查看 token
使用 kubeadm token list 查看 token 及其过期时间;kubeadm init 初始化时生成的 token 有效期为一天。
详细查看
# 查看token密钥
[root@master k8s]# kubectl get secrets -n kube-system
NAME TYPE DATA AGE
bootstrap-token-h3j3ns bootstrap.kubernetes.io/token 7 168m
# 查看所有命名空间下的 Secret(包括其他插件的证书与 token 密钥)
[root@master k8s]# kubectl get secrets -A
NAMESPACE NAME TYPE DATA AGE
calico-apiserver calico-apiserver-certs Opaque 2 120m
calico-system node-certs Opaque 2 154m
calico-system typha-certs Opaque 2 154m
kube-system bootstrap-token-h3j3ns bootstrap.kubernetes.io/token 7 169m
tigera-operator calico-apiserver-certs Opaque 2 120m
tigera-operator node-certs Opaque 2 154m
tigera-operator tigera-ca-private Opaque 2 154m
tigera-operator typha-certs Opaque 2 154m
[root@master k8s]# kubectl get secrets -n kube-system bootstrap-token-h3j3ns -oyaml
apiVersion: v1
data:
auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=
expiration: MjAyMy0wMi0wM1QxMjoxMToxM1o=
token-id: aDNqM25z
token-secret: bmI5eGwycDV6MW1uYTB4eA==
usage-bootstrap-authentication: dHJ1ZQ==
usage-bootstrap-signing: dHJ1ZQ==
kind: Secret
metadata:
creationTimestamp: "2023-02-02T12:11:13Z"
name: bootstrap-token-h3j3ns
namespace: kube-system
resourceVersion: "209"
uid: 26807d30-dcfd-4034-a658-820f7a0c842f
type: bootstrap.kubernetes.io/token
expiration 字段是其过期时间。Secret 的 data 字段只是 base64 编码,并非加密;token-id、token-secret 同样可以直接解码,因此应限制对 kube-system 中 Secret 的读取权限。
[root@master k8s]# echo "MjAyMy0wMi0wM1QxMjoxMToxM1o=" | base64 --decode
2023-02-03T12:11:13Z
# 可以看到是 2023年 2月 3日 12:11:13(UTC)过期
生成 token
#删除现有token
[root@master k8s]# kubectl delete secrets -n kube-system bootstrap-token-h3j3ns
secret "bootstrap-token-h3j3ns" deleted
# 生成 node 节点 token
[root@master k8s]# kubeadm token create --print-join-command --cri-socket unix:///var/run/cri-dockerd.sock
kubeadm join 192.168.100.53:6443 --token 5h02s0.n7htz6mfdlg8kh40 --discovery-token-ca-cert-hash sha256:7f81fa35fc8f5d8640a167634df99d7f6998c28e996748f16ee86f422641119a
# 注意:如果是 1.20 以上版本并使用 docker 容器运行时,执行 join 命令时要加上 --cri-socket unix:///var/run/cri-dockerd.sock 才能使用
生成 master 的 token
[root@master k8s]# kubeadm token create --print-join-command
kubeadm join 192.168.100.53:6443 --token 5h02s0.n7htz6mfdlg8kh40 --discovery-token-ca-cert-hash sha256:7f81fa35fc8f5d8640a167634df99d7f6998c28e996748f16ee86f422641119a
[root@master k8s]# kubeadm init phase upload-certs --upload-certs
[upload-certs] Using certificate key:
6d7089e97b8c96ac7ad478173c7928e5becdf1faed85ccd2d4654b8dc514fc32
# 将 certificate key 与上面的 join 命令拼接,得到如下命令(以下地址、token、哈希均为示例值)。certificate key 用于解密上传的控制平面证书,应与 token 一样保密
kubeadm join 10.136.17.12:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:2fbacdf6a9473d5da1d98900f73cxxx772b12ac99017d6ae756d8c3cc \
--control-plane --certificate-key f0725584c26c192478d266c4dc5804a1ss5d7b40257837eea0676d1972cca
# 注意:如果是 1.20 以上版本并使用 docker 容器运行时,执行 join 命令时要加上 --cri-socket unix:///var/run/cri-dockerd.sock 才能使用
永久 token
使用 --ttl 0 参数生成永不过期的 token。持有该 token 的任何人都可以向集群加入节点,用完后应使用 kubeadm token delete 删除。
[root@master k8s]# kubeadm token create --print-join-command --ttl 0
kubeadm join 192.168.100.53:6443 --token 7blbsw.pthel6ipumqnwjza --discovery-token-ca-cert-hash sha256:7f81fa35fc8f5d8640a167634df99d7f6998c28e996748f16ee86f422641119a
# 注意:如果是 1.20 以上版本并使用 docker 容器运行时,执行 join 命令时要加上 --cri-socket unix:///var/run/cri-dockerd.sock 才能使用
# 查看
[root@master k8s]# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
5h02s0.n7htz6mfdlg8kh40 23h 2023-02-03T15:09:24Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
7blbsw.pthel6ipumqnwjza <forever> <never> authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
# 删除原先1天时长的token
[root@master k8s]# kubeadm token delete 5h02s0.n7htz6mfdlg8kh40
bootstrap token "5h02s0" deleted
更新 token
就是让 node 使用新的 token 重新加入集群,下面以更新 node1 为例。
# master 删除 node1
[root@master k8s]# kubectl delete node node1
node "node1" deleted
# 更新 node1 节点执行命令
# Clear the kubelet kubeconfig and the cluster CA certificate left over from
# the node's previous join. NOTE(review): kubeadm join's preflight checks are
# expected to refuse to run while these files exist -- confirm on your version.
rm -rf /etc/kubernetes/kubelet.conf /etc/kubernetes/pki/ca.crt

# Restart kubelet before re-joining.
systemctl restart kubelet.service

# Re-join using the current bootstrap token. The CA cert hash pins the
# control plane's CA during discovery; --cri-socket points at cri-dockerd.
kubeadm join 192.168.100.53:6443 \
  --token 7blbsw.pthel6ipumqnwjza \
  --discovery-token-ca-cert-hash sha256:7f81fa35fc8f5d8640a167634df99d7f6998c28e996748f16ee86f422641119a \
  --cri-socket unix:///var/run/cri-dockerd.sock