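After kubeadm init completes on the master node of a Kubernetes cluster, it prints a join command that is used to add other nodes to the cluster, as shown below: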

kubeadm join 192.168.1.11:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:063cf8ade66033addf58f5d1a453aab0b1ec5ff023327bc10156935875baa7ad 

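The token in the command above is valid for only 24 hours. You can check this with the following command; the TTL column is the token's validity period.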

$ kubeadm token list
TOKEN         TTL         EXPIRES           USAGES                   DESCRIPTION                  EXTRA GROUPS
2tmuf8.gi...  23h   2021-01-25T1...   authentication,signing   The default bootstrap...     system:bootstrappers:...

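Once the token created at init has expired, how do you let new nodes join the cluster?

Adding a new master node

One thing to note here: if controlPlaneEndpoint was not specified when the cluster was initialized, new masters cannot be added. The value is usually the Keepalived VIP, or the ip:6443 of one of the masters, that is, the cluster's API address. Without it, joining a new master fails with an error.

Adding controlPlaneEndpoint

If the cluster has only one master node, you can add the controlPlaneEndpoint parameter for kube-apiserver; its value is the master node's IP.

Skip this step if the cluster has multiple masters.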

$ kubectl edit cm -n kube-system kubeadm-config
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta2
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controllerManager: {}
    dns:
      type: CoreDNS
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: registry.aliyuncs.com/google_containers
    kind: ClusterConfiguration
    kubernetesVersion: v1.18.1
    # Add the apiserver address here
    controlPlaneEndpoint: "192.168.1.11:6443"
    ...

Generating the command to add a master

# The certificate-key is required, so generate it first
$ kubeadm init phase upload-certs --upload-certs 
I0217 01:23:50.056394   19222 version.go:252] remote version is much newer: v1.20.2; falling back to: stable-1.18
W0217 01:23:52.864011   19222 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9

$ kubeadm token create --print-join-command --certificate-key=0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9
W0217 01:24:22.855390   23471 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
# Run the following command on the node to be added; it joins the cluster as a master
kubeadm join 192.168.1.11:6443 --token 0ysckj.3vtjwoa28dw1z8xz     --discovery-token-ca-cert-hash sha256:c31906addf05434a967d68eb04a81fad38e90c04f2a86b899b5e41b1f919d3ae     --control-plane --certificate-key 0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9

Adding a new node

$ kubeadm token create --print-join-command
W0217 01:11:55.754155   73469 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
# Run the following command on the node to be added; it joins the cluster as a node
kubeadm join 192.168.1.11:6443 --token 67v2qk.vhylz26xsgwk5f2h     --discovery-token-ca-cert-hash sha256:c31906addf05434a967d68eb04a81fad38e90c04f2a86b899b5e41b1f919d3ae

Of course, you can also join a new node with the command generated by the method for adding a new master, as long as you leave out the --control-plane --certificate-key 0787d9b7f5abf63dd94570b1a8c6a2aa73421019bb45bd9a7ea24893f48e4ef9 part.
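Before running a regenerated join command on a new machine, it helps to confirm that its --discovery-token-ca-cert-hash really pins this cluster's CA. The Python script below is an added example, not part of the original post: it recomputes the pin (SHA-256 over the SubjectPublicKeyInfo of the CA certificate, ca.crt under the certificatesDir shown above) and checks the token format and control-plane flags; the function names are hypothetical.

```python
import base64, hashlib, re, sys
# Added example; read_tlv, ca_cert_hash and check_join_command are hypothetical names.
TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")   # bootstrap token: id.secret

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def ca_cert_hash(pem):
    """Return 'sha256:<hex>' over the DER SubjectPublicKeyInfo of the first cert in pem."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode(m.group(1))
    _, pos, _ = read_tlv(der, 0)            # enter Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # enter tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version (absent in v1 certs)
        pos = end
    for _field in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    _, _, end = read_tlv(der, pos)          # subjectPublicKeyInfo, header included
    return "sha256:" + hashlib.sha256(der[pos:end]).hexdigest()

def check_join_command(cmd, ca_pem):
    """Return a list of findings for a 'kubeadm join' command; empty means it checks out."""
    args = cmd.replace("\\\n", " ").replace("=", " ").split()   # also accepts --flag=value
    opts = {a: args[i + 1] for i, a in enumerate(args[:-1]) if a.startswith("--")}
    findings = []
    if not TOKEN_RE.match(opts.get("--token", "")):
        findings.append("--token is missing or not in id.secret bootstrap-token format")
    pin = opts.get("--discovery-token-ca-cert-hash")
    if pin is None:
        findings.append("no --discovery-token-ca-cert-hash: nothing pins the cluster CA")
    elif pin.lower() != ca_cert_hash(ca_pem):
        findings.append("CA pin does not match the supplied ca.crt")
    if "--control-plane" in args and "--certificate-key" not in opts:
        findings.append("--control-plane without --certificate-key: certs must be copied by hand")
    return findings

if __name__ == "__main__":                  # usage: script.py <ca.crt> "<kubeadm join ...>"
    with open(sys.argv[1]) as f:
        found = check_join_command(sys.argv[2], f.read())
    print("\n".join(found) or "join command matches this CA")
    sys.exit(1 if found else 0)
```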

Recommendation

Whether you are building a single-master or a multi-master cluster, always set the controlPlaneEndpoint parameter.

BY-NC-SA 4.0