Using a custom certificate with the Kubernetes Dashboard

In the default Kubernetes Dashboard configuration the mounted certificate is empty, so the browser keeps warning about an insecure connection and an exception has to be added on every visit, which is particularly annoying in some situations:

[Figure 1: Dashboard using a custom certificate]

To solve this we need to give the Dashboard a complete TLS certificate. A self-signed certificate is used here for the demonstration:

1. Create a self-signed CA

[root@k8s-master tls]# pwd
/root/kubernetes/yml/tls

--- Generate the private key ---
[root@k8s-master tls]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............+++
............................................+++
e is 65537 (0x10001)

--- Generate the self-signed certificate ---
[root@k8s-master tls]# openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=CA"

--- Inspect the CA certificate ---
[root@k8s-master tls]# openssl x509 -in ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10690141216836748417 (0x945b02cc44510481)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HB, L=WH, O=DM, OU=YPT, CN=CA
        Validity
            Not Before: Aug  7 09:03:50 2018 GMT
            Not After : Aug  4 09:03:50 2028 GMT
        Subject: C=CN, ST=HB, L=WH, O=DM, OU=YPT, CN=CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                99:54:11:DA:DF:02:9D:7F:B6:0D:43:43:C3:14:0E:79:03:27:27:0C
            X509v3 Authority Key Identifier: 
                keyid:99:54:11:DA:DF:02:9D:7F:B6:0D:43:43:C3:14:0E:79:03:27:27:0C

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

2. Issue the Dashboard certificate

--- Generate the private key ---
[root@k8s-master tls]# openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.....+++
e is 65537 (0x10001)

--- Create the certificate signing request ---
[root@k8s-master tls]# openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=192.168.119.160"

--- Extension config file ---
[root@k8s-master tls]# cat dashboard.cnf 
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:192.168.119.160,IP:127.0.0.1,DNS:192.168.119.160,DNS:localhost

--- Sign the certificate ---
[root@k8s-master tls]# openssl x509 -req -sha256 -days 3650 -in dashboard.csr -out dashboard.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile dashboard.cnf
Signature ok
subject=/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=192.168.119.160
Getting CA Private Key

--- Inspect the certificate ---
[root@k8s-master tls]# openssl x509 -in dashboard.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11439967281257568671 (0x9ec2eda17972d99f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HB, L=WH, O=DM, OU=YPT, CN=CA
        Validity
            Not Before: Aug  7 09:17:23 2018 GMT
            Not After : Aug  4 09:17:23 2028 GMT
        Subject: C=CN, ST=HB, L=WH, O=DM, OU=YPT, CN=192.168.119.160
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                53:71:8D:59:82:8E:99:D8:F9:FE:FE:BC:77:D1:4C:AE:7A:FD:A0:E3
            X509v3 Authority Key Identifier: 
                keyid:99:54:11:DA:DF:02:9D:7F:B6:0D:43:43:C3:14:0E:79:03:27:27:0C

            X509v3 Subject Alternative Name: 
                IP Address:192.168.119.160, IP Address:127.0.0.1, DNS:192.168.119.160, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption

3. Mount the certificate into the Dashboard

--- Delete the already deployed dashboard ---
[root@k8s-master yml]# kubectl delete -f kubernetes-dashboard.yml 
secret "kubernetes-dashboard-certs" deleted
serviceaccount "kubernetes-dashboard" deleted
role "kubernetes-dashboard-minimal" deleted
rolebinding "kubernetes-dashboard-minimal" deleted
deployment "kubernetes-dashboard" deleted
service "kubernetes-dashboard" deleted

--- Create the secret "kubernetes-dashboard-certs" ---
[root@k8s-master yml]# kubectl create secret generic kubernetes-dashboard-certs --from-file="tls/dashboard.crt,tls/dashboard.key" -n kube-system 
secret "kubernetes-dashboard-certs" created

--- Inspect the secret ---
[root@k8s-master yml]# kubectl get secret kubernetes-dashboard-certs -n kube-system -o yaml
apiVersion: v1
data:
  dashboard.crt: <base64 content omitted>
  dashboard.key: <base64 content omitted>
kind: Secret
metadata:
  creationTimestamp: 2018-08-07T09:22:53Z
  name: kubernetes-dashboard-certs
  namespace: kube-system
  resourceVersion: "22645"
  selfLink: /api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs
  uid: 7649dc00-9a23-11e8-81c9-005056322159
type: Opaque

--- Redeploy the dashboard ---
[root@k8s-master yml]# kubectl apply -f kubernetes-dashboard.yml 
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
secret "kubernetes-dashboard-certs" configured
serviceaccount "kubernetes-dashboard" created
role "kubernetes-dashboard-minimal" created
rolebinding "kubernetes-dashboard-minimal" created
deployment "kubernetes-dashboard" created
service "kubernetes-dashboard" created

Now you can check in the browser whether the Dashboard certificate has taken effect:

[Figure 2: Dashboard using a custom certificate]
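As an added example (not from the original post), the CA and leaf generation of steps 1 and 2 wrapped in a shell function, followed by a verification function that does from the command line what the browser check above does: it confirms that dashboard.crt chains to ca.crt and that the SAN covers the Dashboard IP. The working directory, the use of `openssl verify -verify_ip`, and the wrong IP used for the negative case are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the CA and the Dashboard
# leaf as in steps 1 and 2, then verify chain and SAN with openssl.
# Assumptions: openssl on PATH; workdir and IPs are constructed for this demo.
set -eu

# make_dashboard_certs <workdir> <dashboard-ip>
make_dashboard_certs() {
  dir="$1"; ip="$2"
  mkdir -p "$dir"
  # Step 1: self-signed CA, same subject as the post.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
    -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=CA" 2>/dev/null
  # Step 2: leaf key, CSR with the IP as CN, and the SAN extension file.
  openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/dashboard.key" -out "$dir/dashboard.csr" \
    -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=$ip" 2>/dev/null
  cat > "$dir/dashboard.cnf" <<EOF
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:$ip,IP:127.0.0.1,DNS:$ip,DNS:localhost
EOF
  openssl x509 -req -sha256 -days 3650 -in "$dir/dashboard.csr" \
    -out "$dir/dashboard.crt" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/dashboard.cnf" 2>/dev/null
}

# verify_dashboard_cert <workdir> <ip>: prints "ok" when dashboard.crt chains to
# ca.crt AND its SAN contains <ip> (what a browser with the CA imported checks;
# the CN alone is not enough for browsers). Prints "fail" and returns 1 otherwise.
verify_dashboard_cert() {
  dir="$1"; ip="$2"
  if openssl verify -CAfile "$dir/ca.crt" -verify_ip "$ip" \
       "$dir/dashboard.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail; return 1
  fi
}

# Stand-alone run: build into a temp dir, verify the real IP and a wrong one.
WORK=$(mktemp -d)
make_dashboard_certs "$WORK" 192.168.119.160
verify_dashboard_cert "$WORK" 192.168.119.160      # prints ok
verify_dashboard_cert "$WORK" 10.0.0.1 || true     # prints fail (IP not in SAN)
```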

4. Import the CA into the client operating system

--- Download the CA from the server ---
LiondeMacBook-Pro:Desktop lion$ scp root@192.168.119.160:/root/kubernetes/yml/tls/ca.crt .
ca.crt                                                                      100% 1253     1.8MB/s   00:00  

The import steps differ little between operating systems; Firefox needs the CA imported through the browser itself, and on macOS the trust options must be set after importing.

[Figure 3: Dashboard using a custom certificate]

If your certificate was issued by a valid publicly trusted CA, you do not need to import anything into any operating system!

5. Access test

[Figure 4: Dashboard using a custom certificate]

6. References

  • https://github.com/kubernetes/dashboard/wiki/Certificate-management#public-trusted-certificate-authority