当前位置：网站首页>The TOKEN value of Kubernetes joining the cluster expires

The TOKEN value of Kubernetes joining the cluster expires

2022-07-31 05:32:00 【hunheidaode】

When the init of the master node of the Kubernetes cluster is completed, the join command will be output so that users can use it to join other nodes, as follows

COPYkubeadm join 192.168.1.11:6443 --token abcdef.0123456789abcdef \--discovery-token-ca-cert-hash sha256:063cf8ade66033addf58f5d1a453aab0b1ec5ff023327bc10156935875baa7ad

The validity period of the token value of the above command is only 24 hours. View through the following command, TTL is the validity period of the token

COPY$ kubeadm token listTOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS2tmuf8.gi... 23h 2021-01-25T1... authentication,signing The default bootstrap... system:bootstrappers:...

How should the new node rejoin the cluster when the token after init expires

Add new master node

One thing to note here is that if controlPlaneEndpoint is not specified when deploying the cluster for init, a new master cannot be added. Generally, the value of this item is Keepalived VIP, orThe ip:6443 of a master is the api address of the cluster, otherwise an error will be reported when adding a new master.

Add controlPlaneEndpoint

If there is only one master node in the cluster, you can add the controlPlaneEndpoint parameter in the kube-apiserver. The value of this parameter is the master node ip.
Skip if it is multi-master

COPY$ kubectl edit cm -n kube-system kubeadm-configapiVersion: v1data:ClusterConfiguration: |apiServer:extraArgs:authorization-mode: Node, RBACtimeoutForControlPlane: 4m0sapiVersion: kubeadm.k8s.io/v1beta2certificatesDir: /etc/kubernetes/pkiclusterName: kubernetescontrollerManager: {}dns:type: CoreDNSetcd:local:dataDir: /var/lib/etcdimageRepository: registry.aliyuncs.com/google_containerskind: ClusterConfigurationkubernetesVersion: v1.18.1# This location can add the address of the apiservercontrolPlaneEndpoint: "192.168.1.11:6443"...

Generate add master command

COPY# To use certificate-key, so first generate certificate-key$ kubeadm init phase upload-certs --upload-certsI0217 01:23:50.056394 19222 version.go:252] remote version is much newer: v1.20.2; falling back to: stable-1.18W0217 01:23:52.864011 19222 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io][upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace[upload-certs] Using certificate key:0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9$ kubeadm token create --print-join-command --certificate-key=0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9W0217 01:24:22.855390 23471 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]# Execute the following command on the node to be joined to join the cluster and become the masterkubeadm join 192.168.1.11:6443 --token 0ysckj.3vtjwoa28dw1z8xz     --discovery-token-ca-cert-hash sha256:c31906addf05434a967d68eb04a81fad38e90c04f2a86b899b5e41b1f919d3ae     --control-plane --certificate-key 0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9

Add a new node

COPY$ kubeadm token create --print-join-commandW0217 01:11:55.754155 73469 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]# Execute the following command on the node to be joined, and it will join the cluster as a nodekubeadm join 192.168.1.11:6443 --token 67v2qk.vhylz26xsgwk5f2h --discovery-token-ca-cert-hash sha256:c31906addf05434a967d68eb04a81fad38e90c04f2a86b899b5e41b1f919d3ae

Of course, you can also use the command generated by adding a new master to add a new node, as long as you don't add the --control-plane --certificate-key 0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9 part.