Kubernetes加入集群的TOKEN值过期

当Kubernetes集群的master节点init完成后，会输出join命令，以便用户用来将其他节点加入，如下

COPYkubeadm join 192.168.1.11:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:063cf8ade66033addf58f5d1a453aab0b1ec5ff023327bc10156935875baa7ad 

而如上命令的token值的有效期只有24小时，通过以下命令查看，TTL就是token的有效时长

COPY$ kubeadm token list
TOKEN         TTL         EXPIRES           USAGES                   DESCRIPTION                  EXTRA GROUPS
2tmuf8.gi...  23h   2021-01-25T1...   authentication,signing   The default bootstrap...     system:bootstrappers:...

当init后的这个token过期之后应该怎么让新的节点重新加入集群

加入新的master节点

这里有一点需要注意，如果部署集群进行init时未指定controlPlaneEndpoint，则不能加入新的master，一般该项的值为Keepalived VIP，或者某一台master的ip:6443也就是集群的api地址即可，否则在加入新的master时会报错。

添加controlPlaneEndpoint

如果集群中只有一个master节点，可以在kube-apiserver中添加controlPlaneEndpoint参数，该参数的值为master节点ip。

如果是多master则跳过

COPY$ kubectl edit cm -n kube-system kubeadm-config
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta2
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controllerManager: {}
    dns:
      type: CoreDNS
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: registry.aliyuncs.com/google_containers
    kind: ClusterConfiguration
    kubernetesVersion: v1.18.1
# 这个位置添加apiserver的地址即可
    controlPlaneEndpoint: "192.168.1.11:6443"
    ...

生成添加master命令

COPY# 要用到certificate-key，所以先生成certificate-key
$ kubeadm init phase upload-certs --upload-certs 
I0217 01:23:50.056394   19222 version.go:252] remote version is much newer: v1.20.2; falling back to: stable-1.18
W0217 01:23:52.864011   19222 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9

$ kubeadm token create --print-join-command --certificate-key=0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9
W0217 01:24:22.855390   23471 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
# 在待加入节点执行以下这条命令即可加入集群成为master
kubeadm join 192.168.1.11:6443 --token 0ysckj.3vtjwoa28dw1z8xz     --discovery-token-ca-cert-hash sha256:c31906addf05434a967d68eb04a81fad38e90c04f2a86b899b5e41b1f919d3ae     --control-plane --certificate-key 0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9

加入新的node节点

COPY$ kubeadm token create --print-join-command
W0217 01:11:55.754155   73469 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
# 在待加入节点执行以下这条命令，将会以node的身份加入集群
kubeadm join 192.168.1.11:6443 --token 67v2qk.vhylz26xsgwk5f2h     --discovery-token-ca-cert-hash sha256:c31906addf05434a967d68eb04a81fad38e90c04f2a86b899b5e41b1f919d3ae

当然也可以使用加入新master的方法生成的命令加入新node，只要不加--control-plane --certificate-key 0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9这部分即可。

建议

无论是搭建单master集群还是多master集群，都加上controlPlaneEndpoint参数

链接： https://www.feiyiblog.com/2021/02/17/Kubernetes%E5%8A%A0%E5%85%A5%E9%9B%86%E7%BE%A4%E7%9A%84TOKEN%E5%80%BC%E8%BF%87%E6%9C%9F/