通常,k8s的一个token的有效期是24h,超过这个时间后如果还有node节点需要加入集群,就要重新生成token
step1.
通过kubeadm token create
指令创建一个token
root@master:/# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
nm9rfu.tz5sficog0xnwlsj 23h 2023-08-07T01:20:09Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
记住这个TTL为23h的token
step2.
通过openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
查看sha256编码
root@master:/# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
d18dd90b7d00b0828b11636ac879f51646f524af2bc4f41a553dcdb004465699
step3.
组合刚刚生成的token以及sha256值:
root@node02:/# kubeadm join 192.168.67.143:6443 --token nm9rfu.tz5sficog0xnwlsj \
> --discovery-token-ca-cert-hash sha256:d18dd90b7d00b0828b11636ac879f51646f524af2bc4f41a553dcdb004465699
然后在需要加入集群的node节点运行kubeadm join