
Kubernetes Client Certificate (RKE managed)


I'm currently deploying a K8S cluster through Rancher RKE using AWS EC2 virtual machines (with CentOS 7 and Docker 17.03.2-ce). Unfortunately, after deploying the K8S dashboard, I haven't been able to access it externally through the API SERVER (https://API-server-ip:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/). Services are up and running without problems:

NAMESPACE       NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
default         kubernetes             ClusterIP   10.43.0.1       <none>        443/TCP         1h
ingress-nginx   default-http-backend   ClusterIP   10.43.76.101    <none>        80/TCP          1h
kube-system     kube-dns               ClusterIP   10.43.0.10      <none>        53/UDP,53/TCP   1h
kube-system     kubernetes-dashboard   ClusterIP   10.43.198.196   <none>        443/TCP         1h

I saw that PEM certificates have already been created within /etc/kubernetes/ssl on the API SERVER machine:

-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-apiserver-key.pem
-rw-r--r--. 1 root root 1302 Apr 19 09:19 kube-apiserver.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-ca-key.pem
-rw-r--r--. 1 root root 1017 Apr 19 09:19 kube-ca.pem
-rw-r--r--. 1 root root  493 Apr 19 09:19 kubecfg-kube-controller-manager.yaml
-rw-r--r--. 1 root root  437 Apr 19 09:19 kubecfg-kube-node.yaml
-rw-r--r--. 1 root root  441 Apr 19 09:19 kubecfg-kube-proxy.yaml
-rw-r--r--. 1 root root  457 Apr 19 09:19 kubecfg-kube-scheduler.yaml
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-controller-manager-key.pem
-rw-r--r--. 1 root root 1062 Apr 19 09:19 kube-controller-manager.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-etcd-<...>-compute-amazonaws-com-key.pem
-rw-r--r--. 1 root root 1298 Apr 19 09:19 kube-etcd-<...>-us-east-2-compute-amazonaws-com.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-node-key.pem
-rw-r--r--. 1 root root 1070 Apr 19 09:19 kube-node.pem
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-proxy-key.pem
-rw-r--r--. 1 root root 1046 Apr 19 09:19 kube-proxy.pem
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-scheduler-key.pem
-rw-r--r--. 1 root root 1050 Apr 19 09:19 kube-scheduler.pem

I tried to use kube-apiserver-key.pem as the key to generate a client certificate (openssl req -new -key /etc/kubernetes/ssl/kube-apiserver-key.pem -out /tmp/user-cert.pem) and eventually use it for access. Unfortunately, the generated certificate turned out to be in an invalid format (I tried both installing it on MacOS X and an online SSL validator).

Any help?


Solution

  • After some digging I managed to find a solution.

    In the RKE-generated kubeconfig file, both client-certificate-data and client-key-data are present as base64-encoded values for kube-admin.

    In order to use them in my client browser, I first had to decode them to obtain the respective certificate and key:

    echo '<KUBE_ADMIN_CLIENT_CERTIFICATE_DATA>' | base64 --decode > kube-admin-cert.pem
    
    echo '<KUBE_ADMIN_CLIENT_KEY_DATA>' | base64 --decode > kube-admin-cert-key.pem
    

    Once the certificate and key have been written out, it's possible to build the corresponding .p12 certificate file:

    openssl pkcs12 -export -clcerts -inkey kube-admin-cert-key.pem -in kube-admin-cert.pem -out kube-admin-cert.p12
    

    Eventually, once the .p12 certificate has been installed in the local client browser, it's possible to authenticate successfully to the API server proxy.
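The steps in the solution above, as an added example that is not from the original post: a shell function that pulls the named user's client-certificate-data and client-key-data out of the kubeconfig, decodes them, refuses a key that does not belong to the certificate, prints the identity (O/CN) and expiry the certificate grants before it goes into a browser, and writes a password-protected .p12. The kubeconfig it runs against is a constructed stand-in built from a throwaway CA, not an RKE-issued credential; openssl, awk and base64 are assumed to be on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The kube-admin client certificate
# is normally O=system:masters, i.e. full cluster admin, so the decoded key and
# the .p12 are treated as secrets: key file is mode 600, .p12 gets a password.
set -euo pipefail

# Build a constructed kubeconfig in directory $1 with the same two fields RKE
# emits for kube-admin, signed by a throwaway CA (test fixture only).
make_fixture() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=kube-ca" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/O=system:masters/CN=kube-admin" \
    -keyout "$d/admin-key.pem" -out "$d/admin.csr" 2>/dev/null
  openssl x509 -req -in "$d/admin.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 1 -out "$d/admin.pem" 2>/dev/null
  printf 'users:\n- name: kube-admin\n  user:\n    client-certificate-data: %s\n    client-key-data: %s\n' \
    "$(base64 < "$d/admin.pem" | tr -d '\n')" "$(base64 < "$d/admin-key.pem" | tr -d '\n')" \
    > "$d/kube_config.yml"
}

# extract_field KUBECONFIG USER FIELD OUTFILE: base64-decode one field of the
# given user entry into OUTFILE; fails if the user or field is absent.
extract_field() {
  awk -v u="$2" -v f="$3:" '$0=="- name: "u{hit=1;next} /^- name:/{hit=0} hit&&$1==f{print $2}' "$1" \
    | base64 --decode > "$4"
  [ -s "$4" ]
}

# export_p12 KUBECONFIG USER OUTDIR: decode cert and key, verify they are a
# pair, report subject and expiry, then export the PKCS#12 (password in $P12_PASS).
export_p12() {
  extract_field "$1" "$2" client-certificate-data "$3/$2-cert.pem"
  extract_field "$1" "$2" client-key-data "$3/$2-key.pem"
  chmod 600 "$3/$2-key.pem"
  # Public key derived from the private key must equal the one in the cert.
  [ "$(openssl x509 -in "$3/$2-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$3/$2-key.pem" -pubout)" ] || { echo "key/cert mismatch" >&2; return 1; }
  openssl x509 -in "$3/$2-cert.pem" -noout -subject -enddate
  openssl pkcs12 -export -clcerts -inkey "$3/$2-key.pem" -in "$3/$2-cert.pem" \
    -out "$3/$2.p12" -passout env:P12_PASS
}
```

Against a real cluster, skip make_fixture and point export_p12 at the kube_config file RKE wrote, with P12_PASS exported first; the subject line it prints is the identity the browser will present to the API server.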