pki token 生成java,kubeadm 生成的token过期后，集群增加节点

最新推荐文章于 2023-06-19 22:49:42 发布

特殊后勤小干事

最新推荐文章于 2023-06-19 22:49:42 发布

阅读量161

点赞数

文章标签： pki token 生成java

通过kubeadm初始化后，都会提供node加入的token。

[root@walker-1 kubernetes]# kubeadm init --config ./kubeadm-init.yaml --skip-preflight-checks

[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.

[init] Using Kubernetes version: v1.8.1

[init] Using Authorization modes: [Node RBAC]

[preflight] Skipping pre-flight checks

[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --token-ttl 0)

[certificates] Generated ca certificate and key.

[certificates] Generated apiserver certificate and key.

[certificates] apiserver serving cert is signed for DNS names [walker-1.novalocal kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local walker-1.novalocal walker-2.novalocal] and IPs [10.96.0.1 172.16.6.47 172.16.6.47 172.16.6.249 172.16.6.79]

[certificates] Generated apiserver-kubelet-client certificate and key.

[certificates] Generated sa key and public key.

[certificates] Generated front-proxy-ca certificate and key.

[certificates] Generated front-proxy-client certificate and key.

[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"

...

You can now join any number of machines by running the following on each node

as root:

kubeadm join --token 19f284.da47998c9abb01d3 172.16.6.47:6443 --discovery-token-ca-cert-hash sha256:0fd95a9bc67a7bf0ef42da968a0d55d92e52898ec37c971bd77ee501d845b538

默认token的有效期为24小时，当过期之后，该token就不可用了。解决方法如下：

重新生成新的token

[root@walker-1 kubernetes]# kubeadm token create

[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --ttl 0)

aa78f6.8b4cafc8ed26c34f

[root@walker-1 kubernetes]# kubeadm token list

TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS

aa78f6.8b4cafc8ed26c34f 23h 2017-12-26T16:36:29+08:00 authentication,signing system:bootstrappers:kubeadm:default-node-token

获取ca证书sha256编码hash值

[root@walker-1 kubernetes]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

0fd95a9bc67a7bf0ef42da968a0d55d92e52898ec37c971bd77ee501d845b538

节点加入集群

[root@walker-4 kubernetes]# kubeadm join --token aa78f6.8b4cafc8ed26c34f --discovery-token-ca-cert-hash sha256:0fd95a9bc67a7bf0ef42da968a0d55d92e52898ec37c971bd77ee501d845b538 172.16.6.79:6443 --skip-preflight-checks

特殊后勤小干事

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
pki token 生成java,kubeadm 生成的token过期后，集群增加节点

通过kubeadm初始化后，都会提供node加入的token。[root@walker-1 kubernetes]# kubeadm init --config ./kubeadm-init.yaml --skip-preflight-checks[kubeadm] WARNING: kubeadm is in beta, please do not use it for production c...
复制链接

扫一扫