[k8s] Re-joining nodes to the master
By default a bootstrap token is valid for 24 hours; once it expires, that token can no longer be used.
If more nodes need to join after that, the fix is as follows:
Generate a new token
Method 1
Run on the master:
kubeadm token create --print-join-command
The --ttl duration flag sets the token lifetime.
Default: 24h0m0s
This generates a token with the default 24-hour validity and prints the command for joining the master.
[root@a1 ~]# kubeadm token create --print-join-command
kubeadm join 192.168.0.183:6443 --token 7h2qff.z5n4f7dxm9vmg8x9 --discovery-token-ca-cert-hash sha256:3e2786a894fd9ed30bdcedf67731249416cd8064b4c49031eee55e0cdc8c7b1c
[root@a1 ~]# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
7h2qff.z5n4f7dxm9vmg8x9 23h 2022-11-17T05:11:28Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
Then run the kubeadm join command printed above on the node:
kubeadm join 192.168.0.183:6443 --token 7h2qff.z5n4f7dxm9vmg8x9 --discovery-token-ca-cert-hash
Done.
Method 2
kubeadm token create
[root@k8s-master ~]# kubeadm token create
0w3a92.ijgba9ia0e3scicg
[root@k8s-master ~]# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
0w3a92.ijgba9ia0e3scicg 23h 2019-09-08T22:02:40+08:00 authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
t0ehj8.k4ef3gq0icr3etl0 22h 2019-09-08T20:58:34+08:00 authentication,signing The default bootstrap token generated by 'kubeadm init'. system:bootstrappers:kubeadm:default-node-token
Get the sha256 hash of the CA certificate's public key:
[root@k8s-master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
ce07a7f5b259961884c55e3ff8784b1eda6f8b5931e6fa2ab0b30b6a4234c09a
--token: used by the master to verify the node's identity.
For bootstrap-token authentication to be accepted when the cluster is first bootstrapped, the API server must be started with the following option:
--enable-bootstrap-token-auth=true
kubectl get secret -n kube-system|grep bootstrap-token
bootstrap-token-nh819o bootstrap.kubernetes.io/token 7 2d
nh819o is the token id; pzcpohatm7p3a5cm is the token secret.
When kubeadm join contacts the API server, it carries this token in the request header, and the API server authenticates the request with it.
The API server looks for a Secret object whose name has the bootstrap-token- prefix.
We can inspect the contents of that Secret:
kubectl get secret/bootstrap-token-nh819o -n kube-system -o yaml
apiVersion: v1
data:
  auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
  description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=
  expiration: MjAxOS0wNi0yMFQxMToyNDoyOCswODowMA==
  token-id: bmg4MTlv
  token-secret: cHpjcG9oYXRtN3AzYTVjbQ==
  usage-bootstrap-authentication: dHJ1ZQ==
  usage-bootstrap-signing: dHJ1ZQ==
kind: Secret
metadata:
  creationTimestamp: 2019-06-19T03:24:28Z
  name: bootstrap-token-nh819o
  namespace: kube-system
  resourceVersion: "160"
  selfLink: /api/v1/namespaces/kube-system/secrets/bootstrap-token-nh819o
  uid: bea32cfa-9241-11e9-a613-52540095a842
type: bootstrap.kubernetes.io/token
Decode token-secret:
echo cHpjcG9oYXRtN3AzYTVjbQ==|base64 -d
pzcpohatm7p3a5cm
This matches the secret part of the --token value.
Joining a node to the cluster
[root@k8s-node01 ~]# kubeadm join --token aa78f6.8b4cafc8ed26c34f --discovery-token-ca-cert-hash sha256:0fd95a9bc67a7bf0ef42da968a0d55d92e52898ec37c971bd77ee501d845b538 192.168.73.138:6443 --skip-preflight-check=true
--discovery-token-ca-cert-hash: used by the node to verify the master's identity.
During join, the API server hands out ca.crt, which the node stores under /etc/kubernetes/pki.
kubeadm join then computes the hash of the CA's public key and compares it with the discovery-token-ca-cert-hash value.
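As an added example (not code from the original post), the following Python helper ties the two checks above together from the defender's side: it decodes a bootstrap-token Secret's data block as shown earlier, checks that a given join command carries a well-formed, unexpired token that actually exists in the cluster, and checks that the CA hash is pinned. The Secret data is the constructed sample from this page; the join command and the all-zero hash in the test are constructed too.

```python
import base64
import re
from datetime import datetime, timezone

# kubeadm bootstrap tokens have the form <6 chars>.<16 chars>, lowercase alphanumerics.
TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")
HASH_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample: the .data block of the bootstrap-token Secret shown on this page.
SAMPLE_SECRET_DATA = {
    "auth-extra-groups": "c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=",
    "expiration": "MjAxOS0wNi0yMFQxMToyNDoyOCswODowMA==",
    "token-id": "bmg4MTlv",
    "token-secret": "cHpjcG9oYXRtN3AzYTVjbQ==",
    "usage-bootstrap-authentication": "dHJ1ZQ==",
    "usage-bootstrap-signing": "dHJ1ZQ==",
}


def decode_secret(data):
    """Base64-decode every field of a bootstrap-token Secret's .data map."""
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


def parse_join_command(cmd):
    """Extract --token and --discovery-token-ca-cert-hash from a kubeadm join line."""
    token = re.search(r"--token[ =](\S+)", cmd)
    cahash = re.search(r"--discovery-token-ca-cert-hash[ =](\S+)", cmd)
    return (token.group(1) if token else None, cahash.group(1) if cahash else None)


def audit_join(cmd, secret_data, now=None):
    """Return a list of findings; an empty list means the join line looks sound."""
    now = now or datetime.now(timezone.utc)
    fields = decode_secret(secret_data)
    token, cahash = parse_join_command(cmd)
    findings = []
    m = TOKEN_RE.match(token or "")
    if not m:
        findings.append("token malformed or missing")
    elif (m.group(1), m.group(2)) != (fields["token-id"], fields["token-secret"]):
        findings.append("token does not match Secret bootstrap-token-" + fields["token-id"])
    if fields.get("usage-bootstrap-authentication") != "true":
        findings.append("token not usable for authentication")
    # Tokens created without --ttl 0 carry an RFC 3339 expiration; compare as aware datetimes.
    exp = fields.get("expiration")
    if exp and datetime.fromisoformat(exp) <= now:
        findings.append("token expired at " + exp)
    if not cahash or not HASH_RE.match(cahash):
        findings.append("CA hash missing or malformed: node cannot verify the API server")
    return findings
```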
kubeadm join times out when adding a node, reporting [kubelet-check] Initial timeout of 40s passed.
kubeadm join 172.28.18.69:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:6010baa60fc234e60cb353a54b4179afd3205cd6b4fc15f415117a77b6d8ac07
W0109 18:03:24.343831 16537 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
[kubelet-check] Initial timeout of 40s passed.
error execution phase kubelet-start: error uploading crisocket: timed out waiting for the condition
To see the stack trace of this error execute with --v=5 or higher
The join timed out and the node was not added.
On the node, run:
kubeadm reset -f
Then run the join again:
kubeadm join 172.28.18.69:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:6010baa60fc234e60cb353a54b4179afd3205cd6b4fc15f415117a77b6d8ac07
Deleting a token
kubeadm token delete [token-value] ...