Error when opening the dashboard web UI (certificate reported as invalid)


Author: 六分 | Published 2019-11-29 10:22

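After installing kubernetes-dashboard-amd64:v1.10.1 by following the previous tutorial, opening it in the browser ends with a signature error.
Running kubectl logs kubernetes-dashboard-5f7b999d65-8j5n8 --namespace=kube-system shows the error log.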

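Presumably the signing certificate bundled with kubernetes-dashboard has expired (or there is some other cause), so the steps below issue a self-signed certificate.
  • Switch to the root user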
sudo su -
  • Create the self-signed certificate
    The steps below may fail because the file /root/.rnd cannot be found; if so, just create it with touch /root/.rnd
mkdir -p /data/tls && cd /data/tls
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=CA"
# Generate the dashboard private key
openssl genrsa -out dashboard.key 2048
  • Create the certificate signing request
# ip is the IP address used to access the dashboard

export ip=192.168.160.100

openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=$ip"

cat >  dashboard.cnf  <<EOF
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:$ip,IP:127.0.0.1,DNS:$ip,DNS:localhost
EOF
  • Issue the certificate
openssl x509 -req -sha256 -days 3650 -in dashboard.csr -out dashboard.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile dashboard.cnf

The dashboard certificate is now issued. Next, delete the old kubernetes-dashboard and recreate it with the new certificate.
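As an added example (not part of the original post), the script below checks the issued certificate before it is loaded into the kubernetes-dashboard-certs secret: it must chain to ca.crt, match dashboard.key, list the access IP in its SAN, and not be about to expire. The function names make_sample_certs and check_dashboard_cert and the 30-day margin are assumptions made for this example; the demo issues a throwaway certificate in a temporary directory with the same openssl commands.

```bash
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# dashboard certificate. Function names and sample values are constructed.

# make_sample_certs DIR IP: repeat the issuance commands above inside DIR.
make_sample_certs() {
  ( cd "$1" || exit 1
    openssl genrsa -out ca.key 2048 &&
    openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/CN=CA" &&
    openssl genrsa -out dashboard.key 2048 &&
    openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/CN=$2" &&
    printf '%s\n' 'extensions = san' '[san]' 'keyUsage = digitalSignature' \
      'extendedKeyUsage = clientAuth,serverAuth' \
      "subjectAltName = IP:$2,IP:127.0.0.1,DNS:localhost" > dashboard.cnf &&
    openssl x509 -req -sha256 -days 3650 -in dashboard.csr -out dashboard.crt \
      -CA ca.crt -CAkey ca.key -CAcreateserial -extfile dashboard.cnf
  ) >/dev/null 2>&1
}

# check_dashboard_cert CA_CRT CERT KEY IP: returns 0 only if all checks pass.
check_dashboard_cert() {
  rc=0
  # 1. The certificate must chain to the CA that signed it.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "FAIL: $2 is not signed by $1"; rc=1; }
  # 2. Certificate and private key must be a pair (same public key).
  pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || pub=""
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: $3 does not belong to $2"; rc=1; }
  # 3. The access IP must be an exact IP entry in subjectAltName.
  openssl x509 -in "$2" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' |
    sed 's/^ *//' | grep -xF "IP Address:$4" >/dev/null ||
    { echo "FAIL: $4 is not an IP entry in the SAN"; rc=1; }
  # 4. The certificate must stay valid for at least 30 more days.
  openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null 2>&1 ||
    { echo "FAIL: $2 expires within 30 days"; rc=1; }
  return "$rc"
}

# Demo on a throwaway certificate issued for a constructed address.
demo=$(mktemp -d)
make_sample_certs "$demo" 192.168.160.100 &&
  check_dashboard_cert "$demo/ca.crt" "$demo/dashboard.crt" "$demo/dashboard.key" \
    192.168.160.100 && echo "OK: certificate is ready for the secret"
rm -rf "$demo"
```

To check the real files, run check_dashboard_cert /data/tls/ca.crt /data/tls/dashboard.crt /data/tls/dashboard.key $ip before creating the secret.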

  • Delete the old kubernetes-dashboard
# Method 1: (this method gave me an error, so I chose method 2)
kubectl delete -f kubernetes-dashboard.yaml
# Method 2: (each resource has to be deleted by hand, one at a time)
kubectl delete deployment kubernetes-dashboard --namespace=kube-system 
kubectl delete service kubernetes-dashboard  --namespace=kube-system 
kubectl delete role kubernetes-dashboard-minimal --namespace=kube-system 
kubectl delete rolebinding kubernetes-dashboard-minimal --namespace=kube-system
kubectl delete sa kubernetes-dashboard --namespace=kube-system 
kubectl delete secret kubernetes-dashboard-certs --namespace=kube-system
kubectl delete secret kubernetes-dashboard-csrf --namespace=kube-system
kubectl delete secret kubernetes-dashboard-key-holder --namespace=kube-system
  • Create the secret kubernetes-dashboard-certs
kubectl create secret generic kubernetes-dashboard-certs --from-file="/data/tls/dashboard.crt,/data/tls/dashboard.key" -n kube-system 
  • Edit kubernetes-dashboard.yaml and comment out the Dashboard Secret so that your own certificate is used
# ------------------- Dashboard Secret ------------------- #
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kube-system
#type: Opaque
  • Deploy the dashboard
kubectl create -f kubernetes-dashboard.yaml
kubectl get po -n kube-system
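  • That completes creating kubernetes-dashboard with a self-made certificate. If you already created an admin token from the k8s-admin-token.yaml file in the previous step, you can skip this step and go straight to fetching the token and logging in from the browser.
  • If you have not created an admin token, do the following:
    create the file k8s-admin-token.yaml with the content below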
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

Configure the admin token

kubectl create -f k8s-admin-token.yaml

Fetch the login token dynamically

kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system

Open https://<your-ip>:32288 in a browser and log in with the token. Note that on a cloud server you need to open port 32288 in the server's security group policy.
