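Because the set of Node machines in a K8S cluster is not fixed, a command for joining Nodes to the cluster is printed right after the cluster is created. More nodes may be added later, however, and the command generated at creation time is reportedly valid for only 24 hours. When a new Node needs to join later, a new token must therefore be generated and the command for joining the master assembled from it. The steps below show how to generate the join command for the master at a later time:
Step 1: Create a token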
[root@master ~]# kubeadm token create
W1214 21:11:47.212338 14555 validation.go:28] Cannot validate kube-proxy config - no validator is available
W1214 21:11:47.212379 14555 validation.go:28] Cannot validate kubelet config - no validator is available
mzo4hb.metsry8kfcewfk66
Step 2: Check that the generated token is valid
[root@master ~]# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
mzo4hb.metsry8kfcewfk66 23h 2022-12-15T21:11:47+08:00 authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
of2h01.ecia09q615cdfg4y <invalid> 2022-12-12T21:30:29+08:00 authentication,signing The default bootstrap token generated by 'kubeadm init'. system:bootstrappers:kubeadm:default-node-token
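As shown, the token created in step 1 is in the token list, and its expiration date is 24 hours later.
Step 3: Compute the SHA-256 hash of the CA certificate's public key, to be used together with the generated token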
[root@master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
c5fb43a6e955b2f275786829bd64d831c6b8546634762ab39eb8246c32a027c3
[root@master ~]#
Step 4: Run the join command on the Node
[root@node1 ~]# kubeadm join 192.168.106.100:6443 --token mzo4hb.metsry8kfcewfk66 --discovery-token-ca-cert-hash sha256:c5fb43a6e955b2f275786829bd64d831c6b8546634762ab39eb8246c32a027c3
W1214 21:14:03.776207 16317 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.17" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
[root@node1 ~]#
Step 5: Verify that the Node was added
Before step 4 is run, the command that lists Nodes shows the following; only the master node is visible
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master NotReady master 2d23h v1.17.4
After step 4 has completed, run the command that lists Nodes again
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master NotReady master 2d23h v1.17.4
node1 NotReady <none> 9m32s v1.17.4
[root@master ~]#
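As shown above, the Node has been added to the cluster.
This completes the procedure for adding a Node later. Note that the token generated in step 1 is valid for only 24 hours; if a new node joins more than 24 hours later, start again from step 1.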
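
The assembly done by hand in steps 1 to 4, as an added shell example that is not part of the original post: it builds the join command only when the token is well formed, still listed as valid, and paired with a full CA public-key hash, so a node never joins without the CA pin. The function names are hypothetical, and the sample listing is constructed from the output shown in step 2.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Constructed sample of `kubeadm token list` output, using the rows from step 2.
SAMPLE_TOKEN_LIST='TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
mzo4hb.metsry8kfcewfk66 23h 2022-12-15T21:11:47+08:00 authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
of2h01.ecia09q615cdfg4y <invalid> 2022-12-12T21:30:29+08:00 authentication,signing The default bootstrap token'

# On a real control-plane host, set TOKEN_LIST="$(kubeadm token list)" first.
TOKEN_LIST=${TOKEN_LIST:-$SAMPLE_TOKEN_LIST}

# Bootstrap tokens look like <6 chars>.<16 chars>, lowercase letters and digits.
valid_token_format() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# --discovery-token-ca-cert-hash expects "sha256:" plus 64 hex digits.
valid_ca_hash() {
    printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Read a token listing on stdin; print tokens whose TTL column is not
# "<invalid>" and whose usages include authentication.
usable_tokens() {
    awk '$1 ~ /^[a-z0-9]+\.[a-z0-9]+$/ && $2 != "<invalid>" &&
         $4 ~ /authentication/ { print $1 }'
}

# build_join_cmd <host:port> <token> <sha256:hash>
# Return codes: 1 malformed token, 2 malformed hash, 3 expired/unknown token.
build_join_cmd() {
    endpoint=$1
    token=$2
    hash=$3
    valid_token_format "$token" || { echo "malformed token" >&2; return 1; }
    valid_ca_hash "$hash" || { echo "malformed CA hash" >&2; return 2; }
    printf '%s\n' "$TOKEN_LIST" | usable_tokens | grep -Fxq "$token" \
        || { echo "token expired or not listed" >&2; return 3; }
    printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s\n' \
        "$endpoint" "$token" "$hash"
}
```

On the master, `kubeadm token create --print-join-command` creates a token and prints the complete join command in one step.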