encoded CSR
2020/10/09 09:55:52 [INFO] signed certificate with serial number 462856100749830270426960605715828341005357971875
2020/10/09 09:55:52 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
secret "kubernetes-dashboard-certs" deleted
secret/kubernetes-dashboard-certs created

The WARNING is not cosmetic: it is the empty "hosts" list from the CSR, and a certificate without SANs is rejected by current browsers for any hostname or IP. Fill in "hosts" and re-run the script until cfssl signs without it.

3.3 Apply the updated dashboard-controller.yaml

[root@master01 dashboard]# kubectl apply -f dashboard-controller.yaml
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
serviceaccount/kubernetes-dashboard configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
deployment.apps/kubernetes-dashboard configured

The warning is expected: the objects were created with kubectl create, so they carry no last-applied-configuration annotation for apply to diff against; the change is still applied ("configured"). If the update does not take effect, delete and recreate the Deployment:

[root@localhost dashboard]# kubectl delete -f dashboard-controller.yaml    ## delete first
serviceaccount "kubernetes-dashboard" deleted
deployment.apps "kubernetes-dashboard" deleted
[root@localhost dashboard]# kubectl create -f dashboard-controller.yaml    ## then recreate
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created

Either way the pod is replaced, and that is necessary: the dashboard reads its certificate files when it starts, so a pod that has been running since before the secret was swapped keeps serving the old certificate. Afterwards check which node the new pod was scheduled on (kubectl get pods -n kube-system -o wide). The Service was not touched, so NodePort 30001 is unchanged and still reachable on every node, but the pod itself may have moved.

3.4 Open https://192.168.233.200:30001 again
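The cfssl warning in 3.2 comes from the empty "hosts" list in dashboard-csr.json. The following Python helper is an added example, not code from the original post or from the Dashboard project: it writes a dashboard-csr.json of the same shape as the page's script, but with the SAN list filled from the addresses the dashboard is actually reached through. cfssl copies IP entries into IP SANs and names into DNS SANs, so both kinds are allowed in "hosts". The node IP 192.168.233.200 is the one from this page; the in-cluster Service names are assumed to follow the standard <service>.<namespace>.svc.cluster.local pattern with the default cluster domain. Run it in the dashboard directory before bash dashboard-cert.sh.

```python
"""Build a cfssl CSR for the Dashboard whose SAN list covers every address the
browser (or an in-cluster client) will use, and sanity-check the entries first.
Added example; assumes the default cluster domain cluster.local."""
import ipaddress
import json


def classify_host(host: str) -> str:
    """Return 'ip' or 'dns' for a cfssl hosts entry; raise ValueError otherwise."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    ok = bool(host) and all(
        label
        and len(label) <= 63
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    )
    if ok:
        return "dns"
    raise ValueError(f"not an IP address or DNS name: {host!r}")


def dashboard_access_hosts(node_ips, service_name="kubernetes-dashboard",
                           namespace="kube-system", cluster_domain="cluster.local",
                           extra=()):
    """Every name the Dashboard answers on: each NodePort node IP plus the
    Service DNS names (assumed standard <svc>.<ns>.svc.<domain> forms)."""
    hosts = list(node_ips)
    hosts += [
        service_name,
        f"{service_name}.{namespace}",
        f"{service_name}.{namespace}.svc",
        f"{service_name}.{namespace}.svc.{cluster_domain}",
    ]
    hosts += list(extra)
    return hosts


def build_dashboard_csr(hosts, cn="Dashboard"):
    """Same structure as the page's dashboard-csr.json, with hosts filled in.
    Refuses an empty list, which is what produced the cfssl WARNING in 3.2."""
    if not hosts:
        raise ValueError("hosts must not be empty: cfssl warns and browsers reject the cert")
    unique = []
    for host in hosts:
        classify_host(host)          # raises on junk before cfssl sees it
        if host not in unique:       # keep order, drop duplicates
            unique.append(host)
    return {
        "CN": cn,
        "hosts": unique,
        "key": {"algo": "rsa", "size": 2048},
        "names": [{"C": "CN", "L": "BeiJing", "ST": "BeiJing"}],
    }


def write_csr(path, csr):
    """Write the CSR JSON for `cfssl gencert ... dashboard-csr.json`."""
    with open(path, "w") as fh:
        json.dump(csr, fh, indent=2)
        fh.write("\n")


if __name__ == "__main__":
    # Node IP from the page; add every other node or DNS name you browse to.
    csr = build_dashboard_csr(dashboard_access_hosts(["192.168.233.200"]))
    write_csr("dashboard-csr.json", csr)
    print(json.dumps(csr, indent=2))
```

After signing, confirm the SANs made it into the certificate with openssl x509 -in dashboard.pem -noout -ext subjectAltName (OpenSSL 1.1.1 or newer), and create the secret from dashboard.pem and dashboard-key.pem only, not from the whole directory.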

4. Generate the login token

[root@master01 dashboard]# kubectl create -f k8s-admin.yaml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@master01 dashboard]# kubectl get secret -n kube-system
NAME                              TYPE                                  DATA   AGE
dashboard-admin-token-6qpjc       kubernetes.io/service-account-token   3      58s
default-token-2w7ds               kubernetes.io/service-account-token   3      9d
kubernetes-dashboard-certs        Opaque                                11     2m27s
kubernetes-dashboard-key-holder   Opaque                                2      10m
kubernetes-dashboard-token-7hzbj  kubernetes.io/service-account-token   3      4m15s
[root@master01 dashboard]# kubectl describe secret dashboard-admin-token-6qpjc -n kube-system    ## show the token
Name:         dashboard-admin-token-6qpjc
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: c4d50908-09d2-11eb-b611-000c292f7bdc

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.[payload elided].EstYlqaH9VMpxR-Q4ESz-1xz2VpuhLdNZ7pSp3H9bgfWfib0noA93UB7bJdbKxfbr5fzqc7qGNZMQ9q0n-MA1u95UzuxpzCRgVW08Tgg6uIDapQ2j9BMXBKLYfobMYEgInJVyufGKHklrXdfXoaB-O5V6m7QxLMsgVqS_TuO6QYQYdNt_HpEGutL1ohYaj0dk37bvAvLAys89gMAcP_x1EGLx7LY6g-4CzSvOIRndWE7e5hTg29uPqmqEJMYd4lr_k_3j3AVJxSXRdPjuGsCXbh6NjTy5K0FAOW596qDJUHA2-06LxdMeEl3I3WqCRc5RqvdmE9u42VSpBp5bJqAUw    ## this is the login token

k8s-admin.yaml itself is not shown on this page; it creates the dashboard-admin service account and a ClusterRoleBinding for it. Whoever holds this token has whatever that binding grants, cluster-wide, so check it before handing the token around: kubectl describe clusterrolebinding dashboard-admin shows the role, and kubectl auth can-i --list --as=system:serviceaccount:kube-system:dashboard-admin shows the resulting permissions. The token is a legacy secret-backed service-account token: it has no expiry and stays valid until the secret or the service account is deleted, so treat it as a long-lived credential and never paste it into a shared document. On Kubernetes 1.24 and later these secrets are no longer created automatically; request a short-lived token instead with kubectl create token dashboard-admin -n kube-system.

4.1 Paste the token into the dashboard login page and sign in
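Before pasting a token into the login form it is worth knowing what it actually is. The following Python snippet is an added example, not code from the original post or from Kubernetes: it decodes the header and payload of a service-account JWT without verifying the signature (the API server does that) and reports which service account the token authenticates as and whether it ever expires. The two tokens it inspects are constructed samples with fake signatures: one shaped like the legacy secret-backed token on this page (header {"alg":"RS256","kid":""} as in the token above, issuer kubernetes/serviceaccount, kubernetes.io/serviceaccount/* claims, no exp), the other shaped like a bound token from kubectl create token on 1.24+, whose issuer URL is the kubeadm default and is an assumption here.

```python
"""Inspect a Kubernetes service-account token before using it.
Added example; decodes claims only, it does NOT validate the signature."""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_sa_token(token: str) -> dict:
    """Return the payload claims of a JWT; reject malformed or alg=none tokens."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing token with alg=none")
    return json.loads(_b64url_decode(parts[1]))


def describe_sa_token(token: str, now=None) -> dict:
    """Summarise a service-account token: which SA, legacy or bound, expiry."""
    claims = decode_sa_token(token)
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError(f"not a service-account token, sub={sub!r}")
    namespace, name = sub[len(prefix):].split(":", 1)
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "namespace": namespace,
        "serviceaccount": name,
        # Legacy tokens carry the secret name; bound tokens do not.
        "legacy_secret_token": "kubernetes.io/serviceaccount/secret.name" in claims,
        "expires": exp is not None,
        "seconds_left": None if exp is None else int(exp - now),
    }


def _make_unsigned_token(claims: dict) -> str:
    """Constructed sample only: JWT with a fake signature, standing in for a
    real cluster token. The API server would reject it."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": ""}), enc(claims), enc({"sig": "fake"})])


# Constructed sample shaped like the legacy secret-backed token on the page:
# no exp claim, so it stays valid until the secret or the SA is deleted.
LEGACY_TOKEN = _make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "dashboard-admin-token-6qpjc",
    "kubernetes.io/serviceaccount/service-account.name": "dashboard-admin",
    "sub": "system:serviceaccount:kube-system:dashboard-admin",
})

# Constructed sample shaped like a bound token from `kubectl create token`
# (issuer URL is the kubeadm default; an assumption, not taken from the page).
BOUND_TOKEN = _make_unsigned_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:kube-system:dashboard-admin",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
})

if __name__ == "__main__":
    for tok in (LEGACY_TOKEN, BOUND_TOKEN):
        print(describe_sa_token(tok, now=1_700_000_000))
```

Feed it the real token from kubectl describe secret (or from kubectl create token) and you will see at a glance whether you are about to log in with a credential that never expires.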
