kubernetes: managing tokens with kubeadm (kubernetes 1.18.3)

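I. What tokens are used for:

1. A token is the credential string that a node uses to connect to the master node.

    Together with the hash of the CA certificate, it is the credential used when joining a node to a kubernetes cluster.

2. After initialization, kubeadm provides a token for nodes to join with.
    A generated token is valid for 24 hours by default; once it expires, the token can no longer be used.
    At that point we can use kubeadm to generate a new token.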
 

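Note: Liu Hongdi's Architect Forest (架构森林) is a blog focused on architecture, at: https://www.cnblogs.com/architectforest

         The corresponding source code is available here: https://github.com/liuhongdi/

Note: Author: Liu Hongdi  Email: 371125307@qq.com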

 

II. Examples of managing tokens with kubeadm:

1. List all tokens
[root@kubemaster ~]# kubeadm token list
 
2. View the help for managing tokens with kubeadm
[root@kubemaster ~]# kubeadm token -h
View the help for the token create command
[root@kubemaster ~]# kubeadm token create -h
3. Create a token
[root@kubemaster ~]# kubeadm token create
W0618 14:46:52.793862   96998 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
0bawqm.38quzatonv75y6sr
View the token that was created
[root@kubemaster ~]# kubeadm token list
TOKEN                     TTL  EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
0bawqm.38quzatonv75y6sr   23h  2020-06-19T14:46:52+08:00   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
Note: as shown, a newly generated token expires after 24 hours by default
 
4. Generate a token with no expiry time (one that never expires)
#--ttl 0: the token has no expiry time
[root@kubemaster ~]# kubeadm token create --ttl 0
W0618 14:56:19.710949  105283 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
w56985.fiboh9v8vjqw2lap
View the tokens that have been created
[root@kubemaster ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
0bawqm.38quzatonv75y6sr   23h         2020-06-19T14:46:52+08:00   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
w56985.fiboh9v8vjqw2lap   <forever>   <never>                     authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
5. Delete a token
[root@kubemaster ~]# kubeadm token delete w56985.fiboh9v8vjqw2lap
bootstrap token "w56985" deleted
 
Check with list
[root@kubemaster ~]# kubeadm token list
TOKEN                   TTL  EXPIRES                   USAGES                 DESCRIPTION EXTRA GROUPS
0bawqm.38quzatonv75y6sr 23h  2020-06-19T14:46:52+08:00 authentication,signing <none>      system:bootstrappers:kubeadm:default-node-token 
The token has been deleted successfully
 
6. Generate the command for adding a node to the cluster in one step:
#--print-join-command: print the kubeadm join command directly
[root@kubemaster ~]# kubeadm token create --print-join-command
W0618 15:07:30.243762  115106 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
kubeadm join 192.168.219.130:6443 --token cts238.khb7z4qwu1h6iens     --discovery-token-ca-cert-hash sha256:c718e29ccb1883715489a3fdf53dd810a7764ad038c50fd62a2246344a4d9a73
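
Step 4 above creates a token with --ttl 0; such a token remains a valid join credential until it is deleted. The shell check below is an added example, not part of the original post, that scans kubeadm token list output for tokens of that kind. The function names are hypothetical and the sample listing is constructed in the layout of the output shown above.

```shell
#!/bin/sh
# Added example: flag bootstrap tokens that never expire (created with --ttl 0).
# Function names are hypothetical; the sample listing below is constructed.

# Print the 6-character token ID (never the secret half) of every row in
# `kubeadm token list` output whose TTL column starts with <forever>.
# Warning lines and the header row fail the token-shape check and are skipped.
find_forever_tokens() {
    awk '
        length($1) == 23 && index($1, ".") == 7 &&
        $1 ~ /^[a-z0-9]+\.[a-z0-9]+$/ &&
        index($2, "<forever>") == 1 { print substr($1, 1, 6) }
    '
}

# Report each non-expiring token; return 1 if any exist, 0 otherwise.
audit_bootstrap_tokens() {
    ids=$(find_forever_tokens)
    if [ -z "$ids" ]; then
        echo "OK: every bootstrap token has an expiry"
        return 0
    fi
    for id in $ids; do
        echo "FINDING: token $id never expires; remove it with: kubeadm token delete $id"
    done
    return 1
}

# Constructed sample in the layout of the listing shown above.
sample_token_list() {
    cat <<'EOF'
W0618 14:56:19.710949  105283 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
0bawqm.38quzatonv75y6sr   23h         2020-06-19T14:46:52+08:00   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
w56985.fiboh9v8vjqw2lap   <forever>   <never>                     authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
EOF
}

# On the master node: kubeadm token list | audit_bootstrap_tokens
sample_token_list | audit_bootstrap_tokens || true
```

The check prints only the token ID, so its output can go into logs or tickets without exposing the secret half of the token.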

III. Getting the hash of the CA certificate manually:

#-sha256: use the SHA-256 secure hash algorithm
[root@kubemaster ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
c718e29ccb1883715489a3fdf53dd810a7764ad038c50fd62a2246344a4d9a73
 
The command for a node to join the cluster looks like this:
kubeadm join 192.168.219.130:6443 --token cts238.khb7z4qwu1h6iens     --discovery-token-ca-cert-hash sha256:c718e29ccb1883715489a3fdf53dd810a7764ad038c50fd62a2246344a4d9a73

IV. Check the kubernetes version

[root@kubemaster ~]# kubelet --version
Kubernetes v1.18.3
[root@kubemaster ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:49:29Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

V. Check the linux version

[root@kubemaster ~]# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
[root@kubemaster ~]# uname -r
4.18.0-193.el8.x86_64
Original article: https://www.cnblogs.com/architectforest/p/13157791.html