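I. What the token is for:
1. The token is the credential string a node uses to connect to the master node.
Together with the hash of the CA certificate, it is the credential used when joining a node to a Kubernetes cluster.
2. After initialization with kubeadm, a token for joining nodes is always provided.
A generated token is valid for 24 hours by default; once it expires, the token can no longer be used.
At that point we can use kubeadm to generate a new token.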
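Note: 劉宏締的架構森林 (Liu Hongdi's Architecture Forest) is a blog focused on architecture, at: https://www.cnblogs.com/architectforest
The corresponding source code is available at: https://github.com/liuhongdi/
Note: Author: 劉宏締 (Liu Hongdi)  Email: 371125307@qq.com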
II. Examples of managing tokens with kubeadm:
1. List all tokens
[root@kubemaster ~]# kubeadm token list
2. Show the help for managing tokens with kubeadm
[root@kubemaster ~]# kubeadm token -h
Show the help for the token create command
[root@kubemaster ~]# kubeadm token create -h
3. Create a token
[root@kubemaster ~]# kubeadm token create
W0618 14:46:52.793862 96998 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
0bawqm.38quzatonv75y6sr
List the tokens to see the one just created
[root@kubemaster ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
0bawqm.38quzatonv75y6sr   23h         2020-06-19T14:46:52+08:00   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
Note: as the listing shows, a newly generated token expires after 24 hours by default
4. Create a token with no expiry time (one that never expires)
# --ttl 0: the token has no expiry time
[root@kubemaster ~]# kubeadm token create --ttl 0
W0618 14:56:19.710949 105283 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
w56985.fiboh9v8vjqw2lap
List the tokens to see the one just created
[root@kubemaster ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
0bawqm.38quzatonv75y6sr   23h         2020-06-19T14:46:52+08:00   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
w56985.fiboh9v8vjqw2lap   <forever>   <never>                     authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
5. Delete a token
[root@kubemaster ~]# kubeadm token delete w56985.fiboh9v8vjqw2lap
bootstrap token "w56985" deleted
Check with list
[root@kubemaster ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
0bawqm.38quzatonv75y6sr   23h         2020-06-19T14:46:52+08:00   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
The token was deleted successfully
6. Generate the command for adding a node to the cluster in one step:
# --print-join-command: print the kubeadm join command directly
[root@kubemaster ~]# kubeadm token create --print-join-command
W0618 15:07:30.243762 115106 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
kubeadm join 192.168.219.130:6443 --token cts238.khb7z4qwu1h6iens \
--discovery-token-ca-cert-hash sha256:c718e29ccb1883715489a3fdf53dd810a7764ad038c50fd62a2246344a4d9a73
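A token created with --ttl 0, as in step 4, remains a valid join credential until someone deletes it, so it is worth checking for on a schedule. The script below is an added example, not part of the original post: it scans `kubeadm token list` output for tokens whose TTL is `<forever>`. The function names are hypothetical and the sample listing is copied from the session in step 4.

```shell
#!/bin/sh
# Added example (not from the original post): flag bootstrap tokens that never expire.

# Offline sample input: the listing shown in step 4 of this page.
sample_token_list() {
  cat <<'EOF'
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
0bawqm.38quzatonv75y6sr   23h         2020-06-19T14:46:52+08:00   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
w56985.fiboh9v8vjqw2lap   <forever>   <never>                     authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
EOF
}

# Hypothetical helper: read `kubeadm token list` output on stdin and print
# every token whose TTL column is <forever>. A row counts only if field 1 has
# the bootstrap-token shape (6 chars, a dot, 16 chars, all [a-z0-9]), which
# skips the header and any warning lines mixed into the stream.
find_nonexpiring_tokens() {
  awk 'length($1) == 23 && index($1, ".") == 7 &&
       $1 ~ /^[a-z0-9]+\.[a-z0-9]+$/ && $2 == "<forever>" { print $1 }'
}

# Hypothetical helper: print one finding per non-expiring token together with
# the command that revokes it. Returns 1 if any were found, 0 otherwise,
# so it can gate a cron job or a CI check.
audit_tokens() {
  _found=$(find_nonexpiring_tokens)
  if [ -z "$_found" ]; then
    return 0
  fi
  printf '%s\n' "$_found" | while read -r _tok; do
    echo "non-expiring token: $_tok (revoke: kubeadm token delete $_tok)"
  done
  return 1
}

# Demo on the sample listing. On a control-plane node run instead:
#   kubeadm token list | audit_tokens
sample_token_list | audit_tokens || true
```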
III. Computing the hash of the CA certificate by hand:
# -sha256: use the SHA-256 secure hash algorithm
[root@kubemaster ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
c718e29ccb1883715489a3fdf53dd810a7764ad038c50fd62a2246344a4d9a73
The command for a node to join the cluster looks like this:
kubeadm join 192.168.219.130:6443 --token cts238.khb7z4qwu1h6iens \
--discovery-token-ca-cert-hash sha256:c718e29ccb1883715489a3fdf53dd810a7764ad038c50fd62a2246344a4d9a73
IV. Check the Kubernetes version
[root@kubemaster ~]# kubelet --version
Kubernetes v1.18.3
[root@kubemaster ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:49:29Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
V. Check the Linux version
[root@kubemaster ~]# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
[root@kubemaster ~]# uname -r
4.18.0-193.el8.x86_64